[Samba] Users unable to reset passwords
Mark Foley
mfoley at novatec-inc.com
Tue Apr 29 21:30:12 UTC 2025
I first reported this problem on this list in July, 2024. Rowland suggested I post
a bug report on https://bugzilla.samba.org/createaccount-save.html, which I did
in November, 2024, but I've heard nothing back on that and don't know how to
look up bugs to see if mine was posted.
I'm going to summarize the problems, then solicit advice.
Back in Q1, 2024 we upgraded our DC from Samba 4.8.2 to the then (Slackware
distro) latest samba-4.15.5 and "upgraded" all office Windows workstation domain
members to Windows 11. We had none of these issues with Samba 4.8.2 and Windows
10. All problems listed below worked perfectly on those versions.
We are currently running Samba Version 4.18.9.
Here is my list of problems with Samba 4.18.9 and/or Windows 11.
PASSWORDS:
On the Windows workstations, not all users get notified that their password is
about to expire. If they don't change it in time, when it does expire, they
cannot change it. They keep getting the message, "your password has expired."
As the system administrator I have to use samba-tool or ADUC to manually reset
their password. I have had to do this every 90 days since the upgrade in Q1
2024.
If I do reset their passwords, they cannot change them to something private
until the next day. I assume this is because of "Minimum password age (days):
1". However, if I set that to 0 days they can't change their password at all.
Windows Group Policy settings have passwords set to expire in 90 days. Samba
settings are:
# samba-tool domain passwordsettings show
Password information for domain 'DC=hprs,DC=local'
Password complexity: off
Store plaintext passwords: off
Password history length: 5
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 15
Account lockout threshold (attempts): 10
Reset account lockout after (mins): 30
REDIRECTED FOLDERS
With Samba 4.8.2 and Windows 10 the users' redirected Desktop, Documents, etc.
were automatically created when the user logged in for the first time. That no
longer works. Even established users under Windows 10 did not get access to
their redirected folders after upgrading. Their Desktop, etc. was set to their
local workstation, as if there were no Redirected Folder Policy at all. The
Group Policy Redirected Folders is unchanged since Windows 10 and I've confirmed
with Microsoft that the policy is set properly.
I've manually pointed users' Desktop to \\mail.hprs.local\Users\username\Desktop
and that has worked for most users, but not for all. In my most recent attempt
to "move" a user's Desktop I got the errors "No items match your search" or
"Desktop / No object for Moniker". I do have some things to try on these
errors, but the point is, I didn't have to manually move folders to a user's
Redirected Folder before the upgrade.
Looking for advice ...
There are two things I can think of to try:
1. Perhaps there is a more recent version of Samba. I can go to "samba.org > get
Samba" and get the current version. I did that many years ago. Perhaps a newer
version will fix the problem?
2. I can stage a Windows Server AD/DC on a standalone domain and join a Windows
11 computer. I'm guessing that Windows-shop users don't have this problem, but I
need to do that test to determine whether the problem is with Samba or Windows
11.
Does anyone else have any thoughts?
Has anyone else experienced these problems?
Christian Naumer reported on this maillist on 26 Jul 2024 that his organization
experienced the same password problem 1 or 2 years before and opined that it was
a Samba bug. They discontinued using the auto-expiry feature of Windows and
just do things manually. Not really the solution I'm looking for.
Does anyone use Redirected Folders? Problems?
Thanks in advance for responses.
--Mark