Luke Barone
2017-Jun-02 23:01 UTC
[Samba] Cannot change passwords on Active Directory Samba from clients
Hi list,

We are working on getting Samba version 4.5.8-debian (on Stretch) with Active Directory running, and we are running into a major road block. Clients (Windows 7 Pro, Windows 10 Pro and Educational) cannot change their passwords on their own. We can force the user to reset the password for their next login (works), or reset the password with ADUC RSAT as the Domain Admin. If the user tries to use "Change Password" from the Ctrl Alt Delete menu, it fails with the message:

Unable to update the password. The value provided for the new password does not meet the length complexity, or history requirements of the domain

We are out of ideas, and Google is not helping much. Below is the smb.conf file from the main domain controller (we troubleshooted by even shutting down the secondary DC):

# Global parameters
[global]
    bind interfaces only = Yes
    interfaces = lo enp0s17
    netbios name = DC1
    realm = <FQDN>
    workgroup = <DOMAIN>
    dns forwarder = <DNS SERVER>
    server role = active directory domain controller
    winbind separator = /
    idmap_ldb:use rfc2307 = yes
    comment
[netlogon]
    path = /var/lib/samba/sysvol/<DOMAIN>/scripts
    read only = No
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

We have disabled all the password policies in Group Policy Management Console, as well as using samba-tool domain passwordsettings to disable any restrictions, such as minimum password age, and password complexity.

What are our next steps?
Elias Pereira
2017-Jun-03 00:42 UTC
[Samba] Cannot change passwords on Active Directory Samba from clients
Anything in the logs?

--
Elias Pereira
Luke Barone
2017-Jun-03 00:49 UTC
[Samba] Cannot change passwords on Active Directory Samba from clients
I'll need to check on Monday and get back to you

On Jun 2, 2017 5:47 PM, "Elias Pereira via samba" <samba at lists.samba.org> wrote:
> Anything in the logs?
Andrew Bartlett
2017-Jun-03 06:55 UTC
[Samba] Cannot change passwords on Active Directory Samba from clients
On Fri, 2017-06-02 at 16:01 -0700, Luke Barone via samba wrote:
> Hi list,
>
> We are working on getting Samba version 4.5.8-debian (on Stretch) with
> Active Directory running, and we are running into a major road block.
> Clients (Windows 7 Pro, Windows 10 Pro and Educational) cannot change their
> passwords on their own. We can force the user to reset the password for
> their next login (works), or reset the password with ADUC RSAT as the
> Domain Admin. If the user tries to use "Change Password" from the Ctrl Alt
> Delete menu, it fails with the message:
>
> Unable to update the password. The value provided for the new password does
> not meet the length complexity, or history requirements of the domain
>
> We are out of ideas, and Google is not helping much. Below is the smb.conf
> file from the main domain controller (we troubleshooted by even shutting
> down the secondary DC):
>
> # Global parameters
> [global]
>     bind interfaces only = Yes
>     interfaces = lo enp0s17
>     netbios name = DC1
>     realm = <FQDN>
>     workgroup = <DOMAIN>
>     dns forwarder = <DNS SERVER>
>     server role = active directory domain controller
>     winbind separator = /
>     idmap_ldb:use rfc2307 = yes
>     comment
> [netlogon]
>     path = /var/lib/samba/sysvol/<DOMAIN>/scripts
>     read only = No
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> We have disabled all the password policies in Group Policy Management
> Console, as well as using samba-tool domain passwordsettings to disable any
> restrictions, such as minimum password age, and password complexity.

To be clear, only the samba-tool step makes any difference, we don't honour the Group Policy settings on the DC.

Have you tried changing it to an absurdly complex password after reducing the minimum age with samba-tool?

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
Marc Muehlfeld
2017-Jun-03 07:10 UTC
[Samba] Cannot change passwords on Active Directory Samba from clients
Hi Luke,

On 03.06.2017 at 01:01, Luke Barone via samba wrote:
> We have disabled all the password policies in Group Policy Management
> Console, as well as using samba-tool domain passwordsettings to disable any
> restrictions, such as minimum password age, and password complexity.

This is a local setting on each DC. Have you set it on all of your Samba DCs?

For Windows DCs this setting is managed using GPOs and each DC applies this setting. However, Samba is currently not able to process GPOs. For this reason this feature was implemented in samba-tool, but needs to be set on each DC.

Does setting a password work if it matches the rules:
https://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx

For example, you should be able to set "Passw0rd" for a user if complexity is enabled.

Regards,
Marc
Andrew Bartlett
2017-Jun-03 07:41 UTC
[Samba] Cannot change passwords on Active Directory Samba from clients
On Sat, 2017-06-03 at 09:10 +0200, Marc Muehlfeld via samba wrote:
> Hi Luke,
>
> On 03.06.2017 at 01:01, Luke Barone via samba wrote:
> > We have disabled all the password policies in Group Policy Management
> > Console, as well as using samba-tool domain passwordsettings to disable any
> > restrictions, such as minimum password age, and password complexity.
>
> This is a local setting on each DC. Have you set it on all of your Samba
> DCs?

To be clear, this one isn't. Password policies are stored in the directory.

> For Windows DCs this setting is managed using GPOs and each DC applies
> this setting. However, Samba is currently not able to process GPOs. For
> this reason this feature was implemented in samba-tool, but needs to be
> set on each DC.

BTW, patches to help fix this have been published, and I'm working with their author on a review for a new set.

In short, watch this space, we may be able to address this issue for 4.7 or 4.8!

Andrew Bartlett

--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
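The Windows error quoted in this thread covers several separate policy checks. The following is an added example, not code from any poster or from Samba: it parses constructed `samba-tool domain passwordsettings show` output and reports which rule a given user-initiated change would trip. The output layout, the user name `jdoe`, the function names and the simplified complexity rule are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `samba-tool domain passwordsettings show` output.
# Layout is assumed; the values are illustrative, not taken from the thread.
SAMPLE_SHOW = """\
Password informations for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
"""

def parse_settings(text):
    """Turn 'Key: value' lines into a dict, converting numbers to int."""
    out = {}
    for key, val in re.findall(r"^([^:\n]+):[ \t]*(\S+)[ \t]*$", text, re.M):
        out[key.strip()] = int(val) if val.isdigit() else val
    return out

def reject_reasons(cfg, user, new_pw, last_set, now, old_pws=()):
    """List each rule a user-initiated change would trip (simplified model)."""
    reasons = []
    if len(new_pw) < cfg["Minimum password length"]:
        reasons.append("length")
    if cfg["Password complexity"] == "on":
        # Simplified rule: 3 of 4 character classes, account name not embedded.
        classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
        hits = sum(bool(re.search(c, new_pw)) for c in classes)
        if hits < 3 or (len(user) >= 3 and user.lower() in new_pw.lower()):
            reasons.append("complexity")
    n = cfg["Password history length"]
    # A real DC compares stored hashes; plaintext old_pws stand in for that here.
    if n and new_pw in list(old_pws)[-n:]:
        reasons.append("history")
    # Minimum age is measured from when the password was last set.
    if now - last_set < timedelta(days=cfg["Minimum password age (days)"]):
        reasons.append("minimum age")
    return reasons

if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_SHOW)
    now = datetime(2017, 6, 5, 9, 0)  # constructed timestamps
    print(reject_reasons(cfg, "jdoe", "Passw0rd", now - timedelta(hours=2), now))
```

With these sample settings, a password that satisfies length and complexity is still rejected when it was last set less than a day earlier, and the client shows the same message for that case.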