[Samba] `samba-tool user create --must-change-at-next-login my_user` doesn't appear to work on W10

Patrick Goetz pgoetz at math.utexas.edu
Sun Oct 31 13:23:58 UTC 2021

Thanks, Rowland. I always appreciate your help. I tried it both ways
(with option before and after the new user name). Same outcome.

But I figured out what was going wrong. The command line order of the
option doesn't matter. I was creating users like this:

  # samba-tool user create dilbert --must-change-at-next-login
  # samba-tool user setexpiry dilbert --noexpiry

Setting the password expiration to no expiration seems to interfere with 
the reset password requirement.

If I just create a user like this:

  # samba-tool user create dolbert --must-change-at-next-login
  # samba-tool user create --must-change-at-next-login dulbert

Then W10 demands a password change before allowing the user to log in.

On the one hand I can see why this might work this way, but it's not 
logically correct. Requiring a change of password on first login is 
entirely independent of whether passwords should expire or not.

On 10/31/21 04:10, Rowland Penny via samba wrote:
> On Sat, 2021-10-30 at 17:32 -0500, Patrick Goetz via samba wrote:
>> I created a user my_user as so:
>>      samba-tool user create --must-change-at-next-login my_user
>> But in logging in on a domain-joined Windows 10 machine as my_user,
>> it never asked me to change my password.  I tried logging out and
>> logging back in multiple times.
>> Am I missing some trick?
> The usage is samba-tool user create <username> [<password>] [options]
> You appear to have used: samba-tool user create [options] <username>
> Not sure if this has any bearing though. Ultimately adding
> --must-change-at-next-login sets the user's pwdLastSet attribute to 0,
> so you could check if this is happening.
> Rowland
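
The check suggested in the quoted reply, extended to catch the interaction described in this message, as an added example that is not part of the original thread or of Samba's code. It assumes `--noexpiry` is stored as the "password never expires" bit (0x10000) in `userAccountControl`, and the LDIF below is constructed sample data shaped like `samba-tool user show` or `ldbsearch` output.

```python
# Added example: flag accounts whose forced password change is cancelled out.
# Assumption: "no expiry" is stored as the 0x10000 bit of userAccountControl.
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed LDIF (not real directory data).
SAMPLE_LDIF = """\
dn: CN=dilbert,CN=Users,DC=example,DC=com
sAMAccountName: dilbert
userAccountControl: 66048
pwdLastSet: 0

dn: CN=dolbert,CN=Users,DC=example,DC=com
sAMAccountName: dolbert
userAccountControl: 512
pwdLastSet: 0

dn: CN=wally,CN=Users,DC=example,DC=com
sAMAccountName: wally
userAccountControl: 66048
pwdLastSet: 132801926380000000
"""

def parse_records(ldif):
    """Split LDIF text into one {attribute: value} dict per entry."""
    records = []
    for block in ldif.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and anything that is not attr: value
            key, value = line.split(": ", 1)
            rec[key] = value.strip()
        if rec:
            records.append(rec)
    return records

def classify(rec):
    """Return the effective state of the must-change-at-next-login setting."""
    must_change = int(rec.get("pwdLastSet", "-1")) == 0
    never_expires = bool(int(rec.get("userAccountControl", "0")) & UF_DONT_EXPIRE_PASSWD)
    if must_change and never_expires:
        return "conflict"  # pwdLastSet is 0 but the never-expires bit is set
    return "change-required" if must_change else "no-change-pending"

def audit(ldif):
    return {r["sAMAccountName"]: classify(r) for r in parse_records(ldif)}

if __name__ == "__main__":
    for name, state in audit(SAMPLE_LDIF).items():
        print(f"{name}: {state}")
```
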
