On Mon, 24 Sep 2018 20:23:06 GMT
Torin Woltjer via samba <samba at lists.samba.org> wrote:
> Currently running multiple active directory domain controllers on
> OpenSUSE Leap 15 with Samba 4.7.8
>
> I'm running into an issue where users cannot change their own
> passwords. On a domain joined Windows laptop logged in as
> Administrator, trying to change the password results in an error: The
> user name or password is incorrect, Try again. At the same time in
> the systemd journal for samba-ad-dc, the following error is
> displayed:
>
> Sep 24 20:04:47 samba[24287]: [2018/09/24 20:04:47.142474, 0] ../source4/kdc/kpasswd-service.c:244(kpasswd_process)
> Sep 24 20:04:47 samba[24287]: kpasswd_process: gensec_unwrap failed - NT_STATUS_ACCESS_DENIED
>
> My smb.conf is fairly ordinary.
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8
> interfaces = tun0 lo
> netbios name =***********
> realm = *****.LOCAL
> server role = active directory domain controller
> workgroup = BWLCS
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/*****.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Torin Woltjer
>
> Grand Dial Communications - A ZK Tech Inc. Company
>
> 616.776.1066 ext. 2006
> www.granddial.com
>
>
Is this with MIT as the KDC?
If so, it seems to be a known bug.
If it is MIT and these are DCs in production, then can I suggest you
migrate to Heimdal instead of MIT; the use of MIT is experimental.
Rowland