samba - Jan 2015 - Windows users can't change password 4.1.6

Hello, 

When PDC was installed I remember that everybody could change thair passwords
after first 24h after password reset via admin console.
(I remamber that I was searching for this and even if GPO was min 0 days for
changing password you had to wait)
Anyway... Now noone is able to change password. 
When GPO tells you to change password after 30days, or you want to change it;
typing old password and new one
(something new, with few Upper and Lower chars, numbers and special char, more
than 8 lenght)
user get error about new password not being valid with GPO, but if he try to
enter old password and another new
the errors is about bad old password, the first new passwords is not working
too.

Hello Micha?,

Am 22.01.2015 um 07:13 schrieb Micha? P??rolniczak:
> When GPO tells you to change password after 30days, or you want to
> change it; ...

At first: You can't define password policies via GPO, because they have
to be interpreted by the domain controller(s) and Samba doesn't know
anything about GPOs and what to do with them. Set password stuff domain
wide via 'samba-tool domain passwordsettings'.

https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F



To find out, if there's another problem, we have to know more about the
situation: Does the password change says that it was successfully? What
do the logs say about the password change and when the user tries to
logon with the new password? And is the password usable, if you change
it via samba-tool/ADUC?


Regards,
Marc

Hello Marc,

W dniu 2015-01-22 o 20:17, Marc Muehlfeld pisze:
> Hello Micha?,
>
> Am 22.01.2015 um 07:13 schrieb Micha? P??rolniczak:
>> When GPO tells you to change password after 30days, or you want to
>> change it; ...
>
> At first: You can't define password policies via GPO, because they have
> to be interpreted by the domain controller(s) and Samba doesn't know
> anything about GPOs and what to do with them. Set password stuff domain
> wide via 'samba-tool domain passwordsettings'.
>
>
https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>
I understand. I change local GPO on each station so it bypass the GPO 
which dont work like you said. Thats why it force users to change 
password after 30 days.
>
> To find out, if there's another problem, we have to know more about the
> situation: Does the password change says that it was successfully? What
> do the logs say about the password change and when the user tries to
> logon with the new password? And is the password usable, if you change
> it via samba-tool/ADUC?
>
>
> Regards,
> Marc
>
When changing password via Windows Logon it doesn't say it change it, it 
say that new password that I entered is not valid with password politic 
settings, and wasn't change.
But if you try to change the old password once more (even with the same 
password you enter right before) it say that the user name or password 
is invalid.
And you can not log anymore using old or new password.

Which log should I lookup when changing password? any specific command 
to use it in debug mode? Im using the ubuntu repo samba 4.1.6