[Samba] Samba AD DC: users cannot change expired passwords

Kees van Vloten keesvanvloten at gmail.com
Mon Sep 25 13:45:23 UTC 2023

Now it becomes really interesting:
I just tested what happens when I set "the user must change the password 
on the next login". Then, on my Samba domain controller, I used

kinit <the user name>

and entered the current password. Surprisingly, I got the message from 

"Password for the user is expired. You must change it now."

And I can change the password! Afterwards, when I go back to "Active 
Directory Users and Computers", the tick mark at "user must change 
password at next login" is gone. So at least Kerberos behaves totally 
correctly and the password is also changed correctly.


On Mon, Sep 25, 2023 at 1:20 PM Kees van Vloten via samba 
<samba at lists.samba.org> wrote:

    On 25-09-2023 at 11:54, Pluess, Tobias via samba wrote:
    > Hi all,
    > I am running a Samba AD DC (version 4.18.6). It basically works very well.
    > However when testing, I found the following issue:
    > I create a new user account in AD, provide an initial password and set
    > "user must change the password at the next login".
    > I have only a Windows 10 machine to test, so I am going to the Windows 10
    > machine and try to login with the newly created user account and
    > password. Windows then correctly displays "the password is expired" and
    > provides a dialog to enter the new password. However when the new
    > is entered and confirmed with "OK", I get again the message "the
    > is expired". No matter what, I cannot get around this message and the newly
    > created user is never able to log in.
    > Further, what is even more strange is, that I can even get the
    > about the expired password when I enter something completely different than
    > the initial password. I can essentially enter anything, even a blank
    > password, and get the message "the password is expired" and I am
    > able to change it.
    > Only when I log in as the domain admin, I can reset the user's
    > I already changed password history and min-password-age and so on to 0, but
    > it still does not yet work. However, luckily, users are able to
    > their own password using ctrl+alt+delete. However, why does it not work
    > during login?
    > I have already seen other people had similar issues on Windows 10, but I
    > didn't find out if anybody ever found a solution to this problem.
    > I am happy for any hints.
    > Thanks,
    > best
    > Tobias
    I have experienced exactly the same issue (also on 4.18.6). Even with
    kinit on Linux you cannot change an expired password.

    - Kees.
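The test described in this thread (tick "user must change password at next login", run kinit, change the password, confirm the tick is gone) can be checked on the DC itself rather than through the Windows logon dialog, because the tick is stored in the user's pwdLastSet attribute: 0 means "must change at next logon", anything else is the Windows FILETIME of the last change. The following is an added example, not code from the thread or from the Samba project. It assumes the LDIF-style "attribute: value" listing that `samba-tool user show <name>` prints, and both samples below are constructed rather than captured from a real DC. It also separates that forced-change state from the two other cases an admin tends to confuse with it, a password that is simply older than the domain's maxPwdAge and an account with the "password never expires" bit set.

```python
"""Classify a Samba AD user's password state from `samba-tool user show` output.

Added example, not from the mailing-list thread. The attribute listing format
is assumed to be the LDIF-style output of `samba-tool user show <name>`; the
sample listings are constructed.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns ticks since 1601-01-01 UTC; this is the
# offset between that epoch and the Unix epoch, in ticks.
FILETIME_UNIX_EPOCH_DIFF = 116_444_736_000_000_000
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

# Constructed sample: a user whose admin ticked "user must change password at
# next logon", which AD records by forcing pwdLastSet to 0.
SAMPLE_MUST_CHANGE = """\
dn: CN=Test User,CN=Users,DC=example,DC=com
sAMAccountName: testuser
userAccountControl: 512
pwdLastSet: 0
"""

# Constructed sample: the same user after a successful password change;
# pwdLastSet now holds the FILETIME for 2023-09-01 00:00:00 UTC.
SAMPLE_CHANGED = """\
dn: CN=Test User,CN=Users,DC=example,DC=com
sAMAccountName: testuser
userAccountControl: 512
pwdLastSet: 133380000000000000
"""


def parse_user_show(text):
    """Parse 'attribute: value' lines into a dict (first value wins on repeats)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), value.strip())
    return attrs


def filetime_to_datetime(ticks):
    """Convert an AD FILETIME integer to a timezone-aware UTC datetime."""
    seconds = (int(ticks) - FILETIME_UNIX_EPOCH_DIFF) / 10_000_000
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def password_state(attrs, max_pwd_age_days, now=None):
    """Classify the password as one of:
    'must-change'   pwdLastSet is 0, i.e. the "change at next logon" tick is set
    'never-expires' the DONT_EXPIRE_PASSWD bit is set in userAccountControl
    'expired'       the password is older than the domain's maxPwdAge
    'ok'            otherwise
    """
    now = now or datetime.now(timezone.utc)
    pwd_last_set = int(attrs.get("pwdLastSet", "0"))
    if pwd_last_set == 0:
        return "must-change"
    uac = int(attrs.get("userAccountControl", "0"))
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    age = now - filetime_to_datetime(pwd_last_set)
    if age > timedelta(days=max_pwd_age_days):
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Samba's default maximum password age is 43 days; read the real value
    # from `samba-tool domain passwordsettings show` on your DC.
    when = datetime(2023, 9, 25, tzinfo=timezone.utc)
    for sample in (SAMPLE_MUST_CHANGE, SAMPLE_CHANGED):
        attrs = parse_user_show(sample)
        print(attrs["sAMAccountName"], password_state(attrs, 43, now=when))
```

Running the same check before and after the kinit-driven change gives a DC-side confirmation of what the thread observed in "Active Directory Users and Computers": pwdLastSet goes from 0 to a real timestamp, so the tick disappears. If a user keeps getting "password is expired" after a change, comparing pwdLastSet with maxPwdAge and the userAccountControl bits tells you which of the three states the DC actually has the account in.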
