[Samba] Changing expired Samba AD password during Windows login
Ken McDonald
ken at generation.tech
Sat Jan 20 14:38:59 UTC 2018
Thanks for the suggestion but it didn't help in my situation. Odd.
On 01/18/2018 10:13 AM, lingpanda101 wrote:
> On 1/18/2018 9:22 AM, Ken McDonald via samba wrote:
>> Hi, thanks for your help. Your suggestion makes sense, however I
>> think there should be some way for users to be able to change an
>> expired password from the login dialogue.
>> Actually I had a problem doing this previously with an NT4 style Samba
>> domain and never looked into a resolution.
>> Now that I've found Samba does AD style domains, I'm excited to use it
>> in several customer locations.
>> Since I can't find any info in the Samba documentation about a known
>> problem or FAQ about expired password during Windows OS login, I
>> figured it's /supposed/ to work.
>>
>>
>> -------- Original message --------
>> From: Harsh Kukreja <h.kukreja at ium.edu.na>
>> Date: 01/18/2018 8:43 AM (GMT-05:00)
>> To: Ken McDonald <ken at generation.tech>
>> Cc: Luke Barone <lukebarone at gmail.com>, samba <samba at lists.samba.org>
>> Subject: Re: [Samba] Changing expired Samba AD password during
>> Windows login
>>
>> Hi Ken
>> I was experiencing a similar problem with the passwords a few days back
>> when the staff resumed work after a month's vacation. The clients
>> are Windows 7 PCs which were failing to log in with the error "The
>> password for this account has expired" even after a password reset
>> from RSAT.
>> Solutions which worked for me: When you are resetting the user password,
>> uncheck the option to change password on next login, which means the user
>> can log in with the new password and later they can change it from the
>> ctrl+alt+del menu.
>> To reset the user password without checking to change password on
>> next login you can use the command line below:
>>
>>   samba-tool user setpassword --filter=samaccountname=username --newpassword=password
>>
>> or you can also use the command below to reset the user password if you
>> remember the old password:
>>
>>   kpasswd username
>>
>> Also you can change password settings on Samba 4 using the commands
>> below:
>>
>>   samba-tool domain passwordsettings set --history-length=0
>>   samba-tool domain passwordsettings set --min-pwd-age=0
>>   samba-tool domain passwordsettings set --max-pwd-age=90
>>
>> Thanks n Regards
>>
>> Harsh Kukreja Systems Administrator International University of
>> Namibia Tel: 061-4336000 -
>> E-mail: h.kukreja at ium.edu.na - Web: http://www.ium.edu.na
>> Private Bag 14005,Bachbrech. 21-31 Hercules Street, Dorado Park,
>> Windhoek, NAMIBIA
>>
>> On Thu, Jan 18, 2018 at 5:48 AM, Ken McDonald via samba
>> <samba at lists.samba.org> wrote:
>> On win8.1 & srv2012r2 it is "The password for this account has expired"
>>
>> On 01/17/2018 10:44 PM, Luke Barone wrote:
>>
>> (Remember to reply all)
>>
>> What error message, *specifically*, comes up when the user with the
>> expired password attempts to change it?
>>
>> On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken at generation.tech> wrote:
>>
>> To test, I use a desktop OS (win8.1) with rsat installed to create
>> a new user with ADUC and set the "user must change password at
>> next logon" OR for an existing user, with ADUC under "Account"
>> tab, check "user must change password at next logon."
>>
>> Then, when the test user actually logs in to a Windows OS (I've
>> tested win8.1 and srv2012r2), they get a message like "your
>> password has expired and must be changed." When "ok" is clicked,
>> they get a prompt to enter old password, and new password x2.
>> Entering all of those correctly, including complexity
>> requirements, does not work and that is my problem. They get an
>> immediate repeat of the "the password for this account has
>> expired" and the process starts all over.
>>
>> However, if for a non-expired user, they log in successfully and
>> choose cntl-alt-del they can successfully change their password.
>>
>> On 01/17/2018 10:27 PM, Luke Barone wrote:
>>
>> Are you trying to reset with the rsat tools, or the command line?
>> What issue is happening when you try to set it?
>>
>> On Jan 17, 2018 7:14 PM, "Ken McDonald via samba"
>> <samba at lists.samba.org> wrote:
>>
>> I'm running a Samba AD 4.7.4 and cannot set a new password
>> for a user with an expired password during login from a
>> Windows PC. Changing a password from inside a login with
>> cntl-alt-del "change password" works ok.
>>
>> I've already decreased the minimum password age to 0
>>
>> samba-tool domain passwordsettings show
>>
>> Password complexity: on
>> Store plaintext passwords: off
>> Password history length: 24
>> Minimum password length: 7
>> Minimum password age (days): 0
>> Maximum password age (days): 42
>> Account lockout duration (mins): 30
>> Account lockout threshold (attempts): 0
>> Reset account lockout after (mins): 30
>>
>> My Samba install is brand new and the Windows PC is a clean
>> test PC. I'm running on Ubuntu 16.04.3 and had to compile
>> from source Samba 4.7.4 after compiling from source krb5
>> 1.15.2. All other build dependencies came from default Ubuntu
>> 16.04.3 repos.
>>
>> smb.conf
>>
>> # Global parameters
>> [global]
>>     dns forwarder = xxx.xxx.xxx.xxx
>>     netbios name = DCNAME
>>     realm = DOMAINNAME.DOMAIN.COM
>>     server role = active directory domain controller
>>     workgroup = DOMAINNAME
>>     idmap_ldb:use rfc2307 = yes
>>
>>     log level = 5
>>
>> [netlogon]
>>     path = /usr/local/samba/var/locks/sysvol/domainname.domain.com/scripts
>>     read only = No
>>
>> [sysvol]
>>     path = /usr/local/samba/var/locks/sysvol
>>     read only = No
>>
> I've had this issue sporadically as well from time to time. I've
> found that once the user changes his/her password, when the process
> restarts, cancel the subsequent try. Choose switch user, other user and
> try logging in with the new password. Make sure you switch other user
> and retype the username. This has worked but is annoying.
>
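
Added example, not part of the thread or of Samba: a small Python check that parses the `samba-tool domain passwordsettings show` output quoted above and flags settings that switch a control off, run once on the quoted policy and once on a constructed copy with the suggested `--history-length=0` and `--max-pwd-age=90` applied. The finding labels and the `MIN_LENGTH` baseline are assumptions chosen for illustration.

```python
import re

# Output quoted in the thread (samba-tool domain passwordsettings show).
THREAD_OUTPUT = """\
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""
# Constructed: the same policy after --history-length=0 and --max-pwd-age=90.
AFTER_SUGGESTION = (THREAD_OUTPUT
                    .replace("history length: 24", "history length: 0")
                    .replace("age (days): 42", "age (days): 90"))

MIN_LENGTH = 12  # assumed site baseline, not a value from the thread

# "Label (unit): value" -> label without the unit, and the value token.
LINE = re.compile(r"\s*([^:(]+?)\s*(?:\([^)]*\))?\s*:\s*(\S+)\s*$")

def parse_settings(text):
    """Map each 'Label (unit): value' line to {lowercased label: value}."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            value = m.group(2)
            settings[m.group(1).lower()] = int(value) if value.isdigit() else value
    return settings

def audit(settings):
    """Return labels for settings that disable or weaken a control."""
    findings = []
    if settings.get("password complexity") != "on":
        findings.append("complexity-off")
    if settings.get("store plaintext passwords") != "off":
        findings.append("plaintext-storage-on")
    if settings.get("password history length", 0) == 0:
        findings.append("no-history")      # old password can be reused at once
    if settings.get("account lockout threshold", 0) == 0:
        findings.append("no-lockout")      # 0 means accounts never lock
    if settings.get("maximum password age", 0) == 0:
        findings.append("never-expires")   # 0 disables expiry
    if settings.get("minimum password length", 0) < MIN_LENGTH:
        findings.append("short-minimum")
    return findings

if __name__ == "__main__":
    for name, text in (("thread", THREAD_OUTPUT), ("after", AFTER_SUGGESTION)):
        print(name, audit(parse_settings(text)))
```
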