[Samba] Password change **apparently** failing in Windows 10 with 4.7.1

Nick Howitt nick at howitts.co.uk
Mon Feb 18 12:03:23 UTC 2019


I have a server running 4.7.1 in PDC mode (NT4-style domain) and we've 
noticed that when changing passwords now in Windows 10 the change happens 
but Windows 10 comes back with a "username or password incorrect" 
message. Logging off and logging on again shows that the password change 
has, in fact, worked as the new password is required. Similarly logging 
straight into the server shows the password change has worked.

My smb.conf is:

[global]
ntlm auth = yes
unix password sync = Yes
netbios name = MyServer
workgroup = CLEARSYSTEM
server string = MyServer
security = user
log level = 1
log file = /var/log/samba/%L-%m
max log size = 0
utmp = Yes
interfaces = lo enp2s0f1
printcap name = /etc/printcap
load printers = Yes
guest account = guest
wins support = Yes
wins server =
domain logons = Yes
add machine script = /usr/sbin/samba-add-machine "%u"
logon drive = U:
logon script = logon.cmd
logon path =
logon home = \\%L\%U
idmap config * : backend = ldap
idmap config * : range = 20000000-29999999
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 1
winbind offline logon = Yes
winbind use default domain = true
winbind separator = +
template homedir = /home/%U
template shell = /sbin/nologin
preferred master = Yes
domain master = Yes
passwd program = /usr/sbin/userpasswd %u
passwd chat = *password:* %n\n *password:* %n\n *successfully.*
passwd chat timeout = 10
username map = /etc/samba/smbusers
wide links = No
allow trusted domains = Yes
include = /etc/samba/smb.ldap.conf
include = /etc/samba/smb.winbind.conf
include = /etc/samba/flexshare.conf

/etc/samba/smb.ldap.conf is:
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=manager,ou=Internal,dc=system,dc=lan
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = No
ldap suffix = dc=system,dc=lan
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8
ldap ssl = Off

and /etc/samba/smb.winbind.conf is:
idmap config * : ldap_url = ldap://127.0.0.1
idmap config * : ldap_base_dn = ou=Idmap,dc=system,dc=lan
idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=system,dc=lan

/etc/samba/flexshare.conf contains a share definition and I have left 
out the default shares.

I have tried with "ntlm auth = yes" and "ntlm auth = no".

Do you have any idea why this is happening? Or is it a question for Windows?

Thanks,

Nick



