[Samba] Samba AD DC: users cannot change expired passwords

Rowland Penny rpenny at samba.org
Mon Sep 25 14:39:43 UTC 2023

On Mon, 25 Sep 2023 15:45:23 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> Now it becomes really interesting:
> I just tested what happens when I set "the user must change the
> password on the next login". Then, on my Samba domain controller, I
> used
> kinit <the user name>
> and entered the current password. Surprisinlgy, I got the message
> from Kerberos
> "Password for the user is expired. You must change it now."
> And I can change the password! afterwards, when I go back to "Active 
> Directory Users and Computers", the tick mark at "user must change 
> password at next login" is gone. So at least Kerberos behaves totally 
> correctly and the password is also changed correctly.
> Tobias

This is getting very confusing, for a start I received a post via the
samba mailing list that is supposed to come from Kees van Vloten, but
it is signed by Tobias ????????

There are three attributes in play here:

unicodePwd: This is where a users password is stored
pwdLastSet: This is set to '0' to force the user to change their
userAccountControl: This does many things, but one is that it can set
PASSWORD_EXPIRED if 8388608 is contained in the value set on this

I am not sure what is going wrong here, but the only thing that I can
see that might be relevant to the 4.18.x series is a CVE that was added
at 4.18.1, see here for more details:


It might be relevant, but then it might not.

Is there anything in the event logs on the client or in the DCs logs
(you may need to turn up the loglevel) ?


More information about the samba mailing list