[Samba] Changing expired Samba AD password during Windows login
ken at generation.tech
Thu Jan 18 03:48:29 UTC 2018
On win8.1 & srv2012r2 it is "The password for this account has expired"
On 01/17/2018 10:44 PM, Luke Barone wrote:
> (Remember to reply all)
> What error message, *specifically*, comes up when the user with the
> expired password attempts to change it?
> On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken at generation.tech> wrote:
> To test, I use a desktop OS (win8.1) with rsat installed to create
> a new user with ADUC and set the "user must change password at
> next logon" OR for an existing user, with ADUC under "Account"
> tab. check "user must change password at next logon."
> Then, when the test user actually logs in to a Windows OS (I've
> tested win8.1 and srv2012r2), they get a message like "your
> password has expired and must be changed." When "ok" is clicked,
> they get a prompt to enter old password, and new password x2.
> Entering all of those correctly, including complexity
> requirements, does not work and that is my problem. They get an
> immediate repeat of the "the password for this account has
> expired" and the process starts all over.
> However, if for a non-expired user, they log in successfully and
> choose cntl-alt-del they can successfully change their password.
> On 01/17/2018 10:27 PM, Luke Barone wrote:
>> Are you trying to reset with the rsat tools, or the command line?
>> What issue is happening when you try to set it?
>> On Jan 17, 2018 7:14 PM, "Ken McDonald via samba"
>> <samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>> I'm running a Samba AD 4.7.4 and cannot set a new password
>> for a user with an expired password during login from a
>> Windows PC. Changing a password from inside a login with
>> cntl-alt-del "change password" works ok.
>> I've already decreased the minimum password age to 0
>> samba-tool domain passwordsettings show
>> Password complexity: on
>> Store plaintext passwords: off
>> Password history length: 24
>> Minimum password length: 7
>> Minimum password age (days): 0
>> Maximum password age (days): 42
>> Account lockout duration (mins): 30
>> Account lockout threshold (attempts): 0
>> Reset account lockout after (mins): 30
>> My Samba install is brand new and the Windows PC is a clean
>> test PC. I'm running on Ubuntu 16.04.3 and had to compile
>> from source Samba 4.7.4 after compiling from source krb5
>> 1.15.2. All other build dependencies came from default Ubuntu
>> 16.04.3 repos
>> # Global parameters
>> dns forwarder = xxx.xxx.xxx.xxx
>> netbios name = DCNAME
>> realm = DOMAINNAME.DOMAIN.COM
>> server role = active directory domain controller
>> workgroup = DOMAINNAME
>> idmap_ldb:use rfc2307 = yes
>> log level = 5
>> path =
>> read only = No
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>> To unsubscribe from this list go to the following URL and
>> read the
>> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba