[Samba] Cannot change passwords on Active Directory Samba from clients

Luke Barone lukebarone at gmail.com
Fri Jun 2 23:01:21 UTC 2017


Hi list,

We are working on getting Samba version 4.5.8-debian (on Stretch) with
Active Directory running, and we are running into a major roadblock.
Clients (Windows 7 Pro, Windows 10 Pro and Educational) cannot change their
passwords on their own. We can force the user to reset the password for
their next login (works), or reset the password with ADUC RSAT as the
Domain Admin. If the user tries to use "Change Password" from the
Ctrl+Alt+Delete menu, it fails with the message:

Unable to update the password. The value provided for the new password does
not meet the length complexity, or history requirements of the domain

We are out of ideas, and Google is not helping much. Below is the smb.conf
file from the main domain controller (we troubleshot by even shutting
down the secondary DC):

# Global parameters
[global]
 bind interfaces only = Yes
 interfaces = lo enp0s17
 netbios name = DC1
 realm = <FQDN>
 workgroup = <DOMAIN>
 dns forwarder = <DNS SERVER>
 server role = active directory domain controller
 winbind separator = /
 idmap_ldb:use rfc2307 = yes
 comment =
[netlogon]
 path = /var/lib/samba/sysvol/<DOMAIN>/scripts
 read only = No
[sysvol]
 path = /var/lib/samba/sysvol
 read only = No

We have disabled all the password policies in Group Policy Management
Console, and have also used samba-tool domain passwordsettings to disable
any restrictions, such as minimum password age and password complexity.

What are our next steps?

