[Samba] Can Logon & Join NT4-style Domain, Can't Change Password

Wietse Driever wdriever at gmail.com
Fri Aug 19 09:20:51 UTC 2016

Hallo All,

After updating Windows 10 to the latest versions i can confirm Windows 10
is also unable to change passwords.

I found this information:
Known issues in this security update

This security update disables the ability of the Negotiate process to fall
back to NTLM when Kerberos authentication fails for password change

Currently, the ability to change the passwords of disabled or locked-out
accounts is supported only by NTLM. It is not supported by the Kerberos
This security update prevents the Negotiate process from falling back to
NTLM for password change operations when Kerberos authentication fails.
therefore, you will no longer be able to change the password for disabled
or locked-out accounts after you install this security update.
It is not secure to change disabled or locked-out user account passwords by
using NTLM. This is why the ability of Negotiate to fall back to NTLM is
disabled by this security update.

Note Even though you can no longer change the password for disabled or
locked accounts, you can set the password by using Active Directory-based

I hope someone can help me fix this without having to block updates.
Because in Windows 10 it is part of a large cumulative update.



2016-08-19 10:27 GMT+02:00 Wietse Driever <wdriever at gmail.com>:

> Hello Bill,
> We have the same problems with our users. After some recent updates they
> are unable to change there passwords. We have many networks at different
> locations and more and more reports are starting to come in now.
> We are using:
> centos 6.8
> kernel: 2.6.32.-642.1.1.el6.x86_64
> smbd -V: 3.6.23-25.el6_7
> I noticed Windows 10 enterprise machines are not affected yet.
> I am sorry if my post was not correctly formatted, this is the first time
> and i did not have time to read all the rules. Just wanted to let you now
> we are facing the same issues. I still have to test the update rollback.
> I will let you all now if this also worked for us.
> Greetings,
> Wietse Driever

More information about the samba mailing list