[Samba] Users unable to reset passwords

Jeffrey Walton noloader at gmail.com
Tue Jun 3 03:27:59 UTC 2025


On Mon, Jun 2, 2025 at 5:34 PM Mark Foley via samba
<samba at lists.samba.org> wrote:
>
> On Wed May 21 02:51:51 2025 Luis Peromarta via samba <samba at lists.samba.org> wrote:
> >
> > In 20 minutes.
> >
> > http://samba.bigbird.es/doku.php?id=samba:start
> > On 21 May 2025 at 08:13 +0200, samba at lists.samba.org <samba at lists.samba.org>, wrote:
> >
> >
> > >
> > >
> > > I will repeat this, I suggest you move away from slackware to Debian,
> > > if only to save time, you could have had a known fully working Debian
> > > DC days ago.
>
> I've downloaded the Debian DVD, just in case. However, I was determined to see
> my test plan through. Which I have at this point. To recap, I'm trying to solve
> two problems:
>
> 1) When users are set to "change password on next login" or when passwords expire on
> the Windows 11 workstations, the users cannot reset their passwords.  As sysadmin
> I have to do that through either ADUC or samba-tool.
>
> 2) The Redirected Folders Group Policy does not work. Users' Desktops do not get
> directed as the Policy specifies. I have to specifically set the location for each
> user's Desktop and other redirected folders.
>
> Both of these features used to work just fine with Samba 4.8.2 and Windows 10.
> Other Group Policies (e.g. Remote Access) still work fine.
>
> As mentioned in previous posts on this thread, I am using Slackware. Slackware
> is a pretty basic distro and, although I've posted numerous threads to this list
> over the past decade, few of them have been Slackware specific.
>
> In this case the current Slackware distro version of Samba, 4.18.9, is older
> than the latest version, 4.22.1, so I thought maybe things would be "fixed" in
> this regard with a newer Samba version.
>
> So, I installed Samba 4.22.1 on a clean install of Slackware being careful to
> remove the Slackware-native Samba package. Everything worked just fine and the
> new DC passed all tests as outlined in the wiki. I joined a Windows 11
> workstation to this mini Domain. I created the Redirected Folders Group Policy
> per Windows' specifications. I created two new users setting their password
> timeouts to 2 days.
>
> Results:
>
> Even with the new Samba version these two problems still exist. I will try again
> to open a bug report on this.
>
> I've been posting on this list on these problems for the past year and no one on
> this list has reported that they use the Redirected Folder Policy and that it
> works fine for them ... or not. Perhaps not a feature used by list members.
>
> The only comment I've received with respect to passwords working or not was from
> Christian last August, 2024:
>
>   "I think this has been the case for some time.  We also had some issues with this
>   1-2 years ago.  On this list the topic pops up from time to time but it is never
>   solved.  I really think it is a Samba bug but nobody has been able to prove
>   this.  In the end we decided to go for longer passwords more complex and stop
>   the expiry.
>
>   Regards, Christian"
>
> Perhaps this is a consequence of the newer Samba versions not playing well with
> Windows 11.  Domain users do not have Linux accounts so I can't say whether this
> is an issue other than with Windows, but it is an issue with Windows.  It would
> be interesting to continue the experiment joining a Windows 10 computer.  I may try
> that sometime, if I can find a Windows 10 computer.
>
> For the time being, I'm going to adopt Christian's solution and stop the expiry
> and send quarterly notifications to users to change their password, which they
> can do successfully with CTRL-ALT-DEL.

This is part of your problem. Antique password policies from the 1990s
based on numerology and not science.

Don't force users to change their passwords at all. Never throw away a
perfectly good secret. Only have them change the password if it
is suspected to be compromised.

Forced password changes, and other useless crap like complexity
requirements, weaken security over time. As you grind on users every
quarter to change a strong password, users choose weaker and weaker
passwords that comply with policy until you are left with weak
passwords like P@ssword1.

If you are interested in the science, then read Peter Gutmann's
Engineering Security (Chapter 7 PASSWORDS) or NIST SP800-63b, Digital
Identity Guidelines. Gutmann's book is particularly well cited with
security and usability studies, and it dispels all the myths, like
password rotation and complexity.

> As to Debian (if you've read this far), I really don't suspect Slackware as
> being the problem here. I do not plan on switching all the servers from
> Slackware to Debian any time soon (maybe my successor ...). There is too much
> customization with mail milters, intrusion detection and counter-measure
> scripts, numerous custom /etc/rc.d start-up scripts, etc., and it would be a
> learning curve to adapt all that to Debian. A learning curve I really don't want
> to get into right now without being sure Debian somehow solves these problems
> and thus far no one has given me assurance that these Group Policy and password
> issues are no problem with Debian.
>
> These problems are annoying, but using Christian's work-around on passwords and
> manually changing the location of Windows Desktop etc. to the designated redirected
> folders will make things work. The Redirected Folder changes only need be done
> with a new user -- not a frequent occurrence.
>
> Thanks all for your input and patience. If I ever get any feedback from the bug
> report I'll try whatever they suggest and post back. Otherwise, you won't have
> to worry about more list messages on this topic ... from me!

Jeff
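
Added example, not part of the original message or of Samba: a sketch of the contrast drawn above, comparing a classic composition rule with length-plus-blocklist screening of the kind NIST SP 800-63B describes. The blocklist contents, the substitution table, the sample passwords and all function names are constructed assumptions.

```python
import re

MIN_LENGTH = 8  # minimum length for user-chosen passwords in NIST SP 800-63B

# Constructed sample; a real deployment loads a large list of breached
# and commonly used passwords.
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "welcome"}

# Assumed normalization of common substitutions (illustrative, not from NIST).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})


def legacy_complexity_ok(pw: str) -> bool:
    """Classic composition rule: 8+ chars and 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def blocklist_ok(pw: str) -> tuple[bool, str]:
    """Length plus blocklist screening, with no composition rules."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    lowered = pw.lower()
    # Check the password itself and its stem without trailing digits/punctuation.
    candidates = {
        lowered.translate(SUBSTITUTIONS),
        lowered.rstrip("0123456789!?.#*").translate(SUBSTITUTIONS),
    }
    if candidates & BLOCKLIST:
        return False, "on blocklist"
    return True, "accepted"


def compare(pw: str) -> dict:
    """Run both policies on one password and report the outcome of each."""
    ok, reason = blocklist_ok(pw)
    return {"legacy": legacy_complexity_ok(pw), "blocklist": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("P@ssword1", "Passw0rd!", "quiet lantern over the marsh"):
        print(f"{pw!r}: {compare(pw)}")
```

The composition rule accepts both password variants and rejects the passphrase; the blocklist screen does the opposite.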


