samba - Feb 2019 - Password change **apparently** failing in Windows 10 with 4.7.1

I have a server running 4.7.1 in PDC mode (NT4-style domain) and we've 
noticed that when changing passwords now in Window10 the change happens 
but Windows 10 comes back with a "username or password incorrect" 
message. Logging off and logging on again shows that the password change 
has, in fact, worked as the new password is required. Similarly logging 
straight into the server shows the password change has worked.

My smb.conf is:

[global]
ntlm auth = yes
unix password sync = Yes
netbios name = MyServer
workgroup = CLEARSYSTEM
server string = MyServer
security = user
log level = 1
log file = /var/log/samba/%L-%m
max log size = 0
utmp = Yes
interfaces = lo enp2s0f1
printcap name = /etc/printcap
load printers = Yes
guest account = guest
wins support = Yes
wins server domain logons = Yes
add machine script = /usr/sbin/samba-add-machine "%u"
logon drive = U:
logon script = logon.cmd
logon path logon home = \\%L\%U
idmap config * : backend = ldap
idmap config * : range = 20000000-29999999
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 1
winbind offline logon = Yes
winbind use default domain = true
winbind separator = +
template homedir = /home/%U
template shell = /sbin/nologin
preferred master = Yes
domain master = Yes
passwd program = /usr/sbin/userpasswd %u
passwd chat = *password:* %n\n *password:* %n\n *successfully.*
passwd chat timeout = 10
username map = /etc/samba/smbusers
wide links = No
allow trusted domains = Yes
include = /etc/samba/smb.ldap.conf
include = /etc/samba/smb.winbind.conf
include = /etc/samba/flexshare.conf

/etc/samba/smb.ldap.conf is:
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=manager,ou=Internal,dc=system,dc=lan
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = No
ldap suffix = dc=system,dc=lan
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8
ldap ssl = Off

and /etc/samba/smb.winbind.conf is:
idmap config * : ldap_url = ldap://127.0.0.1
idmap config * : ldap_base_dn = ou=Idmap,dc=system,dc=lan
idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=system,dc=lan

/etc/samba/flexshare.conf contains a shate definition and I have left 
out the default shares.

I have tried with "ntlm auth = yes" and "ntlm auth = no".

Do you have any idea why this is happening? Or is it a question for Windows?

Thanks,

Nick

Mandi! Nick Howitt via samba
  In chel di` si favelave...

Could be that:
> unix password sync = Yes
Add a little delay, that ''confuse'' win10 box?

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

On Mon, 18 Feb 2019 14:08:46 +0100
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Mandi! Nick Howitt via samba
>   In chel di` si favelave...
> 
> Could be that:
> 
> > unix password sync = Yes
> 
> Add a little delay, that ''confuse'' win10 box?
> 
I doubt it, it is probably another artefact of the 'Windows doesn't
care about NT4-style domain' syndrome.

Microsoft EOL'ed NT domains over 10 years ago, so they just don't
think about keeping them working whilst writing code.

I do not think this is a Samba problem, the password gets changed and
can be used to log into the server, so it works from the Samba
perspective, it falls over on the Win10 computer. This, to me, points
to a Windows problem.

I have said it before and I will probably have to say it again, if
you run an NT4-style domain, upgrade to an AD domain as soon as
possible.

The problem for the OP is (if I am correct), he will have to change his
OS as well ('CLEARSYSTEM' possibly means CLEAROS).

Rowland