[Samba] Changing expired Samba AD password during Windows login

Ken McDonald ken at generation.tech
Sat Jan 20 14:39:33 UTC 2018

Thanks for the help, however I don't think your suggestion applies in my 
case. On a fresh install of Samba 4.7.4 AD you cannot change a user 
password on a logged-in PC through Ctrl-Alt-Del -> ChangePassword 
because the default MinAge is 1 day. I had to use the "samba-tool 
domain passwordsettings set --min-pwd-age=0" command to make the 
logged-on style of password change work.

All that remains is getting the PasswordChange "during login" to work.

Maybe I don't understand your suggestion. What GPO should I adjust so 
that a domain user can change their own expired password when they log 
into a domain-connected Windows desktop OS?

On 01/19/2018 04:31 AM, Marco Gaiarin via samba wrote:
> Mandi! Ken McDonald via samba
>    In chel di` si favelave...
>> I'm running a Samba AD 4.7.4 and cannot set a new password for a user with
>> an expired password during login from a Windows PC. Changing a password from
>> inside a login with Ctrl-Alt-Del "change password" works ok.
> [...]
>> samba-tool domain passwordsettings show
> Have you set the GPOs?
> 'samba-tool domain passwordsettings' works, as a ''global policy'', for
> samba domain controller only.
> For clients (and windows domain members, in general) you have to set
> the same policy in GPO.
> The last announcement of 4.8 beta seems to say this has been 'fixed', e.g.
> Samba domain controllers now also obey GPO policy.
