[Samba] Changing expired Samba AD password during Windows login

Ken McDonald ken at generation.tech
Thu Jan 18 03:48:29 UTC 2018


On win8.1 & srv2012r2 it is "The password for this account has expired"


On 01/17/2018 10:44 PM, Luke Barone wrote:
> (Remember to reply all)
>
> What error message, *specifically*, comes up when the user with the 
> expired password attempts to change it?
>
> On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken at generation.tech> wrote:
>
>     To test, I use a desktop OS (win8.1) with rsat installed to create
>     a new user with ADUC and set the "user must change password at
>     next logon" OR for an existing user, with ADUC under "Account"
>     tab, check "user must change password at next logon."
>
>     Then, when the test user actually logs in to a Windows OS (I've
>     tested win8.1 and srv2012r2), they get a message like "your
>     password has expired and must be changed." When "ok" is clicked,
>     they get a prompt to enter old password, and new password x2.
>     Entering all of those correctly, including complexity
>     requirements, does not work and that is my problem. They get an
>     immediate repeat of the "the password for this account has
>     expired" and the process starts all over.
>
>     However, if for a non-expired user, they log in successfully and
>     choose Ctrl-Alt-Del they can successfully change their password.
>
>
>     On 01/17/2018 10:27 PM, Luke Barone wrote:
>>     Are you trying to reset with the rsat tools, or the command line?
>>     What issue is happening when you try to set it?
>>
>>     On Jan 17, 2018 7:14 PM, "Ken McDonald via samba"
>>     <samba at lists.samba.org> wrote:
>>
>>         I'm running a Samba AD 4.7.4 and cannot set a new password
>>         for a user with an expired password during login from a
>>         Windows PC. Changing a password from inside a login with
>>         Ctrl-Alt-Del "change password" works ok.
>>
>>         I've already decreased the minimum password age to 0
>>
>>         samba-tool domain passwordsettings show
>>
>>         Password complexity: on
>>         Store plaintext passwords: off
>>         Password history length: 24
>>         Minimum password length: 7
>>         Minimum password age (days): 0
>>         Maximum password age (days): 42
>>         Account lockout duration (mins): 30
>>         Account lockout threshold (attempts): 0
>>         Reset account lockout after (mins): 30
>>
>>         My Samba install is brand new and the Windows PC is a clean
>>         test PC. I'm running on Ubuntu 16.04.3 and had to compile
>>         from source Samba 4.7.4 after compiling from source krb5
>>         1.15.2. All other build dependencies came from default Ubuntu
>>         16.04.3 repos
>>
>>         smb.conf
>>
>>         # Global parameters
>>         [global]
>>                 dns forwarder = xxx.xxx.xxx.xxx
>>                 netbios name = DCNAME
>>                 realm = DOMAINNAME.DOMAIN.COM
>>                 server role = active directory domain controller
>>                 workgroup = DOMAINNAME
>>                 idmap_ldb:use rfc2307 = yes
>>
>>                 log level = 5
>>
>>         [netlogon]
>>                 path = /usr/local/samba/var/locks/sysvol/domainname.domain.com/scripts
>>                 read only = No
>>
>>         [sysvol]
>>                 path = /usr/local/samba/var/locks/sysvol
>>                 read only = No
>>
>>
>


