[Samba] Samba AD DC: users cannot change expired passwords
Kees van Vloten
keesvanvloten at gmail.com
Mon Sep 25 13:45:23 UTC 2023
Now it becomes really interesting:
I just tested what happens when I set "the user must change the password
on the next login". Then, on my Samba domain controller, I used
kinit <the user name>
and entered the current password. Surprisingly, I got the message from
"Password for the user is expired. You must change it now."
And I can change the password! Afterwards, when I go back to "Active
Directory Users and Computers", the tick mark at "user must change
password at next login" is gone. So at least Kerberos behaves totally
correctly and the password is also changed correctly.
On Mon, Sep 25, 2023 at 1:20 PM Kees van Vloten via samba
<samba at lists.samba.org> wrote:
On 25-09-2023 at 11:54, Pluess, Tobias via samba wrote:
> Hi all,
> I am running a Samba AD DC (version 4.18.6). It basically works
> However when testing, I found the following issue:
> I create a new user account in AD, provide an initial password
> "user must change the password at the next login".
> I have only a Windows 10 machine to test, so I am going to the
> machine and try to login with the newly created user account and
> password. Windows then correctly displays "the password is
> provides a dialog to enter the new password. However when the new
> is entered and confirmed with "OK", I get again the message "the
> is expired". No matter what, I cannot get around this message and
> created user is never able to log in.
> Further, what is even more strange is, that I can even get the
> about the expired password when I enter something completely
> the initial password. I can essentially enter anything, even a blank
> password, and get the message "the password is expired" and I am
> able to change it.
> Only when I log in as the domain admin, I can reset the user's
> I already changed password history and min-password-age and so on to 0, but
> it still does not yet work. However, luckily, users are able to
> their own password using ctrl+alt+delete. However, why does it
> during login?
> I have already seen other people had similar issues on Windows 10, but I
> didn't find out if anybody ever found a solution to this problem.
> I am happy for any hints.
I have experienced exactly the same issue (also on 4.18.6). Even with
kinit on Linux you cannot change an expired password.