[Samba] Users unable to reset passwords

Mark Foley mfoley at novatec-inc.com
Mon Jun 2 21:33:30 UTC 2025 

On Wed May 21 02:51:51 2025 Luis Peromarta via samba <samba at lists.samba.org> wrote:
>
> In 20 minutes.
>
> http://samba.bigbird.es/doku.php?id=samba:start
> On 21 May 2025 at 08:13 +0200, samba at lists.samba.org <samba at lists.samba.org>, wrote:
>
>
> >
> >
> > I will repeat this, I suggest you move away from slackware to Debian,
> > if only to save time, you could have had a known fully working Debian
> > DC days ago.

I've downloaded the Debian DVD, just in case. However, I was determined to see
my test plan through. Which I have at this point. To recap, I'm trying to solve
two problems:

1) Users are set to "change password on next login" or when passwords expire on
the Windows 11 workstations the users cannot reset their passwords.  As sysadmin
I have to do that through either ADUC or samba-tool. 

2) The Redirected Folders Group Policy does not work. Users' Desktops do not get
directed as the Policy specifies. I have to specifically set the location for each
user's Desktop and other redirected folders.

Both of these features used to work just fine with Samba 4.8.2 and Windows 10.
Other Group Policies (e.g. Remote Access) still work fine.

As mentioned in previous posts on this thread, I am using Slackware. Slackware
is a pretty basic distro and, although I've posted numerous threads to this list
over the past decade, few of them have been Slackware specific. 

In this case the current Slackware distro version of Samba, 4.18.9, is older
than the latest version, 4.22.1, so I thought maybe thing would be "fixed" in
this regard with a newer Samba version. 

So, I installed Samba 4.22.1 on a clean install of Slackware being careful to
remove the Slackware-native Samba package. Everything worked just fine and the
new DC passed all tests as outlined in the wiki. I joined a Windows 11
workstation to this mini Domain. I created the Redirected Folders Group Policy
per Windows' specifications. I created two new users setting their password
timeouts to 2 days.

Results:

Even with the new Samba version these two problems still exist. I will try again
to open a bug report on this.

I've been posting on this list on these problems for the past year and no one on
this list has reported that they use the Redirected Folder Policy and that it
works fine for them ... or not. Perhaps not a feature used by list members.

The only comment I've received with respect to passwords working or not was from
Christian last August, 2024:

  "I think this has been the case for some time.  We also had some issues with this
  1-2 years ago.  On this list the topic pops up from time to time but it is never
  solved.  I really think it is a Samba bug but nobody has been able to proof
  this.  In the end we decided to go for longer passwords more complex and stop
  the expiry.

  Regards, Christian"

Perhaps this is a consequence of the newer Samba versions not playing well with
Windows 11.  Domain users do not have Linux accounts so I can't say whether this
is an issue other than with Windows, but it is an issue with Window.  It would
be interest to continue the experiment joining a Windows 10 computer.  I may try
that sometime, if I can find a Windows 10 computer. 

For the time being, I'm going to adopt Christian's solution and stop the expiry
and send quarterly notifications to users to change their password, which they
can do successfully with CTRL-ALT-DEL.

As to Debian (if you've read this far), I really don't suspect Slackware as
being the problem here. I do not plan on switching all the servers from
Slackware to Debian any time soon (maybe my successor ...). There is too much
customization with mail milters, intrustion detection and counter-measure
scripts, numerous custom /etc/rc.d start-up scripts, etc., and it would be a
learning curve to adapt all that to Debian. A learning curve I really don't want
to get into right now without being sure Debian somehow solves these problems
and thus far no one has given me assurance that these Group Policy and password
issues are no problem with Debian.

These problems are annoying, but using Christian's work-around on passwords and
manually changing the location of Windows Desktop etc. to the designated redirected
folders will make things work. The Redirected Folder changes only need be done
with a new user -- not a frequent occurance.

Thanks all for you input and patience. If I ever get any feedback from the bug
report I'll try whatever they suggest and post back. Otherwise, you won't have
to worry about more list messages on this topic ... from me!

--Mark

More information about the samba mailing list