Brett Charbeneau
2015-Jul-06 21:18 UTC
[Samba] Can't force Windows users to change password at next login since upgrade to Samba4
I would be VERY grateful for anyone who can find time to offer a tip or hint!

I upgraded an Ubuntu LTS server (running Samba 3.X) to the latest version (running Samba 4.1.6) a few months ago and a bothersome issue persists with forcing Windows users to change their password at the next login.

This command used to do the trick:

    net sam set pwdmustchangenow <username> yes

and indeed the user is prompted to change their password now, but they are always given an "Access is denied" message upon entering a new password selection twice.

The error recorded by Samba at the client log appears to be related to PAM:

    [2015/07/06 16:10:59.294295, 0] ../source3/rpc_server/srv_pipe.c:471(pipe_schannel_auth_bind)
      pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
    [2015/07/06 16:11:01.067248, 0] ../source3/rpc_server/srv_pipe.c:471(pipe_schannel_auth_bind)
      pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2

We use the tdbsam backend and the server in question is a primary domain controller. We do have libpam-smbpass installed.

I tried

    pdbedit -P "maximum password age" -C 0 -u <username>

with the same results.

/etc/samba/smb.conf

[global]
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    obey pam restrictions = yes
    admin users = administrator @smbadmins root
    show add printer wizard = yes
    passwd program = /usr/bin/passwd %u
    dns proxy = no
    logon script = logon.bat
    time server = yes
    logon path =
    netbios name = PDC
    printing = cups
    default = Data
    local master = yes
    workgroup = WORKER
    os level = 64
    printcap name = cups
    security = user
    add machine script = /usr/sbin/useradd -s /bin/false -d /nonexistent '%u' -g smbmachines
    max log size = 1000
    delete user script = /usr/sbin/userdel -r '%u'
    log file = /var/log/samba/log.%m
    guest account = nobody
    add group script = /usr/sbin/groupadd '%g'
    socket options = TCP_NODELAY
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    domain master = yes
    encrypt passwords = true
    passdb backend = tdbsam
    wins support = true
    server string = WORK Domain Controller
    path = /shares/data
    unix password sync = yes
    comment = Project and User Folders
    add user script = /usr/sbin/useradd -m '%u' -g smbusers -G smbusers
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    domain logons = yes
    pam password change = yes
    enable privileges = Yes
    rename user script = /usr/sbin/usermod -l '%unew' '%uold'
    create mask = 0775
    directory mask = 0775

[netlogon]
    comment = Network Logon Service
    path = /export/logon
    read only = yes
    valid users = root @smbadmins @smbusers @WORKers

[Data]
    comment = Projects and User Files
    path = /shares/data
    writeable = Yes
    create mask = 775
    directory mask = 0770
    browseable = Yes
    inherit permissions = Yes

/etc/pam.d/samba

    @include common-auth
    @include common-account
    @include common-session-noninteractive
    @include common-password

-- 
Brett Charbeneau
brett at happysnowman.com
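The post above pairs an smb.conf and a Samba log excerpt; the following is an added triage script, not code from the poster or from the Samba project. It parses smb.conf the way Samba reads it (section headers, case- and whitespace-insensitive parameter names, `;`/`#` comments), reports which mechanism Samba will use to update the Unix password when a domain user changes their SMB password (`unix password sync` plus `pam password change` versus `passwd program`), and pairs Samba's two-line log records so the "schannel without successful serverauth2" errors can be counted. The config and log samples are constructed from the posted material and trimmed; the third log record is a constructed benign entry with placeholder file and function names.

```python
import re

# Constructed from the smb.conf posted above, trimmed to the parameters that
# decide how a password change is propagated to the Unix account.
SMB_CONF = r"""
[global]
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   obey pam restrictions = yes
   passwd program = /usr/bin/passwd %u
   security = user
   passdb backend = tdbsam
   unix password sync = yes
   pam password change = yes
   domain logons = yes
   ; comment lines are ignored, as in Samba

[netlogon]
   path = /export/logon
   read only = yes
"""

# Constructed log excerpt in Samba's two-line layout (header line, then an
# indented message line). The last record is a placeholder benign entry.
SAMBA_LOG = """\
[2015/07/06 16:10:59.294295,  0] ../source3/rpc_server/srv_pipe.c:471(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2015/07/06 16:11:01.067248,  0] ../source3/rpc_server/srv_pipe.c:471(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2015/07/06 16:11:05.000000,  1] ../source3/example/example.c:1(example_function)
  example_function: constructed benign log line for this example
"""


def norm_key(key):
    """Samba compares parameter names case-insensitively and ignores whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][norm_key(key)] = value.strip()
    return sections


def password_change_path(conf):
    """Report which mechanism Samba uses to push an SMB password change to the
    Unix account, and note settings that then matter for that mechanism."""
    g = conf.get("global", {})

    def enabled(key):
        return g.get(key, "no").lower() in ("yes", "true", "1")

    findings = []
    if not enabled("unixpasswordsync"):
        return {"mechanism": "none",
                "findings": ["unix password sync is off: only the SAM password changes"]}
    if enabled("pampasswordchange"):
        mechanism = "pam"
        findings.append("PAM is used; /etc/pam.d/samba and 'passwd chat' must match the PAM prompts")
    else:
        mechanism = "passwd program"
        if "passwdprogram" not in g:
            findings.append("unix password sync = yes but no passwd program is set")
    if "passwdchat" not in g:
        findings.append("no passwd chat set; Samba uses its built-in default chat script")
    return {"mechanism": mechanism, "findings": findings}


LOG_HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"\s+(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")


def parse_samba_log(text):
    """Pair each Samba log header with the indented message line that follows it."""
    events = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = LOG_HEADER.match(line)
        if m and i + 1 < len(lines):
            event = m.groupdict()
            event["message"] = lines[i + 1].strip()
            events.append(event)
    return events


def schannel_bind_failures(events):
    """Select records where a schannel bind was attempted without a preceding
    successful ServerAuthenticate2, i.e. the error quoted in the post."""
    return [e for e in events if "without successful serverauth2" in e["message"]]


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    print(password_change_path(conf))
    for e in schannel_bind_failures(parse_samba_log(SAMBA_LOG)):
        print(e["ts"], e["func"], e["message"])
```

Run against a real /var/log/samba/log.<client> and /etc/samba/smb.conf, the two parsers separate the "which mechanism is in effect" question from the "how often does the schannel bind fail" question, which are otherwise easy to conflate when both appear around one failed password change.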