[Samba] Samba AD DC: users cannot change expired passwords
Kees van Vloten
keesvanvloten at gmail.com
Mon Sep 25 13:45:23 UTC 2023
Now it becomes really interesting:
I just tested what happens when I set "the user must change the password
on the next login". Then, on my Samba domain controller, I used
kinit <the user name>
and entered the current password. Surprisingly, I got the message from
Kerberos
"Password for the user is expired. You must change it now."
And I can change the password! Afterwards, when I go back to "Active
Directory Users and Computers", the tick mark at "user must change
password at next login" is gone. So at least Kerberos behaves totally
correctly and the password is also changed correctly.
Tobias
On Mon, Sep 25, 2023 at 1:20 PM Kees van Vloten via samba
<samba at lists.samba.org> wrote:
On 25-09-2023 at 11:54, Pluess, Tobias via samba wrote:
> Hi all,
> I am running a Samba AD DC (version 4.18.6). It basically works very well.
> However when testing, I found the following issue:
>
> I create a new user account in AD, provide an initial password and set
> "user must change the password at the next login".
> I have only a Windows 10 machine to test, so I am going to the Windows 10
> machine and try to login with the newly created user account and initial
> password. Windows then correctly displays "the password is expired" and
> provides a dialog to enter the new password. However when the new password
> is entered and confirmed with "OK", I get again the message "the password
> is expired". No matter what, I cannot get around this message and the newly
> created user is never able to log in.
> Further, what is even more strange is that I can even get the message
> about the expired password when I enter something completely different than
> the initial password. I can essentially enter anything, even a blank
> password, and get the message "the password is expired" and I am never
> able to change it.
>
> Only when I log in as the domain admin, I can reset the user's password.
>
> I already changed password history and min-password-age and so on to 0, but
> it still does not yet work. However, luckily, users are able to change
> their own password using ctrl+alt+delete. However, why does it not work
> during login?
>
> I have already seen other people had similar issues on Windows 10, but I
> didn't find out if anybody ever found a solution to this problem.
>
> I am happy for any hints.
>
> Thanks,
> best
> Tobias
I have experienced exactly the same issue (also on 4.18.6). Even with
kinit on Linux you cannot change an expired password.
- Kees.