On Mon, 22 Apr 2024 08:56:41 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> New related issue.
>
> I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> ago, and set the 'Maximum password age' to 90 days. Today, two of the
> users' passwords were expired when they tried to log in this morning.
> They got the message that their password was expired and to change
> it, but when doing so they keep getting "your password has expired."
>
> I've reset 3 people's passwords so far today. This worked without
> problem on 4.8.2. Yes, they did get the Windows notice that their
> password was expiring in x days, but they didn't act on that.
>
> Any idea how to fix this?

It's been another 90 days and passwords are expiring. I'm back to
investigating this issue.

1. Most people are not getting the "your password expires in X days"
message on their Windows 11 workstations. I've looked in 'samba-tool
user show <user>' and 'samba-tool domain passwordsettings show' and
don't see where this setting is defined.

2. More importantly, when their password expires, they get the normal
Windows "Your Password has expired" dialogue with "Password", "New
password", "Confirm password". When users fill in this info and click
the arrow beside "Confirm password", it simply repaints the form and
never lets them in. The same happens to me so I know it's not just
user error.

In ADUC > Users, no boxes are checked under "Account options" and
"Account expires" is set to 'never'.

This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
Samba 4.18.9, and from Windows 10 to Windows 11 on the workstations.
Users have never since been able to set their passwords once expired.
I have to do so for each user with 'samba-tool user setpassword
<user>'. This used to work fine on 4.8.2.

We need to get this fixed.

Suggestions?

Thanks --Mark

On Mon, 22 Jul 2024 12:09:45 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Mon, 22 Apr 2024 08:56:41 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > New related issue.
> >
> > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> > ago, and set the 'Maximum password age' to 90 days. Today, two of
> > the users' passwords were expired when they tried to log in this
> > morning. They got the message that their password was expired and
> > to change it, but when doing so they keep getting "your password
> > has expired."
> >
> > I've reset 3 people's passwords so far today. This worked without
> > problem on 4.8.2. Yes, they did get the Windows notice that their
> > password was expiring in x days, but they didn't act on that.
> >
> > Any idea how to fix this?
>
> It's been another 90 days and passwords are expiring. I'm back to
> investigating this issue.
>
> 1. Most people are not getting the "your password expires in X days"
> message on their Windows 11 workstations. I've looked in 'samba-tool
> user show <user>' and 'samba-tool domain passwordsettings show' and
> don't see where this setting is defined.
>
> 2. More importantly, when their password expires, they get the normal
> Windows "Your Password has expired" dialogue with "Password", "New
> password", "Confirm password". When users fill in this info and click
> the arrow beside "Confirm password", it simply repaints the form and
> never lets them in. The same happens to me so I know it's not just
> user error.
>
> In ADUC > Users, no boxes are checked under "Account options" and
> "Account expires" is set to 'never'.
>
> This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> Samba 4.18.9, and from Windows 10 to Windows 11 on the workstations.
> Users have never since been able to set their passwords once expired.
> I have to do so for each user with 'samba-tool user setpassword
> <user>'. This used to work fine on 4.8.2.
>
> We need to get this fixed.
>
> Suggestions?
>
> Thanks --Mark

I wonder if this has anything to do with the AD password settings.
What does this show when run on a DC:

sudo samba-tool domain passwordsettings show

Rowland

Hello! Mark Foley via samba
  On that day it was said...

> Suggestions?

Password policy is not an 'account thing', but a 'policy thing': you
have to define a GPO with password expiration, and it is a 'computer
policy', so if you have different policies, you get different
expirations.

So, first: verify that GPOs get correctly propagated and are coherent
on the client.

--