Rowland Penny
2021-Oct-31 09:10 UTC
[Samba] `samba-tool user create --must-change-at-next-login my_user` doesn't appear to work on W10
On Sat, 2021-10-30 at 17:32 -0500, Patrick Goetz via samba wrote:
> I created a user my_user as so:
>
> samba-tool user create --must-change-at-next-login my_user
>
> But in logging in on a domain-joined Windows 10 machine as my_user, it
> never asked me to change my password. I tried logging out and logging
> back in multiple times.
>
> Am I missing some trick?

The usage is samba-tool user create <username> [<password>] [options]
You appear to have used: samba-tool user create [options] <username>
Not sure if this has any bearing though. Ultimately adding --must-change-at-next-login sets the user's pwdLastSet attribute to 0, so you could check if this is happening.

Rowland
Patrick Goetz
2021-Oct-31 13:23 UTC
[Samba] `samba-tool user create --must-change-at-next-login my_user` doesn't appear to work on W10
Thanks, Rowland. I always appreciate your help.

I tried it both ways (with option before and after the new user name). Same outcome. But I figured out what was going wrong. The command line order of the option doesn't matter. I was creating users like this:

  # samba-tool user create dilbert --must-change-at-next-login
  # samba-tool user setexpiry dilbert --noexpiry

Setting the password expiration to no expiration seems to interfere with the reset password requirement. If I just create a user like this:

  # samba-tool user create dolbert --must-change-at-next-login

or

  # samba-tool user create --must-change-at-next-login dulbert

Then W10 demands a password change before allowing the user to log in.

On the one hand I can see why this might work this way, but it's not logically correct. Requiring a change of password on first login is entirely independent of whether passwords should expire or not.

On 10/31/21 04:10, Rowland Penny via samba wrote:
> On Sat, 2021-10-30 at 17:32 -0500, Patrick Goetz via samba wrote:
>> I created a user my_user as so:
>>
>> samba-tool user create --must-change-at-next-login my_user
>>
>> But in logging in on a domain-joined Windows 10 machine as my_user, it
>> never asked me to change my password. I tried logging out and logging
>> back in multiple times.
>>
>> Am I missing some trick?
>
> The usage is samba-tool user create <username> [<password>] [options]
> You appear to have used: samba-tool user create [options] <username>
> Not sure if this has any bearing though. Ultimately adding
> --must-change-at-next-login sets the user's pwdLastSet attribute to 0,
> so you could check if this is happening.
>
> Rowland
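
The check Rowland suggests, extended to the expiry interaction Patrick found, as an added example that is not part of the thread or of Samba's code: it reads LDIF for pwdLastSet and userAccountControl and reports accounts where a forced change was requested but will not be enforced. It assumes the interference comes from the "password never expires" bit (0x10000) of userAccountControl, which in Active Directory takes precedence over pwdLastSet: 0; the LDIF entries, the wally account and the example.com DNs are constructed.

```python
# Added example, not from the thread. The LDIF below is constructed sample data.
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires

SAMPLE_LDIF = """\
dn: CN=dilbert,CN=Users,DC=example,DC=com
sAMAccountName: dilbert
userAccountControl: 66048
pwdLastSet: 0

dn: CN=dolbert,CN=Users,DC=example,DC=com
sAMAccountName: dolbert
userAccountControl: 512
pwdLastSet: 0

dn: CN=wally,CN=Users,DC=example,DC=com
sAMAccountName: wally
userAccountControl: 512
pwdLastSet: 132800000000000000
"""

def parse_ldif(text):
    """Split simple (unwrapped, non-base64) LDIF into one dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if entry:
            entries.append(entry)
    return entries

def change_status(entry):
    """Classify whether 'must change at next login' will be enforced."""
    uac = int(entry.get("userAccountControl", "0"))
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    if pwd_last_set != 0:
        return "not-requested"              # password has a real set time
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "requested-but-overridden"   # assumed: the flag wins, no prompt
    return "enforced"                       # pwdLastSet 0 and no override

def audit(text):
    """Map sAMAccountName to its status for every entry in the LDIF."""
    return {e["sAMAccountName"]: change_status(e) for e in parse_ldif(text)}

if __name__ == "__main__":
    for user, status in audit(SAMPLE_LDIF).items():
        print(f"{user}: {status}")
```

Accounts reported as requested-but-overridden still carry their administrator-chosen initial password, which is the case worth reviewing.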