[Samba] Changing expired Samba AD password during Windows login

Ken McDonald ken at generation.tech
Thu Jan 18 03:01:07 UTC 2018

I'm running a Samba AD 4.7.4 and cannot set a new password for a user 
with an expired password during login from a Windows PC. Changing a 
password from inside a login with Ctrl-Alt-Del "change password" works OK.

I've already decreased the minimum password age to 0:

samba-tool domain passwordsettings show

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

My Samba install is brand new and the Windows PC is a clean test PC. I'm 
running on Ubuntu 16.04.3 and had to compile from source Samba 4.7.4 
after compiling from source krb5 1.15.2. All other build dependencies 
came from default Ubuntu 16.04.3 repos.


# Global parameters
[global]
         dns forwarder = xxx.xxx.xxx.xxx
         netbios name = DCNAME
         realm = DOMAINNAME.DOMAIN.COM
         server role = active directory domain controller
         workgroup = DOMAINNAME
         idmap_ldb:use rfc2307 = yes

         log level = 5

[netlogon]
         path = 
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No
