New related issue.
I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days ago, and set the 'Maximum password age' to 90 days. Today, two of the users' passwords were expired when they tried to log in this morning. They got the message that their password was expired and to change it, but when doing so they keep getting "your password has expired."
I've reset 3 people's passwords so far today. This worked without problem on 4.8.2. Yes, they did get the Windows notice that their password was expiring in x days, but they didn't act on that.
Any idea how to fix this?
(Note the problem with "User must change password at next login" described below when I first upgraded the DC).
Thanks --Mark
-----Original Message-----
Date: Mon, 29 Jan 2024 15:31:12 -0500
Organization: Novatec Software Engineering, LLC
To: samba at lists.samba.org
Subject: Re: [Samba] Users/admin unable to reset passwords
From: Mark Foley via samba <samba at lists.samba.org>
On Sun Jan 28 19:28:58 2024 Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Wed, 2024-01-24 at 16:02 -0500, Mark Foley via samba wrote:
> >
> > It looks like I'm having a serious problem with passwords and domain
> > credentials.
> > After joining the office Windows workstations as domain members to
> > the new AD, I used ADUC to set everyone's password to some value so I
> > could verify their apps got updated when logging in. After doing
> > that, I again used ADUC to check the box requiring everyone to change
> > their password when logging in.
> >
> > The next day when users arrived, they got the message to change their
> > password, but the system would not accept the new password. I had to
> > go back into ADUC and un-set that checkbox. Then users could log in
> > with the password I had set and change it with Ctrl-Alt-DEL.
> >
> > As an additional experiment, I used samba-tool to set one of the
> > users to have his password expire in two days. Which it did
> > today. He got no message leading up to this telling him his password
> > was about to expire, as used to happen, but it did expire today and
> > prevented him from logging in at all, and did not prompt him to set a
> > new password.
> >
> > I went to ADUC and set his profile to never expire the password, then
> > set the password itself to some values. He still could not log in.
> > I then used samba-tool to set his password. He could not and still
> > cannot login.
> >
> > What's up here? This user is now completely unable to log into his
> > workstation at all, nor can it be logged into remotely. The RDC
> > dialog says "credentials failed". As admin I don't seem to have the
> > ability to let him in. I am concerned as to what will happen when the
> > other users' password time limit expires.
> >
> > The Windows workstations are the exact same ones that were connected
> > to the previous Samba 4.8.2 domain. All that has changed is they have
> > been unjoined then rejoined to the new 4.8.19 domain.
>
> Is this a Samba 4.19 domain? Can you clarify the version?
> What is in the server logs?
>
> This is meant to work, and we do have tests for this area, but perhaps
> something hasn't been covered.
> Andrew Bartlett
This is Samba 4.18.9. I have confirmed that in ADUC if I set the user > properties > Account to "User must change password at next login", the user is indeed prompted for a new password at next login, but regardless of what he enters, he continues to be prompted to change his password.
If I un-check "User must change password at next login" he can get in with his old/current password.
It looks like the act of entering the new password neither sets the new password
nor un-checks the "reset next login" box.
What server logs do you mean? Those on the DC or on the Windows domain member? I've looked in the DC logs and see nothing, but maybe I don't know what to look for.
--Mark
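As an added example (not code from this thread or from Samba), the following decodes the two account attributes behind the symptoms above, `pwdLastSet` (a value of 0 is what the ADUC "User must change password at next login" box sets, and a successful change should replace it with the current time) and the "Password never expires" bit of `userAccountControl`, from a constructed ldbsearch-style dump and reports whether each account is expired, must-change, or never-expiring under a 90-day maximum age. The user names, the dump contents and the "this morning" timestamp are assumptions.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UAC_DONT_EXPIRE_PASSWD = 0x10000  # ADUC "Password never expires" checkbox

def dt_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def filetime_to_dt(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """One {attribute: value} dict per blank-line-separated entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            key, val = line.split(":", 1)
            cur[key.strip()] = val.strip()
    return entries

def password_state(entry, max_pwd_age_days, now):
    """Classify one account; max_pwd_age_days == 0 means no maximum (samba-tool convention)."""
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    uac = int(entry.get("userAccountControl", "0"))
    if pwd_last_set == 0:  # ADUC "must change password at next logon" zeroes pwdLastSet;
        return "must-change"  # a successful change should stamp it with the current time
    if uac & UAC_DONT_EXPIRE_PASSWD or max_pwd_age_days == 0:
        return "never-expires"
    expires_at = filetime_to_dt(pwd_last_set) + timedelta(days=max_pwd_age_days)
    return "expired" if now >= expires_at else "ok"

def ldif_entry(name, pwd_last_set, uac):  # builds one constructed entry
    return (f"dn: CN={name},CN=Users,DC=example,DC=com\nsAMAccountName: {name}\n"
            f"pwdLastSet: {pwd_last_set}\nuserAccountControl: {uac}\n")

NOW = datetime(2024, 4, 29, 9, 0, tzinfo=timezone.utc)  # assumed "this morning"
MIGRATION = dt_to_filetime(NOW - timedelta(days=91))    # passwords set at the DC migration
SAMPLE = "\n".join([ldif_entry("alice", MIGRATION, 512),      # hypothetical users
                    ldif_entry("bob", 0, 512),                 # flagged must-change
                    ldif_entry("carol", MIGRATION, 66048)])    # 512 | 0x10000

def report(ldif=SAMPLE, max_pwd_age_days=90, now=NOW):
    return {e["sAMAccountName"]: password_state(e, max_pwd_age_days, now)
            for e in parse_ldif(ldif)}
```

Running `report()` against a real dump (for example the output of `ldbsearch` against the DC's sam.ldb filtered on the affected accounts) shows whether the failed change left `pwdLastSet` at 0, which is the state the thread's "keeps prompting to change" symptom corresponds to.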