[Samba] `samba-tool user create --must-change-at-next-login my_user` doesn't appear to work on W10

Patrick Goetz pgoetz at math.utexas.edu
Sun Oct 31 14:14:21 UTC 2021

On 10/31/21 08:35, Rowland Penny via samba wrote:
> On Sun, 2021-10-31 at 08:23 -0500, Patrick Goetz via samba wrote:
>> Thanks, Rowland. I always appreciate your help. I tried it both ways
>> (with option before and after the new user name). Same outcome.
>> But I figured out what was going wrong. The command line order of the
>> option doesn't matter.  I was creating users like this:
>>    # samba-tool user create dilbert --must-change-at-next-login
>>    # samba-tool user setexpiry dilbert --noexpiry
>> Setting the password expiration to no expiration seems to interfere with
>> the reset password requirement.
>> If I just create a user like this:
>>    # samba-tool user create dolbert --must-change-at-next-login
>> or
>>    # samba-tool user create --must-change-at-next-login dulbert
>> Then W10 demands a password change before allowing the user to log in.
>> On the one hand I can see why this might work this way, but it's not
>> logically correct. Requiring a change of password on first login is
>> entirely independent of whether passwords should expire or not.
> If you think it is illogical, take that up with Microsoft. You are
> basically saying 'Expire this user's password, but never expire this
> user's password'.

Yeah, maybe. In systemd terminology, the initial password change is like 
a "oneshot" service, whereas password expiry is a system policy; I view 
these as different things.

lol, "Take that up with Microsoft" is like asking someone to rail at Mt. 
Olympus. Or asking a Chicagoan to meet you at the corner of Addison and 
Madison. I've spent a ridiculous amount of money on an OS I don't even 
like to use because my kids like to play Windows games. The way I use 
Windows is to install it in a VM with no modifications, call this VM 
"pristine", clone it, and then only work with the clone until I screw it 
up.  Then delete the clone and start over from pristine.  This has 
worked fine with every version of Windows until 10. When I try to clone 
and use a licensed Windows 10 VM it tells me my license isn't valid in 
the clone and that I need to contact MS support. So I call MS support 
and they tell me I have an invalid license.

"You have a bootleg Windows 10 license and need to spend $199 at the MS 
store to get a real one"
"But it's perfectly valid in the original VM?"
"You have a bootleg license and need to spend $199 at the MS store to 
get a real one"

My guess as to what is happening is when you launch W10, it registers 
the license and host identifier in some database. If it sees a new host 
identifier with the same license in too short of a period of time, it 
doesn't pass the licensing test and they tell you to call support. This 
is why they include the message about "if you've made significant 
hardware changes, you must call support".  It must be a temporal hold, 
because I previously used this license on a test bare metal install a 
while back, and it didn't complain when I subsequently used the same 
license to create the initial W10 VM.  Anyway, the solution is to 
snapshot and just work from the original; then restore from snapshot 
once the inevitable registry immolation occurs.
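
An added example, not part of the original message and not Samba project code: an audit over LDIF user records (such as `ldbsearch` output) that flags accounts where a pending forced password change is suppressed by a never-expires flag, the combination the quoted commands produce. It assumes `--must-change-at-next-login` is stored as `pwdLastSet: 0` and `--noexpiry` as the `UF_DONT_EXPIRE_PASSWD` bit (0x10000) in `userAccountControl`; the sample records are constructed.

```python
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: "password never expires"

# Constructed sample records (not real directory output).
SAMPLE_LDIF = """\
# record 1
dn: CN=dilbert,CN=Users,DC=example,DC=com
sAMAccountName: dilbert
userAccountControl: 66048
pwdLastSet: 0

# record 2
dn: CN=dolbert,CN=Users,DC=example,DC=com
sAMAccountName: dolbert
userAccountControl: 512
pwdLastSet: 0

# record 3
dn: CN=wally,CN=Users,DC=example,DC=com
sAMAccountName: wally
userAccountControl: 512
pwdLastSet: 132801416610000000
"""

def parse_ldif(text):
    """Split simple, unfolded LDIF into one attribute dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and lines without "attr: value"
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def classify(entry):
    """Return the effective first-login state for one user entry."""
    uac = int(entry.get("userAccountControl", "0"))
    must_change = entry.get("pwdLastSet") == "0"
    if must_change and uac & UF_DONT_EXPIRE_PASSWD:
        return "change-suppressed"  # initial password stays valid indefinitely
    return "change-required" if must_change else "normal"

def audit(text):
    """Map sAMAccountName to its state for every user entry in the LDIF text."""
    return {e["sAMAccountName"]: classify(e)
            for e in parse_ldif(text) if "sAMAccountName" in e}

if __name__ == "__main__":
    for user, state in audit(SAMPLE_LDIF).items():
        print(f"{user}: {state}")
```

Accounts reported as `change-suppressed` still hold the password assigned at creation, so they are the ones to review.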
