[Samba] Users unable to reset passwords

Mark Foley mfoley at novatec-inc.com
Mon Jul 22 17:06:56 UTC 2024


On Mon Jul 22 12:57:03 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 22 Jul 2024 12:09:45 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Mon, 22 Apr 2024 08:56:41 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > New related issue.
> > > 
> > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> > > ago, and set the 'Maximum password age' to 90 days. Today, two of
> > > the users' passwords were expired when they tried to log in this
> > > morning. They got the message that their password was expired and
> > > to change it, but when doing so they keep getting "your password
> > > has expired." 
> > > 
> > > I've reset 3 people's passwords so far today. This worked without
> > > problem on 4.8.2. Yes, they did get the Windows notice that their
> > > password was expiring in x days, but they didn't act on that.
> > > 
> > > Any idea how to fix this? 
> > 
> > It's been another 90 days and passwords are expiring. I'm back to
> > investigating this issue.
> > 
> > 1. Most people are not getting the "your password expires in X days"
> > message on their Windows 11 workstations. I've looked in 'samba-tool
> > user show <user>' and 'samba-tool domain passwordsettings show' and
> > don't see where this setting is defined.
> > 
> > 2. More importantly, when their password expires, they get the normal
> > Windows "Your Password has expired" dialogue with "Password", "New
> > password", "Confirm password". When users fill in this info and click
> > the arrow beside "Confirm password", it simply repaints the form and
> > never lets them in. The same happens to me so I know it's not just
> > user error. 
> > 
> > In ADUC > Users, no boxes are checked under "Account options" and
> > "Account expires" is set to 'never'. 
> > 
> > This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> > Samba 4.18.9, and from Windows 10 to Windows 11 on the workstations.
> > Users have never since been able to set their passwords once expired.
> > I have to do so for each user with 'samba-tool user setpassword
> > <user>'. This used to work fine on 4.8.2. We need to get this fixed.
> > 
> > Suggestions?
> > 
> > Thanks --Mark
> > 
> > 
>
> I wonder if this has anything to do with the AD password settings, what
> does this show when run on a DC:
>
> sudo samba-tool domain passwordsettings show
>
> Rowland

# sudo samba-tool domain passwordsettings show
Password information for domain 'DC=hprs,DC=local'

Password complexity: on
Store plaintext passwords: off
Password history length: 10
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 90
Account lockout duration (mins): 5
Account lockout threshold (attempts): 10
Reset account lockout after (mins): 30


