[Samba] Users unable to reset passwords

Rowland Penny rpenny at samba.org
Mon Jul 22 16:55:56 UTC 2024


On Mon, 22 Jul 2024 12:09:45 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Mon, 22 Apr 2024 08:56:41 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > New related issue.
> > 
> > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> > ago, and set the 'Maximum password age' to 90 days. Today, two of
> > the users' passwords were expired when they tried to log in this
> > morning. They got the message that their password was expired and
> > to change it, but when doing so they keep getting "your password
> > has expired." 
> > 
> > I've reset 3 people's passwords so far today. This worked without
> > problem on 4.8.2. Yes, they did get the Windows notice that their
> > password was expiring in x days, but they didn't act on that.
> > 
> > Any idea how to fix this? 
> 
> It's been another 90 days and passwords are expiring. I'm back to
> investigating this issue.
> 
> 1. Most people are not getting the "your password expires in X days"
> message on their Windows 11 workstations. I've looked in 'samba-tool
> user show <user>' and 'samba-tool domain passwordsettings show' and
> don't see where this setting is defined.
> 
> 2. More importantly, when their password expires, they get the normal
> Windows "Your Password has expired" dialogue with "Password", "New
> password", "Confirm password". When users fill in this info and click
> the arrow beside "Confirm password", it simply repaints the form and
> never lets them in. The same happens to me so I know it's not just
> user error. 
> 
> In ADUC > Users, no boxes are checked under "Account options" and
> "Account expires" is set to 'never'. 
> 
> This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> Samba 4.18.9, and from Windows 10 to Windows 11 on the workstations.
> Users have never since been able to set their passwords once expired.
> I have to do so for each user with 'samba-tool user setpassword
> <user>'. This used to work fine on 4.8.2. We need to get this fixed.
> 
> Suggestions?
> 
> Thanks --Mark
> 
> 

I wonder if this has anything to do with the AD password settings. What
does this show when run on a DC:

sudo samba-tool domain passwordsettings show

Rowland


