Ken McDonald
2018-Jan-20 14:39 UTC
[Samba] Changing expired Samba AD password during Windows login
Thanks for the help, however I don't think your suggestion applies in my case. On a fresh install of Samba 4.7.4 AD you cannot change a user password on a logged in PC through cntl-alt-del -> ChangePassword because the default MinAge is 1 days. I had to use the "samba-tool domain passwordsettings set --min-pwd-age=0" command to make the logged-on style of password change work. All that remains is getting the PasswordChange "during login" to work. Maybe I don't understand your suggestion. What GPO should I adjust so that a domain user can change their own expired password when they log into a domain-connected Windows desktop OS? On 01/19/2018 04:31 AM, Marco Gaiarin via samba wrote:> Mandi! Ken McDonald via samba > In chel di` si favelave... > >> I'm running a Samba AD 4.7.4 and cannot set a new password for a user with >> an expired password during login from a Windows PC. Changing a password from >> inside a login with cntl-alt-del "change password" works ok. > [...] >> samba-tool domain passwordsettings show > Have you set the GPOs? > > 'samba-tool domain passwordsettings' works, as a ''global policy'', for > samba domain controller only. > For clients (and windows domain members, in general) you have to set > the same policy in GPO. > > > Last announcment of 4.8 beta seems this have been 'fixed', eg also > samba domain controllers now obey to GPOs policy. >
Marco Gaiarin
2018-Jan-22 09:17 UTC
[Samba] Changing expired Samba AD password during Windows login
Mandi! Ken McDonald via samba In chel di` si favelave...> Thanks for the help, however I don't think your suggestion applies in my > case. On a fresh install of Samba 4.7.4 AD you cannot change a user password > on a logged in PC through cntl-alt-del -> ChangePassword because the default > MinAge is 1 days. I had to use the "samba-tool domain passwordsettings set > --min-pwd-age=0" command to make the logged-on style of password change > work.Policies have that default, AFAIK.> Maybe I don't understand your suggestion. What GPO should I adjust so that a > domain user can change their own expired password when they log into a > domain-connected Windows desktop OS?Something like this: http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/ -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Ken McDonald
2018-Jan-29 12:49 UTC
[Samba] Changing expired Samba AD password during Windows login
Ok, so I tried all the suggestions without success. Unless I hear back from someone saying it is NOT possible for a user to change an expired password during login from a Domain account on a Samba 4.7.4 AD domain (only 1 DC, and I also tried latest dev release), then I will proceed with more in-depth troubleshooting, log file debugging, and mock-up VM's in order to determine what is happening. Effectively for me, Samba AD is unusable unless users can change an expired password during login like they can when running on a pure Windows Server AD domain. Thanks for everyone (anyone?) and their assistance!
Possibly Parallel Threads
- Changing expired Samba AD password during Windows login
- Changing expired Samba AD password during Windows login
- Changing expired Samba AD password during Windows login
- Classic upgrade and forced password change...
- Some hint reading password expiration data...