[Samba] Users/admin unable to reset passwords

Rowland Penny rpenny at samba.org
Mon Apr 29 14:55:15 UTC 2024


On Mon, 29 Apr 2024 10:35:49 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Thu Apr 25 05:02:39 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Mon, 22 Apr 2024 08:56:41 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > New related issue.
> > > 
> > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90
> > > days ago, and set the 'Maximum password age' to 90 days. Today,
> > > two of the users' passwords were expired when they tried to log
> > > in this morning. They got the message that their password was
> > > expired and to change it, but when doing so they keep getting
> > > "your password has expired." 
> > > 
> > > I've reset 3 people's passwords so far today. This worked without
> > > problem on 4.8.2. Yes, they did get the Windows notice that their
> > > password was expiring in x days, but they didn't act on that.
> > > 
> > > Any idea how to fix this? 
> > > 
> > >
> >
> > When setting a user's password, the basic command is
> > 'samba-tool setpassword <username>', to which you can add the new
> > password with '--newpassword=passw0rd'. If you do not supply a
> > password, you will be prompted for it (twice). You can also add
> > '--must-change-at-next-login', which is supposed to make the user
> > change their password at the next logon.
> >
> > How does the '--must-change-at-next-login' switch work?
> > If the switch is set, it just sets the user's 'pwdLastSet' attribute
> > to '0', at which point the Windows code should kick in and prompt
> > the user to change their password, then set the user's 'unicodePwd'
> > attribute to basically a base64 hash of the supplied password and
> > reset the user's 'pwdLastSet' attribute to the date and time that
> > the password was changed.
> >
> > I suggest you set a test user to change their password at next login
> > and then check the user's 'pwdLastSet' attribute; it should contain
> > '0'. Next, attempt to logon as the user and, when prompted, change
> > the password. If this works, OK, but if not, check the user's
> > 'pwdLastSet' attribute again: what does it contain now?
> >
> > Rowland
> 
> I just had another user with an expired password who could not reset
> his password. He got a notification on his Windows 11 workstation
> last week that his password was expiring, but he forgot to change it.
> 
> When he came in this morning he got a notice when trying to log in:
> "The password for this account has expired." Clicking "OK" prompted
> him to enter his current/expired password, then a new password, then
> confirm the new password. After doing this he again got the message,
> "The password for this account has expired." In short, he could not
> reset his password. He tried several times.
> 
> The following is his pdbedit info from the DC:
> 
> # pdbedit -u johnd -v 
> Unix username:        johnd
> NT username:          
> Account Flags:        [U          ]
> User SID:             S-1-5-21-1179323223-1906255692-291620936-1127
> Primary Group SID:    S-1-5-21-1179323223-1906255692-291620936-513
> Full Name:            John Doe
> Home Directory:       
> HomeDir Drive:        (null)
> Logon Script:         
> Profile Path:         
> Domain:               
> Account desc:         Operations Manager
> Workstations:         
> Munged dial:          
> Logon time:           Fri, 26 Apr 2024 12:52:06 EDT
> Logoff time:          0
> Kickoff time:         Wed, 13 Sep 30828 22:48:05 EDT
> Password last set:    Mon, 29 Jan 2024 14:02:07 EST
> Password can change:  Mon, 29 Jan 2024 14:02:07 EST
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> 
> I did not find your mentioned 'pwdLastSet' specified as such, but I
> assume that is the same as 'Password last set' in the above list.

You will not find it using pdbedit; you will need to use ldapsearch,
ldbedit or ldbsearch to find it, as it is an AD attribute.

> 
> Very curious: 'Password must change' is set to "Never". I also
> checked ADUC for this user on the Windows admin host and it is also
> set to 'Account expires' "Never".

AD uses 'pwdLastSet' along with whatever has been set as the domain
maximum password age to calculate when the password must be changed.
This appears to be working; what doesn't appear to be working is the
actual password change.

If you set 'user must change password at next logon', then 'pwdLastSet'
is set to 0; this is what forces the AD user to change their password.

To get the password settings on a DC, run:
sudo samba-tool domain passwordsettings show -Uadministrator

How are the users changing their password, on what OS and version?

Rowland
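The expiry calculation described above (pwdLastSet plus the domain maximum password age, with pwdLastSet = 0 meaning "must change at next logon"), as an added example that is not part of this thread or of Samba's own code. It assumes the raw attribute values have already been read from the DC with ldbsearch; the sample values below are constructed to match the dates in the thread.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10
# maxPwdAge is stored as a negative tick count; this sentinel means "never".
MAX_PWD_AGE_NEVER = -0x8000000000000000
# userAccountControl bit that exempts an account from password expiry.
UF_DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used here to build test values)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


def password_state(pwd_last_set: int, max_pwd_age: int, uac: int, now: datetime) -> dict:
    """Classify a user's password the way the DC does before allowing a logon.

    pwd_last_set: raw pwdLastSet value (0 = must change at next logon)
    max_pwd_age:  raw domain maxPwdAge value (negative ticks, or the 'never' sentinel)
    uac:          raw userAccountControl value
    """
    if pwd_last_set == 0:
        return {"status": "must-change-at-next-logon", "last_set": None, "expires": None}
    last_set = filetime_to_datetime(pwd_last_set)
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return {"status": "never-expires", "last_set": last_set, "expires": None}
    expires = last_set + timedelta(microseconds=(-max_pwd_age) // TICKS_PER_MICROSECOND)
    status = "expired" if now >= expires else "valid"
    return {"status": status, "last_set": last_set, "expires": expires}


if __name__ == "__main__":
    # Constructed sample: password last set 29 Jan 2024 14:02:07 EST (19:02:07 UTC),
    # 90-day maximum age, checked on the morning of 29 Apr 2024.
    last_set = datetime(2024, 1, 29, 19, 2, 7, tzinfo=timezone.utc)
    ninety_days = -90 * 86400 * 10_000_000
    now = datetime(2024, 4, 29, 14, 35, tzinfo=timezone.utc)
    print(password_state(datetime_to_filetime(last_set), ninety_days, 0x200, now))
```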