[Samba] Password policy for user-managed passwords

Philippe LeCavalier support at plecavalier.com
Mon Nov 1 16:34:25 UTC 2021


On Mon, Nov 1, 2021 at 10:30 AM Philippe LeCavalier <support at plecavalier.com>
wrote:

> On Mon, Nov 1, 2021 at 10:10 AM mj via samba <samba at lists.samba.org>
> wrote:
>
>> Perhaps your issue is described here:
>>
>> > There are two possible ways to modify the unicodePwd attribute. The
>> > first is similar to a normal user change password operation. In this
>> > case, the modify request must contain both a delete and an add
>> > operation. The delete operation must contain the current password
>> > with quotes around it. The add operation must contain the desired new
>> > password with quotes around it.
>> >
>> > The second way to modify this attribute is analogous to an
>> > administrator resetting a password for a user. In order to do this,
>> > the client must bind as a user with sufficient permissions to modify
>> > another user's password. This modify request should contain a single
>> > replace operation with the new desired password surrounded by quotes.
>> > If the client has sufficient permissions, this password becomes the
>> > new password, regardless of what the old password was.
>>
>> Read more here:
>>
>> https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password
>>
>> MJ
>>
> If that were to be the case a newly created account would experience the
> same issue but it doesn't. New users can CTRL+ALT+DEL and change their
> passwords. I wonder if it might have to do with the particular user having
> the setexpiry to 0? I'll try setting it to 90 and see if she can change it.
>
Now that I think of it more, I may have the issue but I need help getting
to the solution.

This user account was most likely created using the GUI (RSAT) and the
'user cannot change password' bit set. Whenever possible I use samba-tool
and have found that I haven't even touched RSAT for quite a while. If there
is no way to revert that setting via CLI then I'll have to get back into
RSAT. So my question now is, can I change that setting in samba-tool or
some other CLI-based way?
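
The two unicodePwd modify forms quoted earlier in the thread, as an added example that is not part of the original messages: it builds the LDIF for a user-style change (delete plus add) and for an administrative reset (single replace). The DN and passwords are constructed sample values, and the function names are hypothetical.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd value: the password wrapped in double quotes, as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def _b64(value: bytes) -> str:
    return base64.b64encode(value).decode("ascii")


def _header(dn: str) -> list:
    # Assumption: plain ASCII DN; a non-ASCII DN would itself need base64 in LDIF.
    if not dn.isascii():
        raise ValueError("non-ASCII DN is not handled in this example")
    return [f"dn: {dn}", "changetype: modify"]


def user_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """User-style change: one modify request holding a delete of the current
    password followed by an add of the new one."""
    return "\n".join(_header(dn) + [
        "delete: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(old_password))}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


def admin_reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a single replace; the old password is not needed,
    but the bound account must be allowed to reset this user's password."""
    return "\n".join(_header(dn) + [
        "replace: unicodePwd",
        f"unicodePwd:: {_b64(encode_unicode_pwd(new_password))}",
        "-",
        "",
    ])


if __name__ == "__main__":
    dn = "CN=Test User,CN=Users,DC=example,DC=com"  # constructed sample DN
    print(user_change_ldif(dn, "Old-Passw0rd!", "New-Passw0rd!"))
    print(admin_reset_ldif(dn, "New-Passw0rd!"))
```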

