Ken McDonald
2018-Jan-20 14:39 UTC
[Samba] Changing expired Samba AD password during Windows login
Thanks for the help, however I don't think your suggestion applies in my case. On a fresh install of Samba 4.7.4 AD you cannot change a user password on a logged in PC through Ctrl-Alt-Del -> ChangePassword because the default MinAge is 1 day. I had to use the "samba-tool domain passwordsettings set --min-pwd-age=0" command to make the logged-on style of password change work.

All that remains is getting the PasswordChange "during login" to work.

Maybe I don't understand your suggestion. What GPO should I adjust so that a domain user can change their own expired password when they log into a domain-connected Windows desktop OS?

On 01/19/2018 04:31 AM, Marco Gaiarin via samba wrote:
> Hello! Ken McDonald via samba
>   On that day it was said...
>
>> I'm running a Samba AD 4.7.4 and cannot set a new password for a user with
>> an expired password during login from a Windows PC. Changing a password from
>> inside a login with cntl-alt-del "change password" works ok.
> [...]
>> samba-tool domain passwordsettings show
>
> Have you set the GPOs?
>
> 'samba-tool domain passwordsettings' works, as a ''global policy'', for
> samba domain controller only.
> For clients (and windows domain members, in general) you have to set
> the same policy in GPO.
>
> Last announcement of 4.8 beta seems this has been 'fixed', e.g. also
> samba domain controllers now obey GPO policy.
Marco Gaiarin
2018-Jan-22 09:17 UTC
[Samba] Changing expired Samba AD password during Windows login
Hello! Ken McDonald via samba
  On that day it was said...

> Thanks for the help, however I don't think your suggestion applies in my
> case. On a fresh install of Samba 4.7.4 AD you cannot change a user password
> on a logged in PC through cntl-alt-del -> ChangePassword because the default
> MinAge is 1 days. I had to use the "samba-tool domain passwordsettings set
> --min-pwd-age=0" command to make the logged-on style of password change
> work.

Policies have that default, AFAIK.

> Maybe I don't understand your suggestion. What GPO should I adjust so that a
> domain user can change their own expired password when they log into a
> domain-connected Windows desktop OS?

Something like this:

  http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Ken McDonald
2018-Jan-29 12:49 UTC
[Samba] Changing expired Samba AD password during Windows login
Ok, so I tried all the suggestions without success.

Unless I hear back from someone saying it is NOT possible for a user to change an expired password during login from a Domain account on a Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev release), then I will proceed with more in-depth troubleshooting, log file debugging, and mock-up VMs in order to determine what is happening.

Effectively for me, Samba AD is unusable unless users can change an expired password during login like they can when running on a pure Windows Server AD domain.

Thanks to everyone (anyone?) for their assistance!