[Samba] Cannot change passwords on Active Directory Samba from clients

Andrew Bartlett abartlet at samba.org
Sat Jun 3 06:55:21 UTC 2017 

On Fri, 2017-06-02 at 16:01 -0700, Luke Barone via samba wrote:
> Hi list,
> 
> We are working on getting Samba version 4.5.8-debian (on Stretch) with
> Active Directory running, and we are running into a major road block.
> Clients (Windows 7 Pro, Windows 10 Pro and Educational) cannot change their
> passwords on their own. We can force the user to reset the password for
> their next login (works), or reset the password with ADUC RSAT as the
> Domain Admin. If the user tries to use "Change Password" from the Ctrl Alt
> Delete menu, it fails with the message:
> 
> Unable to update the password. The value provided for the new password does
> not meet the length complexity, or history requirements of the domain
> 
> We are out of ideas, and Google is not helping much. Below is the smb.conf
> file from the main domain controller (we troubleshooted by even shutting
> down the secondary DC):
> 
> # Global parameters
> [global]
>  bind interfaces only = Yes
>  interfaces = lo enp0s17
>  netbios name = DC1
>  realm = <FQDN>
>  workgroup = <DOMAIN>
>  dns forwarder = <DNS SERVER>
>  server role = active directory domain controller
>  winbind separator = /
>  idmap_ldb:use rfc2307 = yes
>  comment =
> [netlogon]
>  path = /var/lib/samba/sysvol/<DOMAIN>/scripts
>  read only = No
> [sysvol]
>  path = /var/lib/samba/sysvol
>  read only = No
> 
> We have disabled all the password policies in Group Policy Management
> Console, as well as using samba-tool domain passwordsettings to disable any
> restrictions, such as minimum password age, and password complexity.

To be clear, only the samba-tool step makes any difference, we don't
honour the Group Policy settings on the DC.

Have you tried changing it to a absurdly complex password after
reducing the minimum age with samba-tool?

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list