[Samba] Users unable to reset passwords

Rowland Penny rpenny at samba.org
Mon Jul 22 17:32:41 UTC 2024


On Mon, 22 Jul 2024 13:06:56 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Mon Jul 22 12:57:03 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> 
> > On Mon, 22 Jul 2024 12:09:45 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Mon, 22 Apr 2024 08:56:41 -0400
> > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > >
> > > > New related issue.
> > > > 
> > > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90
> > > > days ago, and set the 'Maximum password age' to 90 days. Today,
> > > > two of the users' passwords were expired when they tried to log
> > > > in this morning. They got the message that their password was
> > > > expired and to change it, but when doing so they keep getting
> > > > "your password has expired." 
> > > > 
> > > > I've reset 3 people's passwords so far today. This worked
> > > > without problem on 4.8.2. Yes, they did get the Windows notice
> > > > that their password was expiring in x days, but they didn't act
> > > > on that.
> > > > 
> > > > Any idea how to fix this? 
> > > 
> > > It's been another 90 days and passwords are expiring. I'm back to
> > > investigating this issue.
> > > 
> > > 1. Most people are not getting the "your password expires in X
> > > days" message on their Windows 11 workstations. I've looked in
> > > 'samba-tool user show <user>' and 'samba-tool domain
> > > passwordsettings show' and don't see where this setting is
> > > defined.
> > > 
> > > 2. More importantly, when their password expires, they get the
> > > normal Windows "Your Password has expired" dialogue with
> > > "Password", "New password", "Confirm password". When users fill
> > > in this info and click the arrow beside "Confirm password", it
> > > simply repaints the form and never lets them in. The same happens
> > > to me so I know it's not just user error. 
> > > 
> > > In ADUC > Users, no boxes are checked under "Account options" and
> > > "Account expires" is set to 'never'. 
> > > 
> > > This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> > > Samba 4.18.9, and from Windows 10 to Windows 11 on the
> > > workstations. Users have never since been able to set their
> > > passwords once expired. I have to do so for each user with
> > > 'samba-tool user setpassword <user>'. This used to work fine on
> > > 4.8.2. We need to get this fixed.
> > > 
> > > Suggestions?
> > > 
> > > Thanks --Mark
> > > 
> > > 
> >
> > I wonder if this has anything to do with the AD password settings,
> > what does this show when run on a DC:
> >
> > sudo samba-tool domain passwordsettings show
> >
> > Rowland
> 
> # sudo samba-tool domain passwordsettings show
> Password information for domain 'DC=hprs,DC=local'
> 
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 10
> Minimum password length: 7
> Minimum password age (days): 0
> Maximum password age (days): 90
> Account lockout duration (mins): 5
> Account lockout threshold (attempts): 10
> Reset account lockout after (mins): 30
> 

There doesn't seem to be anything wrong there; I wondered if the
minimum password age was larger than the maximum password age.

You can stop a user being able to change their password by altering the
required permission from 'allow' to 'deny'; this can be on individual
users or an entire OU.
Try checking a user's Account tab and see if 'User cannot change
password' is checked. Not sure how you do it for an OU, but it is
probably something similar.

Rowland
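
Added example, not part of the original message or of Samba's own code: a Python sketch of the two checks discussed above, a minimum password age larger than the maximum, and a 'deny' on the Change Password permission. It assumes you paste in the text of 'samba-tool domain passwordsettings show' and the SDDL string of the user's or OU's security descriptor; the function names and sample strings are constructed for illustration.

```python
import re

# User-Change-Password extended right; ADS_RIGHT_DS_CONTROL_ACCESS is 0x100.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
CONTROL_ACCESS = 0x100

# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_SETTINGS = """\
Password complexity: on
Minimum password age (days): 0
Maximum password age (days): 90
"""

# Constructed SDDL (not from the thread's domain): deny ACEs for Everyone (WD)
# and SELF (PS), which is how 'User cannot change password' is stored,
# followed by two unrelated allow ACEs.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
    "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;DA)"
    "(A;;RPLCLORC;;;AU)"
)

def parse_ages(text):
    """Return {'min_age': days, 'max_age': days} from passwordsettings output."""
    pattern = r"^(Minimum|Maximum) password age \(days\): (\d+)[ \t]*$"
    return {k.lower()[:3] + "_age": int(d) for k, d in re.findall(pattern, text, re.M)}

def age_conflict(ages):
    """True when the minimum age exceeds the maximum age."""
    # A maximum age of 0 means passwords never expire, so it cannot conflict.
    return ages["max_age"] > 0 and ages["min_age"] > ages["max_age"]

def has_control_access(rights):
    """Rights are either two-letter SDDL codes or a hex access mask."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in re.findall("..", rights)

def change_password_denied(sddl):
    """Return trustees that hold an object-deny ACE on the Change Password right."""
    trustees = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # conditional or malformed ACE: out of scope here
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields
        if ace_type == "OD" and obj_guid.lower() == CHANGE_PASSWORD_GUID and has_control_access(rights):
            trustees.append(trustee)
    return trustees
```

A non-empty result from change_password_denied() on a user or on an OU whose ACEs are inherited corresponds to the 'User cannot change password' state mentioned above.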



