[Samba] Users unable to reset passwords

Mark Foley mfoley at novatec-inc.com
Thu Jul 25 20:15:14 UTC 2024 

On Mon Jul 22 13:33:05 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Mon, 22 Jul 2024 13:06:56 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Mon Jul 22 12:57:03 2024 Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > 
> > > On Mon, 22 Jul 2024 12:09:45 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > On Mon, 22 Apr 2024 08:56:41 -0400
> > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > >
> > > > > New related issue.
> > > > > 
> > > > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90
> > > > > days ago, and set the 'Maximum password age' to 90 days. Today,
> > > > > two of the users' passwords were expired when they tried to log
> > > > > in this morning. They got the messaage that their password was
> > > > > expired and to change it, but when doing so they keep getting
> > > > > "your password has expired." 
> > > > > 
> > > > > I've reset 3 people's passwords so far today. This worked
> > > > > without problem on 4.8.2. Yes, they did get the Windows notice
> > > > > that their password was expiring in x days, but they didn't act
> > > > > on that.
> > > > > 
> > > > > Any idea how to fix this? 
> > > > 
> > > > It's been another 90 days and passwords are expiring. I'm back to
> > > > investigating this issue.
> > > > 
> > > > 1. Most people are not getting the "your password expires in X
> > > > days" message on their Windows 11 workstations. I've looked in
> > > > 'samba-tool user show <user>' and 'samba-tool domain
> > > > passwordsettings show' and don't see where this setting is
> > > > defined.
> > > > 
> > > > 2. More importantly, when their password expires, they get the
> > > > normal Windows "Your Password has expired" dialogue with
> > > > "Password", "New password", "Confirm password". When users fill
> > > > in this info and click the arrow beside "Confirm password", it
> > > > simply repaints the form and never lets them in. The same happens
> > > > to me so I know it's not just user error. 
> > > > 
> > > > In ADUC > Users, no boxes are checked under "Account options" and
> > > > "Account expires" is set to 'never'. 
> > > > 
> > > > This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> > > > Samba 4.18.9, and from Windows 10 to Windows 11 on the
> > > > workstations. Users have never since been able to set their
> > > > passwords once expired. I have to do so for each user with
> > > > 'samba-tool user setpassword <user>'. This used to work fine on
> > > > 4.8.2. We need to get this fixed.
> > > > 
> > > > Suggestions?
> > > > 
> > > > Thanks --Mark
> > > > 
> > > > 
> > >
> > > I wonder if this has anything to do with the AD password settings,
> > > what does this show when run on a DC:
> > >
> > > sudo samba-tool domain passwordsettings show
> > >
> > > Rowland
> > 
> > # sudo samba-tool domain passwordsettings show
> > Password information for domain 'DC=hprs,DC=local'
> > 
> > Password complexity: on
> > Store plaintext passwords: off
> > Password history length: 10
> > Minimum password length: 7
> > Minimum password age (days): 0
> > Maximum password age (days): 90
> > Account lockout duration (mins): 5
> > Account lockout threshold (attempts): 10
> > Reset account lockout after (mins): 30
> > 
>
> There doesn't seem to be anything wrong there, I wondered if the
> minimum password age was larger than the maximum password age.
>
> You can stop a user being able to change their password by altering the
> required permission from 'allow' to 'deny', this can be on individual
> users or an entire OU.
> Try checking a users Account tab and see if 'User cannot change
> password' is checked. Not sure how you do it for an OU, but it is
> probably something similar.
>
> Rowland

Sorry for the delay. I manage this machine remotely and Remote Desktop does not
let you change an expired password, so I had to go onsite.

On the ADUC dialogue for my domain user the Account options are:

User must change password at next login
User cannot change password
Password never expires
Store password using reversible encryption
Account is disabled
Smart card is required for interactive logon
Account is sensitive and cannot be delegated
Use only Kerberos DES encryption types for this account
This account supports Kerberos AES 128 bit encryption
This account supports Kerberos AES 256 bit encryption
Do not require Kerberos preauthentication.

All of these are un-checked. 

With samba-tool I changed Minimum password age (days): 1, which I think is what
you were suggesting.

On ADUC, I checked "User must change password at next login", then I tried to log
into a Windows 11 workstation. I got the message "The password for this account
has expired", as expected, and a dialogue box asking me to enter and confirm a
new password. I did so, but it did not take the new password and kept sycling
back to the "The password for this account has expired" dialog.

As it stands, users can change their passwords at any time, so long as it's not
expired or their account is not marked "User must change password at next
login". If a user let's his/her password expire, I have to change it manually
via ADUC or samba-tool.

Other thoughts? I suppose this could be a Windows things, but then I would
expect this problem to be pretty pervasive.

Thanks --Mark

More information about the samba mailing list