[Samba] Changing expired Samba AD password during Windows login
ken at generation.tech
Thu Jan 18 14:22:27 UTC 2018
Hi, thanks for your help. Your suggestion makes sense, however I think there should be some way for users to be able to change an expired password from login dialogue.
Actually I had a problem doing this previously with NT4 style Samba domain and never looked into a resolution.
Now that I've found Samba does AD style domain, I'm excited to use it in several customer locations.
Since I can't find any info in the Samba documentation about a known problem or FAQ about expired password during Windows OS login, I figured it's /supposed/ to work.
Sent from my U.S. Cellular® Smartphone
-------- Original message --------
From: Harsh Kukreja <h.kukreja at ium.edu.na>
Date: 01/18/2018 8:43 AM (GMT-05:00)
To: Ken McDonald <ken at generation.tech>
Cc: Luke Barone <lukebarone at gmail.com>, samba <samba at lists.samba.org>
Subject: Re: [Samba] Changing expired Samba AD password during Windows login
I was experiencing a similar problem with the passwords few days back when the staff resumed to work after a months vacation. The clients are Windows 7 PC's which were failing to login with an error"The password for this account has expired" even after a password reset from RSAT.
Solutions which worked for me:When you are resetting use password uncheck the option to change password on next login which means user can login with the new password and later they can change it from the ctrl+alt+del menu.
To reset the user password without checking to change password on next login you can use the below command line: samba-tool user setpassword --filter=samaccountname=username --newpassword=password
or you can also use command below to reset the user password if you remember the old password kpasswd username
Also you can change password settings on Samba 4 using the command belowsamba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=90
Thanks n Regards
Harsh Kukreja Systems Administrator International University of Namibia Tel: 061-4336000 - E-mail: h.kukreja at ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005,Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA
On Thu, Jan 18, 2018 at 5:48 AM, Ken McDonald via samba <samba at lists.samba.org> wrote:
On win8.1 & srv2012r2 it is "The password for this account has expired"
On 01/17/2018 10:44 PM, Luke Barone wrote:
(Remember to reply all)
What error message, *specifically*, comes up when the user with the expired password attempts to change it?
On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken at generation.tech> wrote:
To test, I use a desktop OS (win8.1) with rsat installed to create
a new user with ADUC and set the "user must change password at
next logon" OR for an existing user, with ADUC under "Account"
tab. check "user must change password at next logon."
Then, when the test user actually logs in to a Windows OS (I've
tested win8.1 and srv2012r2), they get a message like "your
password has expired and must be changed." When "ok" is clicked,
they get a prompt to enter old password, and new password x2.
Entering all of those correctly, including complexity
requirements, does not work and that is my problem. They get an
immediate repeat of the "the password for this account has
expired" and the process starts all over.
However, if for a non-expired user, they log in successfully and
choose cntl-alt-del they can successfully change their password.
On 01/17/2018 10:27 PM, Luke Barone wrote:
Are you trying to reset with the rsat tools, or the command line?
What issue is happening when you try to set it?
On Jan 17, 2018 7:14 PM, "Ken McDonald via samba"
<samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
I'm running a Samba AD 4.7.4 and cannot set a new password
for a user with an expired password during login from a
Windows PC. Changing a password from inside a login with
cntl-alt-del "change password" works ok.
I've already decreased the minimum password age to 0
samba-tool domain passwordsettings show
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
My Samba install is brand new and the Windows PC is a clean
test PC. I'm running on Ubuntu 16.04.3 and had to compile
from source Samba 4.7.4 after compiling from source krb5
1.15.2. All other build dependencies came from default Ubuntu
# Global parameters
dns forwarder = xxx.xxx.xxx.xxx
netbios name = DCNAME
realm = DOMAINNAME.DOMAIN.COM
server role = active directory domain controller
workgroup = DOMAINNAME
idmap_ldb:use rfc2307 = yes
log level = 5
read only = No
path = /usr/local/samba/var/locks/sysvol
read only = No
-- To unsubscribe from this list go to the following URL and
To unsubscribe from this list go to the following URL and read the
More information about the samba