[Samba] Users unable to reset passwords

Mark Foley mfoley at novatec-inc.com
Tue Jul 30 07:18:04 UTC 2024


On samba-bounces at lists.samba.org  Thu Jul 25 16:15:45 2024 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> On Mon Jul 22 13:33:05 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > On Mon, 22 Jul 2024 13:06:56 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Mon Jul 22 12:57:03 2024 Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > > 
> > > > On Mon, 22 Jul 2024 12:09:45 -0400
> > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > On Mon, 22 Apr 2024 08:56:41 -0400
> > > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > > >
> > > > > > New related issue.
> > > > > > 
> > > > > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90
> > > > > > days ago, and set the 'Maximum password age' to 90 days. Today,
> > > > > > two of the users' passwords were expired when they tried to log
> > > > > > > in this morning. They got the message that their password was
> > > > > > expired and to change it, but when doing so they keep getting
> > > > > > "your password has expired." 
> > > > > > 
> > > > > > I've reset 3 people's passwords so far today. This worked
> > > > > > without problem on 4.8.2. Yes, they did get the Windows notice
> > > > > > that their password was expiring in x days, but they didn't act
> > > > > > on that.
> > > > > > 
> > > > > > Any idea how to fix this? 
> > > > > 
> > > > > It's been another 90 days and passwords are expiring. I'm back to
> > > > > investigating this issue.
> > > > > 
> > > > > 1. Most people are not getting the "your password expires in X
> > > > > days" message on their Windows 11 workstations. I've looked in
> > > > > 'samba-tool user show <user>' and 'samba-tool domain
> > > > > passwordsettings show' and don't see where this setting is
> > > > > defined.
> > > > > 
> > > > > 2. More importantly, when their password expires, they get the
> > > > > normal Windows "Your Password has expired" dialogue with
> > > > > "Password", "New password", "Confirm password". When users fill
> > > > > in this info and click the arrow beside "Confirm password", it
> > > > > simply repaints the form and never lets them in. The same happens
> > > > > to me so I know it's not just user error. 
> > > > > 
> > > > > In ADUC > Users, no boxes are checked under "Account options" and
> > > > > "Account expires" is set to 'never'. 
> > > > > 
> > > > > This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> > > > > Samba 4.18.9, and from Windows 10 to Windows 11 on the
> > > > > workstations. Users have never since been able to set their
> > > > > passwords once expired. I have to do so for each user with
> > > > > 'samba-tool user setpassword <user>'. This used to work fine on
> > > > > 4.8.2. We need to get this fixed.
> > > > > 
> > > > > Suggestions?
> > > > > 
> > > > > Thanks --Mark
> > > >
> > > > I wonder if this has anything to do with the AD password settings,
> > > > what does this show when run on a DC:
> > > >
> > > > sudo samba-tool domain passwordsettings show
> > > >
> > > > Rowland
> > > 
> > > # sudo samba-tool domain passwordsettings show
> > > Password information for domain 'DC=hprs,DC=local'
> > > 
> > > Password complexity: on
> > > Store plaintext passwords: off
> > > Password history length: 10
> > > Minimum password length: 7
> > > Minimum password age (days): 0
> > > Maximum password age (days): 90
> > > Account lockout duration (mins): 5
> > > Account lockout threshold (attempts): 10
> > > Reset account lockout after (mins): 30
> > > 
> >
> > There doesn't seem to be anything wrong there, I wondered if the
> > minimum password age was larger than the maximum password age.
> >
> > You can stop a user being able to change their password by altering the
> > required permission from 'allow' to 'deny', this can be on individual
> > users or an entire OU.
> > Try checking a user's Account tab and see if 'User cannot change
> > password' is checked. Not sure how you do it for an OU, but it is
> > probably something similar.
> >
> > Rowland
>
> Sorry for the delay. I manage this machine remotely and Remote Desktop does not
> let you change an expired password, so I had to go onsite.
>
> On the ADUC dialogue for my domain user the Account options are:
>
> User must change password at next login
> User cannot change password
> Password never expires
> Store password using reversible encryption
> Account is disabled
> Smart card is required for interactive logon
> Account is sensitive and cannot be delegated
> Use only Kerberos DES encryption types for this account
> This account supports Kerberos AES 128 bit encryption
> This account supports Kerberos AES 256 bit encryption
> Do not require Kerberos preauthentication.
>
> All of these are un-checked. 
>
> With samba-tool I changed Minimum password age (days): 1, which I think is what
> you were suggesting.
>
> On ADUC, I checked "User must change password at next login", then I tried to log
> into a Windows 11 workstation. I got the message "The password for this account
> has expired", as expected, and a dialogue box asking me to enter and confirm a
> new password. I did so, but it did not take the new password and kept cycling
> back to the "The password for this account has expired" dialog.
>
> As it stands, users can change their passwords at any time, so long as it's not
> expired or their account is not marked "User must change password at next
> login". If a user lets his/her password expire, I have to change it manually
> via ADUC or samba-tool.
>
> Other thoughts? I suppose this could be a Windows thing, but then I would
> expect this problem to be pretty pervasive.
>
> Thanks --Mark
>
> On 25.07.24 at 22:15, Mark Foley via samba wrote:
>
> [deleted]
> 
> I think this has been the case for some time. We also had some issues 
> with this 1-2 years ago. On this list the topic pops up from time to 
> time but it is never solved. I really think it is a Samba bug but nobody 
> has been able to prove this.
> In the end we decided to go for longer, more complex passwords and stop 
> the expiry.
> 
> Regards
> 
> Christian

So, at least one other user on this list has reported the same problem
(Christian) and he indicates that this problem "On this list the topic pops up
from time to time but it is never solved." So he's not the only one besides me. 
He *solved* it by setting no expiry on the passwords, which is an unacceptable
work-around, not a solution. 

No one has reported that they don't have a problem with password expirations. 
It is doubtful that it's a Windows 11 problem or thousands of Windows users
would be howling.  I have an associate who admins a Windows domain, no Samba,
and he has no such issue. 

The conclusion must be that it is a Samba bug with this version. As I
mentioned, I did not have this issue with Samba 4.8.2. 

So, how does one report a bug to the Samba development team?

THX --Mark
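
An added example, not part of the original post or of Samba: until self-service change on expiry works, an administrator can list the accounts that are overdue or about to expire and handle them ahead of time. It parses the passwordsettings output quoted in the thread, applies the minimum/maximum age check Rowland raised, and computes days left from each account's pwdLastSet attribute. The user names and change dates are constructed, and the per-user "Password never expires" flag is assumed to be unset, as in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

# Excerpt of the `samba-tool domain passwordsettings show` output quoted in the thread.
SETTINGS_OUTPUT = """\
Password information for domain 'DC=hprs,DC=local'
Minimum password age (days): 0
Maximum password age (days): 90
"""

def parse_settings(text):
    """Map each 'name: value' line of the samba-tool output to its value."""
    pairs = (re.match(r"(.+?):\s*(\S+)\s*$", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def policy_problems(settings):
    """The sanity check raised in the thread: minimum age must stay below maximum."""
    lo = int(settings["Minimum password age (days)"])
    hi = int(settings["Maximum password age (days)"])
    return ["minimum password age >= maximum password age"] if hi and lo >= hi else []

def to_filetime(dt):
    """datetime -> pwdLastSet units (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def days_left(pwd_last_set, max_age_days, now):
    """Days until expiry: None if passwords never expire, negative if overdue."""
    if max_age_days == 0:
        return None
    if pwd_last_set == 0:  # "User must change password at next login"
        return -1
    changed = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    return (changed + timedelta(days=max_age_days) - now).days

def expiring(users, settings, now, warn_days=14):
    """Return {user: days_left} for accounts overdue or inside the warning window."""
    max_age = int(settings["Maximum password age (days)"])
    left = {u: days_left(ts, max_age, now) for u, ts in users.items()}
    return {u: d for u, d in left.items() if d is not None and d <= warn_days}

# Constructed sample data: hypothetical users and password-change dates.
NOW = datetime(2024, 7, 30, tzinfo=UTC)
USERS = {"alice": to_filetime(datetime(2024, 4, 22, tzinfo=UTC)),
         "bob": to_filetime(datetime(2024, 5, 10, tzinfo=UTC)),
         "carol": to_filetime(datetime(2024, 7, 1, tzinfo=UTC)), "dave": 0}
print(policy_problems(parse_settings(SETTINGS_OUTPUT)),
      expiring(USERS, parse_settings(SETTINGS_OUTPUT), NOW))
```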


