[Samba] Changing expired Samba AD password during Windows login

Luke Barone lukebarone at gmail.com
Thu Jan 18 03:44:12 UTC 2018


(Remember to reply all)

What error message, *specifically*, comes up when the user with the expired
password attempts to change it?

On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken at generation.tech> wrote:

> To test, I use a desktop OS (Win8.1) with RSAT installed to create a new
> user with ADUC and set the "user must change password at next logon" OR for
> an existing user, with ADUC under the "Account" tab, check "user must change
> password at next logon."
>
> Then, when the test user actually logs in to a Windows OS (I've tested
> win8.1 and srv2012r2), they get a message like "your password has expired
> and must be changed." When "ok" is clicked, they get a prompt to enter old
> password, and new password x2. Entering all of those correctly, including
> complexity requirements, does not work and that is my problem. They get an
> immediate repeat of the "the password for this account has expired" and the
> process starts all over.
>
> However, if a non-expired user logs in successfully and chooses
> Ctrl-Alt-Del, they can successfully change their password.
>
> On 01/17/2018 10:27 PM, Luke Barone wrote:
>
> Are you trying to reset with the rsat tools, or the command line? What
> issue is happening when you try to set it?
>
> On Jan 17, 2018 7:14 PM, "Ken McDonald via samba" <samba at lists.samba.org>
> wrote:
>
>> I'm running a Samba AD 4.7.4 and cannot set a new password for a user
>> with an expired password during login from a Windows PC. Changing a
>> password from inside a login with Ctrl-Alt-Del "change password" works ok.
>>
>> I've already decreased the minimum password age to 0
>>
>> samba-tool domain passwordsettings show
>>
>> Password complexity: on
>> Store plaintext passwords: off
>> Password history length: 24
>> Minimum password length: 7
>> Minimum password age (days): 0
>> Maximum password age (days): 42
>> Account lockout duration (mins): 30
>> Account lockout threshold (attempts): 0
>> Reset account lockout after (mins): 30
>>
>> My Samba install is brand new and the Windows PC is a clean test PC. I'm
>> running on Ubuntu 16.04.3 and had to compile from source Samba 4.7.4 after
>> compiling from source krb5 1.15.2. All other build dependencies came from
>> default Ubuntu 16.04.3 repos
>>
>> smb.conf
>>
>> # Global parameters
>> [global]
>>         dns forwarder = xxx.xxx.xxx.xxx
>>         netbios name = DCNAME
>>         realm = DOMAINNAME.DOMAIN.COM
>>         server role = active directory domain controller
>>         workgroup = DOMAINNAME
>>         idmap_ldb:use rfc2307 = yes
>>
>>         log level = 5
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/domainname.domain.com/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>>

