[Samba] Can't force Windows users to change password at next login since upgrade to Samba4

Brett Charbeneau brett at happysnowman.com
Mon Jul 6 21:18:15 UTC 2015

I would be VERY grateful for anyone who can find time to offer a tip or 

     I upgraded an Ubuntu LTS server (running Samba 3.X) to the latest 
version (running Samba 4.1.6) a few months ago and a bothersome issue 
persists with forcing Windows users to change their password at the next 
     This command used to do the trick:

net sam set pwdmustchangenow <username> yes

     and indeed the user is prompted to change their password now, but 
they are always given an "Access is denied" message upon entering a new 
password selection twice. The error recorded by Samba in the client's log 
appears to be related to PAM:

[2015/07/06 16:10:59.294295,  0]
   pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2015/07/06 16:11:01.067248,  0]
   pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2

     We use the tdbsam backend and the server in question is a primary 
domain controller. We do have libpam-smbpass installed.

     I tried

pdbedit -P "maximum password age" -C 0 -u <username>

     with the same results.


          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
          obey pam restrictions = yes
          admin users = administrator @smbadmins root
          show add printer wizard = yes
          passwd program = /usr/bin/passwd %u
          dns proxy = no
          logon script = logon.bat
          time server = yes
          logon path =
          netbios name = PDC
          printing = cups
          default = Data
          local master = yes
          workgroup = WORKER
          os level = 64
          printcap name = cups
          security = user
          add machine script = /usr/sbin/useradd -s /bin/false -d /nonexistent '%u' -g smbmachines
          max log size = 1000
          delete user script = /usr/sbin/userdel -r '%u'
          log file = /var/log/samba/log.%m
          guest account = nobody
          add group script = /usr/sbin/groupadd '%g'
          socket options = TCP_NODELAY
          delete group script = /usr/sbin/groupdel '%g'
          add user to group script = /usr/sbin/usermod -G '%g' '%u'
          domain master = yes
          encrypt passwords = true
          passdb backend = tdbsam
          wins support = true
          server string = WORK Domain Controller
          path = /shares/data
          unix password sync = yes
          comment =  Project and User Folders
          add user script = /usr/sbin/useradd -m '%u' -g smbusers -G 
          syslog = 0
          panic action = /usr/share/samba/panic-action %d
          domain logons = yes
          pam password change = yes
          enable privileges = Yes
          rename user script = /usr/sbin/usermod -l '%unew' '%uold'
          create mask = 0775
          directory mask = 0775

      comment = Network Logon Service
      path = /export/logon
      read only = yes
      valid users = root @smbadmins @smbusers @WORKers

          comment = Projects and User Files
          path = /shares/data
          writeable = Yes
          create mask = 775
          directory mask = 0770
          browseable = Yes
          inherit permissions = Yes


@include common-auth
@include common-account
@include common-session-noninteractive
@include common-password

Brett Charbeneau
brett at happysnowman.com
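As an added diagnostic (not code from the original post or from the Samba project), the script below checks the two things that have to agree for the forced change described above: that the account really carries the must-change flag in tdbsam, and that smb.conf routes the resulting Unix password change somewhere (PAM via "pam password change", or "passwd program"). It assumes the "Password must change:" field name printed by pdbedit -Lv and the parameter names used in the smb.conf above; the inputs it is tested against are constructed samples.

```shell
# Added diagnostic, not from the original post: checks the two things that
# have to agree for a forced password change on a tdbsam PDC, the account's
# must-change flag (pdbedit -Lv) and the change path configured in smb.conf.
# Field and parameter names are Samba's own; inputs fed below are constructed.

# Read "pdbedit -Lv <user>" output on stdin. Exit 0 if the account shows
# "Password must change: now", 1 if it shows a date or "never", 2 if absent.
must_change_now() {
    awk -F': *' '
        /^Password must change:/ { found = 1; if ($2 == "now") exit 0; exit 1 }
        END { if (!found) exit 2 }'
}

# Print the value of one smb.conf parameter read from stdin (first match,
# comment lines skipped, name matched case-insensitively); empty if unset.
conf_get() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        index($0, "=") {
            name = $0; sub(/=.*/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (tolower(name) == key) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# Samba boolean: yes/true/1 in any case count as on.
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; *) return 1 ;; esac
}
# Read smb.conf on stdin and print how a change of the SMB password will be
# propagated; exit 1 if "unix password sync" is on but no mechanism is set.
check_pw_change_path() {
    conf=$(cat)
    sync=$(printf '%s\n' "$conf" | conf_get "unix password sync")
    pam=$(printf '%s\n' "$conf" | conf_get "pam password change")
    prog=$(printf '%s\n' "$conf" | conf_get "passwd program")
    if ! is_yes "$sync"; then
        echo "unix password sync off: only the tdbsam hash changes"; return 0
    elif is_yes "$pam"; then
        echo "unix sync through PAM (passwd program ignored; passwd chat matched against PAM prompts)"; return 0
    elif [ -n "$prog" ]; then
        echo "unix sync through passwd program: $prog"; return 0
    fi
    echo "ERROR: unix password sync = yes but neither pam password change nor passwd program is set"
    return 1
}
```

On the PDC itself the functions are fed with `pdbedit -Lv "$user" | must_change_now` and `testparm -s 2>/dev/null | check_pw_change_path`.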
