Ken McDonald
2018-Jan-18 14:22 UTC
[Samba] Changing expired Samba AD password during Windows login
Hi, thanks for your help. Your suggestion makes sense, however I think there should be some way for users to be able to change an expired password from login dialogue.
Actually I had a problem doing this previously with NT4 style Samba domain and never looked into a resolution.
Now that I've found Samba does AD style domain, I'm excited to use it in several customer locations.
Since I can't find any info in the Samba documentation about a known problem or FAQ about expired password during Windows OS login, I figured it's /supposed/ to work.

-------- Original message --------
From: Harsh Kukreja <h.kukreja at ium.edu.na>
Date: 01/18/2018 8:43 AM (GMT-05:00)
To: Ken McDonald <ken at generation.tech>
Cc: Luke Barone <lukebarone at gmail.com>, samba <samba at lists.samba.org>
Subject: Re: [Samba] Changing expired Samba AD password during Windows login

Hi Ken

I was experiencing a similar problem with the passwords a few days back when the staff resumed work after a month's vacation. The clients are Windows 7 PCs which were failing to log in with the error "The password for this account has expired" even after a password reset from RSAT.

Solutions which worked for me: When you are resetting the user password, uncheck the option to change password on next login, which means the user can log in with the new password and later they can change it from the ctrl+alt+del menu.

To reset the user password without checking to change password on next login you can use the below command line:

    samba-tool user setpassword --filter=samaccountname=username --newpassword=password

or you can also use the command below to reset the user password if you remember the old password:

    kpasswd username

Also you can change password settings on Samba 4 using the commands below:

    samba-tool domain passwordsettings set --history-length=0
    samba-tool domain passwordsettings set --min-pwd-age=0
    samba-tool domain passwordsettings set --max-pwd-age=90

Thanks n Regards

Harsh Kukreja
Systems Administrator
International University of Namibia
Tel: 061-4336000 - E-mail: h.kukreja at ium.edu.na - Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA

On Thu, Jan 18, 2018 at 5:48 AM, Ken McDonald via samba <samba at lists.samba.org> wrote:
> On win8.1 & srv2012r2 it is "The password for this account has expired"
>
> On 01/17/2018 10:44 PM, Luke Barone wrote:
>> (Remember to reply all)
>>
>> What error message, *specifically*, comes up when the user with the
>> expired password attempts to change it?
>>
>> On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken at generation.tech> wrote:
>>> To test, I use a desktop OS (win8.1) with rsat installed to create
>>> a new user with ADUC and set the "user must change password at
>>> next logon" OR for an existing user, with ADUC under "Account"
>>> tab, check "user must change password at next logon."
>>>
>>> Then, when the test user actually logs in to a Windows OS (I've
>>> tested win8.1 and srv2012r2), they get a message like "your
>>> password has expired and must be changed." When "ok" is clicked,
>>> they get a prompt to enter old password, and new password x2.
>>> Entering all of those correctly, including complexity
>>> requirements, does not work and that is my problem. They get an
>>> immediate repeat of the "the password for this account has
>>> expired" and the process starts all over.
>>>
>>> However, if for a non-expired user, they log in successfully and
>>> choose cntl-alt-del they can successfully change their password.
>>>
>>> On 01/17/2018 10:27 PM, Luke Barone wrote:
>>>> Are you trying to reset with the rsat tools, or the command line?
>>>> What issue is happening when you try to set it?
>>>>
>>>> On Jan 17, 2018 7:14 PM, "Ken McDonald via samba"
>>>> <samba at lists.samba.org> wrote:
>>>>> I'm running a Samba AD 4.7.4 and cannot set a new password
>>>>> for a user with an expired password during login from a
>>>>> Windows PC. Changing a password from inside a login with
>>>>> cntl-alt-del "change password" works ok.
>>>>>
>>>>> I've already decreased the minimum password age to 0
>>>>>
>>>>> samba-tool domain passwordsettings show
>>>>>
>>>>>     Password complexity: on
>>>>>     Store plaintext passwords: off
>>>>>     Password history length: 24
>>>>>     Minimum password length: 7
>>>>>     Minimum password age (days): 0
>>>>>     Maximum password age (days): 42
>>>>>     Account lockout duration (mins): 30
>>>>>     Account lockout threshold (attempts): 0
>>>>>     Reset account lockout after (mins): 30
>>>>>
>>>>> My Samba install is brand new and the Windows PC is a clean
>>>>> test PC. I'm running on Ubuntu 16.04.3 and had to compile
>>>>> from source Samba 4.7.4 after compiling from source krb5
>>>>> 1.15.2. All other build dependencies came from default Ubuntu
>>>>> 16.04.3 repos
>>>>>
>>>>> smb.conf
>>>>>
>>>>>     # Global parameters
>>>>>     [global]
>>>>>         dns forwarder = xxx.xxx.xxx.xxx
>>>>>         netbios name = DCNAME
>>>>>         realm = DOMAINNAME.DOMAIN.COM
>>>>>         server role = active directory domain controller
>>>>>         workgroup = DOMAINNAME
>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>
>>>>>         log level = 5
>>>>>
>>>>>     [netlogon]
>>>>>         path = /usr/local/samba/var/locks/sysvol/domainname.domain.com/scripts
>>>>>         read only = No
>>>>>
>>>>>     [sysvol]
>>>>>         path = /usr/local/samba/var/locks/sysvol
>>>>>         read only = No

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
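The message above describes two different ways an account ends up at the "password has expired" prompt: the "user must change password at next logon" checkbox, and a password older than the maximum age. The code below is an added example, not part of the original thread or of Samba; it parses the `passwordsettings show` output quoted above and classifies an account from its `pwdLastSet` and `userAccountControl` attributes. The function names are hypothetical and the sample timestamps in any call are constructed by the caller.

```python
from datetime import datetime, timedelta, timezone

# Policy text as quoted in the thread (embedded so the example runs offline).
POLICY_TEXT = """\
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: password never expires
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_policy(text):
    """Turn 'Key: value' lines into a dict, converting digit strings to int."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue              # skip blank or malformed lines
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy


def to_filetime(dt):
    """Hypothetical helper: aware datetime -> 100 ns ticks since 1601-01-01."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def password_state(pwd_last_set, uac, policy, now):
    """Classify an account the way AD computes password expiry."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"    # the flag takes precedence over pwdLastSet
    if pwd_last_set == 0:
        # "User must change password at next logon" stores pwdLastSet = 0.
        return "must-change-at-next-logon"
    max_age = policy["Maximum password age (days)"]
    if max_age == 0:
        return "valid"            # a maximum age of 0 disables ageing
    changed = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    if now > changed + timedelta(days=max_age):
        return "expired-by-age"
    return "valid"
```

An account reported as `must-change-at-next-logon` was flagged by an administrator rather than aged out, which is the case the poster reproduces with ADUC.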
lingpanda101
2018-Jan-18 15:13 UTC
[Samba] Changing expired Samba AD password during Windows login
On 1/18/2018 9:22 AM, Ken McDonald via samba wrote:
> Hi, thanks for your help. Your suggestion makes sense, however I think
> there should be some way for users to be able to change an expired
> password from login dialogue.
> Actually I had a problem doing this previously with NT4 style Samba
> domain and never looked into a resolution.
> Now that I've found Samba does AD style domain, I'm excited to use it
> in several customer locations.
> Since I can't find any info in the Samba documentation about a known
> problem or FAQ about expired password during Windows OS login, I
> figured it's /supposed/ to work.

I've had this issue sporadically as well from time to time. I've found that once the user changes his/her password, when the process restarts, cancel the subsequent try. Choose switch user, other user and try logging in with the new password. Make sure you switch other user and retype the username. This has worked but is annoying.

--
James
Ken McDonald
2018-Jan-20 14:38 UTC
[Samba] Changing expired Samba AD password during Windows login
Thanks for the suggestion but it didn't help in my situation. Odd.

On 01/18/2018 10:13 AM, lingpanda101 wrote:
> I've had this issue sporadically as well from time to time. I've
> found that once the user changes his/her password, when the process
> restarts, cancel the subsequent try. Choose switch user, other user and
> try logging in with the new password. Make sure you switch other user
> and retype the username. This has worked but is annoying.