petr.sevcik at linuxbox.cz
2017-Apr-05 07:30 UTC
[Samba] parameter "Password must change" doesn't work correctly
Hi,
I have a problem with Samba in AD domain mode. When I change the parameter
"Password must change" to 0 for some users, Windows doesn't open the dialog
for changing the password during the first login. The user logs in to
Windows with an expired password and cannot open network shares. For users
it is confusing. After the second login of the same user, the dialog for
the password change shows and the user can change the password. In LDAP
everything looks fine. I didn't find a difference between a user where
"password must change" works on first login and a user where "password
must change" doesn't work on first login.
Do you have any idea?
My configuration:
Samba AD PDC
Version 4.3.13
smb.conf
[global]
workgroup = DOMAIN
realm = domain.com
netbios name = server
interfaces = lo eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
log level = 3
log file = /var/log/samba/log.%U
pdbedit list of problem user
Unix username: petr.sevcik
NT username:
Account Flags: [U ]
User SID: S-1-5-21-0934500099-2342309098-6523098409-1130
Primary Group SID: S-1-5-21-0934500099-2342309098-6523098409-513
Full Name: Sevcik
Home Directory:
HomeDir Drive: (null)
Logon Script:
Profile Path:
Domain:
Account desc:
Workstations:
Munged dial:
Logon time: St, 05 04 2017 05:44:01 CEST
Logoff time: Pa, 14 09 30828 04:48:05 CEST
Kickoff time: Pa, 14 09 30828 04:48:05 CEST
Password last set: Ut, 04 04 2017 16:44:29 CEST
Password can change: Ut, 04 04 2017 16:44:29 CEST
Password must change: 0
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Thanks
-------------------------------------
Petr Ševčík
-------------------------------------
Marc Muehlfeld
2017-Apr-05 15:16 UTC
[Samba] parameter "Password must change" doesn't work correctly
Hi Petr,

On 05.04.2017 at 09:30, PeSe via samba wrote:
> I have a problem with Samba in AD domain mode. When I change the parameter
> "Password must change" to 0 for some users, Windows doesn't open the dialog
> for changing the password during the first login. The user logs in to
> Windows with an expired password and cannot open network shares.

I cannot confirm this using Windows 10 and Samba 4.6.0:
I set pwdLastSet to 0 and when the user tries to log in, he must
change the password. If you press "Cancel", you are back at the login.
http://picpaste.de/pics/screenshot-v3Kcu3Ej.1491404762.png

You said "...for some users...". If this does not happen for all, the
next step is to find out what differs in the user attributes. To
display all attributes of a user, enter on a Samba DC:

# ldbsearch -H /usr/local/samba/private/sam.ldb 'sAMAccountName=user_name'

Compare a working and a non-working account.

> pdbedit list of problem user

This utility is not really compatible with AD. Especially not if you
try to set something. :-)

Did you use pdbedit to set this flag? Then I'm sure this is the cause.
Instead use:
# ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=user_name'
or RSAT, or any LDAP client.

Regards,
Marc
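The comparison suggested in the reply above, as an added example that is not part of the original thread or of Samba: it parses the LDIF that ldbsearch prints for a working and a non-working account and reports only the attributes that differ. The function names, the list of ignored attributes and the two sample records (accounts alice and bob) are assumptions constructed for illustration.

```python
import base64

# Attributes that differ between any two accounts anyway (assumed noise list).
PER_ACCOUNT = {"dn", "cn", "sn", "givenName", "name", "displayName",
               "sAMAccountName", "userPrincipalName", "objectGUID",
               "objectSid", "uSNCreated", "uSNChanged", "whenCreated", "whenChanged"}
# Subset of the userAccountControl bits that concern password handling.
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD", 0x200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x800000: "PASSWORD_EXPIRED"}

def parse_ldif(text):
    """Parse one ldbsearch LDIF record into {attribute: sorted values}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)                 # skip blanks and "# record 1" comments
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value.strip())
    return {attr: sorted(vals) for attr, vals in entry.items()}

def decode_uac(value):
    """Return the names of the known flag bits set in userAccountControl."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if int(value) & bit]

def diff_accounts(good, bad):
    """Map each differing attribute to (good_values, bad_values)."""
    attrs = (set(good) | set(bad)) - PER_ACCOUNT
    return {a: (good.get(a, []), bad.get(a, [])) for a in sorted(attrs)
            if good.get(a, []) != bad.get(a, [])}

# Constructed sample ldbsearch output, not taken from the thread.
WORKING = """# record 1
dn: CN=alice,CN=Users,DC=domain,DC=com
userAccountControl: 512
pwdLastSet: 0
"""
BROKEN = """# record 1
dn: CN=bob,CN=Users,DC=domain,DC=com
userAccountControl: 66048
pwdLastSet: 0
"""
if __name__ == "__main__":
    print(diff_accounts(parse_ldif(WORKING), parse_ldif(BROKEN)))
```

With real data, save the ldbsearch output for each account to a file and pass the file contents to parse_ldif.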
amit kumar
2017-Apr-06 05:19 UTC
[Samba] parameter "Password must change" doesn't work correctly
Hello,

Can you please provide your setup details?
1. Is the share located on Windows?
2. Have you set 'password change at next login for AD users'?
3. Are you trying to access the windows-samba-share from a Windows client/Linux client?

Thanks
Amit

On 04/05/2017 08:46 PM, Marc Muehlfeld via samba wrote:
> Hi Petr,
>
> On 05.04.2017 at 09:30, PeSe via samba wrote:
>> I have a problem with Samba in AD domain mode. When I change the parameter
>> "Password must change" to 0 for some users, Windows doesn't open the dialog
>> for changing the password during the first login. The user logs in to
>> Windows with an expired password and cannot open network shares.
>
> I cannot confirm this using Windows 10 and Samba 4.6.0:
> I set pwdLastSet to 0 and when the user tries to log in, he must
> change the password. If you press "Cancel", you are back at the login.
> http://picpaste.de/pics/screenshot-v3Kcu3Ej.1491404762.png
>
> You said "...for some users...". If this does not happen for all, the
> next step is to find out what differs in the user attributes. To
> display all attributes of a user, enter on a Samba DC:
>
> # ldbsearch -H /usr/local/samba/private/sam.ldb 'sAMAccountName=user_name'
>
> Compare a working and a non-working account.
>
>> pdbedit list of problem user
>
> This utility is not really compatible with AD. Especially not if you
> try to set something. :-)
>
> Did you use pdbedit to set this flag? Then I'm sure this is the cause.
> Instead use:
> # ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=user_name'
> or RSAT, or any LDAP client.
>
> Regards,
> Marc

--
Thanks
Amit Kumar

There are three ways to get something done:
(1) Do it yourself.
(2) Hire someone to do it for you.
(3) Forbid your kids to do it.