[Samba] Samba AD DC: users cannot change expired passwords

Pluess, Tobias tpluess at ieee.org
Mon Sep 25 09:54:31 UTC 2023

Hi all,
I am running a Samba AD DC (version 4.18.6). It basically works very well.
However when testing, I found the following issue:

I create a new user account in AD, provide an initial password and set
"user must change the password at the next login".
I have only a Windows 10 machine to test, so I am going to the Windows 10
machine and try to login with the newly created user account and initial
password. Windows then correctly displays "the password is expired" and
provides a dialog to enter the new password. However when the new password
is entered and confirmed with "OK", I get again the message "the password
is expired". No matter what, I cannot get around this message and the newly
created user is never able to log in.
Further, what is even stranger is that I can even get the message
about the expired password when I enter something completely different than
the initial password. I can essentially enter anything, even a blank
password, and get the message "the password is expired" and I am never
able to change it.

Only when I log in as the domain admin can I reset the user's password.

I already changed password history and min-password-age and so on to 0, but
it still does not yet work. However, luckily, users are able to change
their own password using ctrl+alt+delete. However, why does it not work
during login?

I have already seen other people had similar issues on Windows 10, but I
didn't find out if anybody ever found a solution to this problem.

I am happy for any hints.

