[Samba] Users/admin unable to reset passwords

Mark Foley mfoley at novatec-inc.com
Mon Apr 29 14:35:49 UTC 2024


On Thu Apr 25 05:02:39 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Mon, 22 Apr 2024 08:56:41 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > New related issue.
> > 
> > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> > ago, and set the 'Maximum password age' to 90 days. Today, two of the
> > users' passwords were expired when they tried to log in this morning.
> > They got the message that their password was expired and to change
> > it, but when doing so they keep getting "your password has expired."
> > 
> > I've reset 3 people's passwords so far today. This worked without
> > problem on 4.8.2. Yes, they did get the Windows notice that their
> > password was expiring in x days, but they didn't act on that.
> > 
> > Any idea how to fix this? 
> > 
> >
>
> When setting a user's password, the basic command is
> 'samba-tool setpassword <username>', to which you can add the new
> password with '--newpassword=passw0rd'. If you do not supply a
> password, you will be prompted for it (twice). You can also add
> '--must-change-at-next-login', which is supposed to make the user
> change their password at the next logon.
>
> How does the '--must-change-at-next-login' switch work?
> If the switch is set, it just sets the user's 'pwdLastSet' attribute to
> '0', at which point the Windows code should kick in and prompt the
> user to change their password, then set the user's 'unicodePwd'
> attribute to basically a base64 hash of the supplied password and
> reset the user's 'pwdLastSet' attribute to the date and time that the
> password was changed.
>
> I suggest you set a test user to change their password at next login
> and then check the user's 'pwdLastSet' attribute; it should contain '0'.
> Next, attempt to log on as the user and, when prompted, change the
> password. If this works, OK, but if not, check the user's 'pwdLastSet'
> attribute again: what does it contain now?
>
> Rowland

I just had another user with an expired password who could not reset his
password. He got a notification on his Windows 11 workstation last week that his
password was expiring, but he forgot to change it.

When he came in this morning he got a notice when trying to log in: "The
password for this account has expired." Clicking "OK" prompted him to enter his
current/expired password, then a new password, then confirm the new password. 
After doing this he again got the message, "The password for this account has
expired." In short, he could not reset his password. He tried several times.

The following is his pdbedit info from the DC:

# pdbedit -u johnd -v 
Unix username:        johnd
NT username:          
Account Flags:        [U          ]
User SID:             S-1-5-21-1179323223-1906255692-291620936-1127
Primary Group SID:    S-1-5-21-1179323223-1906255692-291620936-513
Full Name:            John Doe
Home Directory:       
HomeDir Drive:        (null)
Logon Script:         
Profile Path:         
Domain:               
Account desc:         Operations Manager
Workstations:         
Munged dial:          
Logon time:           Fri, 26 Apr 2024 12:52:06 EDT
Logoff time:          0
Kickoff time:         Wed, 13 Sep 30828 22:48:05 EDT
Password last set:    Mon, 29 Jan 2024 14:02:07 EST
Password can change:  Mon, 29 Jan 2024 14:02:07 EST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

I did not find your mentioned 'pwdLastSet' specified as such, but I assume that
is the same as 'Password last set' in the above list.

Very curious, 'Password must change' is set to "Never". I also checked ADUC for
this user on the Windows admin host and 'Account expires' is also set to
"Never".

So, why is he a) being notified several days ahead to change his password and b)
being required to change his password?

Most importantly, why is it not accepting his new password change?

This never happened on the previous Samba 4.8.2 DC.

I was able to change his password with 'samba-tool user setpassword', and he was
then able to change it again once he logged in.

--Mark
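As an added illustration (not part of the thread and not Samba's own code): a small Python helper that decodes the pwdLastSet / maxPwdAge FILETIME values Rowland describes and classifies the account the way the DC does, so 'Password last set' can be checked against the 90-day policy without guessing. The sample ldbsearch-style record, its DN and the pwdLastSet value (chosen to match johnd's 'Password last set' time above) are constructed.

```python
"""Decode the AD password-timing attributes discussed in the thread.

pwdLastSet and the domain's maxPwdAge are Windows FILETIME values: 100 ns
ticks since 1601-01-01 UTC. pwdLastSet == 0 is the "must change at next
logon" marker that --must-change-at-next-login sets; otherwise the password
expires at pwdLastSet + maxPwdAge (maxPwdAge is stored as a negative interval).
"""
from datetime import datetime, timedelta, timezone

FILETIME_UNIX_EPOCH = 116444736000000000  # 1970-01-01 expressed in FILETIME ticks
TICKS_PER_SECOND = 10_000_000
NEVER = -0x8000000000000000  # maxPwdAge value meaning "passwords never expire"


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime (integer math, exact)."""
    secs, rem = divmod(ticks - FILETIME_UNIX_EPOCH, TICKS_PER_SECOND)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(microseconds=rem // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for whole-second aware datetimes."""
    return int(dt.timestamp()) * TICKS_PER_SECOND + FILETIME_UNIX_EPOCH


def parse_ldif_int(text, attr):
    """Pull one integer attribute out of ldbsearch-style LDIF output."""
    for line in text.splitlines():
        if line.startswith(attr + ":"):
            return int(line.split(":", 1)[1].strip())
    raise KeyError(attr)


def password_state(pwd_last_set, max_pwd_age, now):
    """Return (state, expiry): state is must-change / never-expires / valid / expired."""
    if pwd_last_set == 0:
        return "must-change", None          # the --must-change-at-next-login marker
    if max_pwd_age in (0, NEVER):
        return "never-expires", None
    expires = filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative interval
    return ("expired" if now >= expires else "valid"), expires


# Constructed sample, shaped like the output of
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=johnd)' pwdLastSet
SAMPLE_USER = """\
dn: CN=John Doe,CN=Users,DC=example,DC=com
pwdLastSet: 133510285270000000
"""
MAX_PWD_AGE_90_DAYS = -90 * 86400 * TICKS_PER_SECOND  # what a 90-day policy stores

if __name__ == "__main__":
    pls = parse_ldif_int(SAMPLE_USER, "pwdLastSet")
    state, exp = password_state(pls, MAX_PWD_AGE_90_DAYS, datetime.now(timezone.utc))
    print(f"pwdLastSet={filetime_to_datetime(pls):%Y-%m-%d %H:%M:%S %Z} -> {state} (expires {exp})")
```

With the sample value the password was last set on 2024-01-29 19:02:07 UTC, so a 90-day policy expires it on 2024-04-28 19:02:07 UTC, the evening before the Monday logon described above.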
