Ken McDonald
2018-Jan-18 03:01 UTC
[Samba] Changing expired Samba AD password during Windows login
I'm running a Samba AD 4.7.4 and cannot set a new password for a user with an expired password during login from a Windows PC. Changing a password from inside a login with Ctrl-Alt-Del "change password" works OK.

I've already decreased the minimum password age to 0:

    samba-tool domain passwordsettings show

    Password complexity: on
    Store plaintext passwords: off
    Password history length: 24
    Minimum password length: 7
    Minimum password age (days): 0
    Maximum password age (days): 42
    Account lockout duration (mins): 30
    Account lockout threshold (attempts): 0
    Reset account lockout after (mins): 30

My Samba install is brand new and the Windows PC is a clean test PC. I'm running on Ubuntu 16.04.3 and had to compile Samba 4.7.4 from source after compiling krb5 1.15.2 from source. All other build dependencies came from the default Ubuntu 16.04.3 repos.

smb.conf:

    # Global parameters
    [global]
        dns forwarder = xxx.xxx.xxx.xxx
        netbios name = DCNAME
        realm = DOMAINNAME.DOMAIN.COM
        server role = active directory domain controller
        workgroup = DOMAINNAME
        idmap_ldb:use rfc2307 = yes

        log level = 5

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/domainname.domain.com/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
Luke Barone
2018-Jan-18 03:27 UTC
[Samba] Changing expired Samba AD password during Windows login
Are you trying to reset with the RSAT tools, or the command line? What issue is happening when you try to set it?

On Jan 17, 2018 7:14 PM, "Ken McDonald via samba" <samba at lists.samba.org> wrote:

> I'm running a Samba AD 4.7.4 and cannot set a new password for a user with
> an expired password during login from a Windows PC. Changing a password
> from inside a login with Ctrl-Alt-Del "change password" works OK.
>
> I've already decreased the minimum password age to 0
> [...]
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Luke Barone
2018-Jan-18 03:44 UTC
[Samba] Changing expired Samba AD password during Windows login
(Remember to reply all)

What error message, *specifically*, comes up when the user with the expired password attempts to change it?

On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken at generation.tech> wrote:

> To test, I use a desktop OS (Win 8.1) with RSAT installed to create a new
> user with ADUC and set "user must change password at next logon", OR, for
> an existing user, with ADUC under the "Account" tab, check "user must
> change password at next logon."
>
> Then, when the test user actually logs in to a Windows OS (I've tested
> Win 8.1 and Srv 2012 R2), they get a message like "your password has
> expired and must be changed." When "OK" is clicked, they get a prompt to
> enter the old password, and the new password x2. Entering all of those
> correctly, including complexity requirements, does not work and that is my
> problem. They get an immediate repeat of "the password for this account
> has expired" and the process starts all over.
>
> However, for a non-expired user, they log in successfully, choose
> Ctrl-Alt-Del and can successfully change their password.
>
> On 01/17/2018 10:27 PM, Luke Barone wrote:
>
>> Are you trying to reset with the RSAT tools, or the command line? What
>> issue is happening when you try to set it?
>> [...]
Ken McDonald
2018-Jan-18 03:48 UTC
[Samba] Changing expired Samba AD password during Windows login
On Win 8.1 & Srv 2012 R2 it is "The password for this account has expired".

On 01/17/2018 10:44 PM, Luke Barone wrote:

> (Remember to reply all)
>
> What error message, *specifically*, comes up when the user with the
> expired password attempts to change it?
> [...]
Marco Gaiarin
2018-Jan-19 09:31 UTC
[Samba] Changing expired Samba AD password during Windows login
Mandi! Ken McDonald via samba wrote:

> I'm running a Samba AD 4.7.4 and cannot set a new password for a user with
> an expired password during login from a Windows PC. Changing a password from
> inside a login with Ctrl-Alt-Del "change password" works OK.
[...]
> samba-tool domain passwordsettings show

Have you set the GPOs?

'samba-tool domain passwordsettings' works, as a "global policy", for the Samba domain controller only. For clients (and Windows domain members in general) you have to set the same policy in a GPO.

The last announcement of the 4.8 beta suggests this has been "fixed", i.e. Samba domain controllers now also obey the GPO policy.

--
dott. Marco Gaiarin                                   GNUPG Key ID: 240A3D66
Associazione "La Nostra Famiglia"                http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
Ken McDonald
2018-Jan-20 14:39 UTC
[Samba] Changing expired Samba AD password during Windows login
Thanks for the help, however I don't think your suggestion applies in my case.

On a fresh install of Samba 4.7.4 AD you cannot change a user password on a logged-in PC through Ctrl-Alt-Del -> Change Password because the default MinAge is 1 day. I had to use

    samba-tool domain passwordsettings set --min-pwd-age=0

to make the logged-on style of password change work. All that remains is getting the password change "during login" to work.

Maybe I don't understand your suggestion. What GPO should I adjust so that a domain user can change their own expired password when they log into a domain-connected Windows desktop OS?

On 01/19/2018 04:31 AM, Marco Gaiarin via samba wrote:

> Mandi! Ken McDonald via samba wrote:
>
>> I'm running a Samba AD 4.7.4 and cannot set a new password for a user with
>> an expired password during login from a Windows PC. Changing a password from
>> inside a login with Ctrl-Alt-Del "change password" works OK.
> [...]
>> samba-tool domain passwordsettings show
>
> Have you set the GPOs?
>
> 'samba-tool domain passwordsettings' works, as a "global policy", for
> the Samba domain controller only. For clients (and Windows domain
> members in general) you have to set the same policy in a GPO.
>
> The last announcement of the 4.8 beta suggests this has been "fixed",
> i.e. Samba domain controllers now also obey the GPO policy.
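As an added example, not code from the thread or from the Samba project: the attribute arithmetic behind the policy values discussed above, in Python. The domain's maxPwdAge and minPwdAge are stored as negative counts of 100-ns ticks (samba-tool prints them as days), pwdLastSet is a Windows FILETIME (ticks since 1601-01-01 UTC), ADUC's "User must change password at next logon" writes pwdLastSet = 0, and the "Password never expires" checkbox is the 0x10000 bit of userAccountControl. The function names, the handling of the "never expires" sentinel, and the sample timestamps are assumptions constructed for illustration; the decision rules are modelled on the documented Windows semantics (a mandatory change is not blocked by the minimum age), which is the behaviour the poster expects from the DC.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND

# userAccountControl bits (UF_NORMAL_ACCOUNT is what a plain user carries).
UF_NORMAL_ACCOUNT = 0x200
UF_DONT_EXPIRE_PASSWD = 0x10000  # "Password never expires" checkbox in ADUC

# Assumed sentinel: maxPwdAge of 0x8000000000000000 (as signed int64) means the
# domain never expires passwords; samba-tool prints that as 0 days.
NEVER = -(2 ** 63)


def max_age_from_days(days: int) -> int:
    """'Maximum password age (days)' as shown by samba-tool -> stored maxPwdAge."""
    return NEVER if days == 0 else -days * TICKS_PER_DAY


def min_age_from_days(days: int) -> int:
    """'Minimum password age (days)' -> stored minPwdAge (0 days is stored as 0)."""
    return -days * TICKS_PER_DAY


def age_to_days(age: int) -> int:
    """Inverse of the two helpers above, i.e. what samba-tool displays."""
    return 0 if age == NEVER else -age // TICKS_PER_DAY


def to_filetime(dt: datetime) -> int:
    """Exact integer conversion of an aware datetime to FILETIME ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_state(pwd_last_set, user_account_control, max_pwd_age, min_pwd_age, now):
    """Return (state, change_allowed) for one account under the domain policy.

    state: 'must_change' (pwdLastSet == 0), 'expired' (older than maxPwdAge) or 'ok'.
    change_allowed: whether a *user-initiated* change (Ctrl-Alt-Del, or the change
    forced at logon) passes minPwdAge. An administrative reset ignores minPwdAge.
    Assumption: Windows semantics, where a mandatory change is never blocked by
    the minimum age.
    """
    if pwd_last_set == 0:
        return "must_change", True
    age = max(0, to_filetime(now) - pwd_last_set)  # clamp clock skew to "just set"
    never_expires = bool(user_account_control & UF_DONT_EXPIRE_PASSWD) or max_pwd_age == NEVER
    expired = (not never_expires) and age >= -max_pwd_age
    change_allowed = expired or age >= -min_pwd_age
    return ("expired" if expired else "ok"), change_allowed


def demo():
    """Constructed scenarios mirroring the thread (sample timestamps, not real data)."""
    now = datetime(2018, 1, 18, 3, 0, tzinfo=timezone.utc)
    default_policy = dict(max_pwd_age=max_age_from_days(42), min_pwd_age=min_age_from_days(1))
    relaxed_policy = dict(max_pwd_age=max_age_from_days(42), min_pwd_age=min_age_from_days(0))
    set_three_hours_ago = to_filetime(now - timedelta(hours=3))
    set_43_days_ago = to_filetime(now - timedelta(days=43))
    return {
        # Fresh account, default 1-day minimum age: the Ctrl-Alt-Del change is refused.
        "fresh_default": password_state(set_three_hours_ago, UF_NORMAL_ACCOUNT, now=now, **default_policy),
        # Same account after 'samba-tool domain passwordsettings set --min-pwd-age=0'.
        "fresh_relaxed": password_state(set_three_hours_ago, UF_NORMAL_ACCOUNT, now=now, **relaxed_policy),
        # ADUC "User must change password at next logon": pwdLastSet is 0.
        "must_change": password_state(0, UF_NORMAL_ACCOUNT, now=now, **default_policy),
        # Password older than the 42-day maximum: expired, and the change must go through.
        "aged_out": password_state(set_43_days_ago, UF_NORMAL_ACCOUNT, now=now, **default_policy),
        # Same age, but "Password never expires" set on the account.
        "never_expires": password_state(set_43_days_ago, UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
                                        now=now, **default_policy),
        # Well-known constant (1970-01-01 as FILETIME), a sanity check of the conversion.
        "unix_epoch_ticks": to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc)),
        "roundtrip_ok": from_filetime(to_filetime(now)) == now,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>18}: {result}")
```

The "fresh_default" and "fresh_relaxed" cases are the two situations the poster describes: with the shipped 1-day minimum the self-service change is refused, with the minimum set to 0 it succeeds. The "must_change" case is what the DC has to honour for the at-logon change; comparing a real account's pwdLastSet, userAccountControl and the domain's maxPwdAge/minPwdAge against these rules (e.g. via `samba-tool user show` and an LDAP read of the domain object) is the quickest way to tell a policy problem from a protocol one.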