Patrick Goetz
2021-Oct-31 13:23 UTC
[Samba] `samba-tool user create --must-change-at-next-login my_user` doesn't appear to work on W10
Thanks, Roland. I always appreciate your help. I tried it both ways (with option before and after the new user name). Same outcome.

But I figured out what was going wrong. The command line order of the option doesn't matter. I was creating users like this:

# samba-tool user create dilbert --must-change-at-next-login
# samba-tool user setexpiry dilbert --noexpiry

Setting the password expiration to no expiration seems to interfere with the reset password requirement.

If I just create a user like this:

# samba-tool user create dolbert --must-change-at-next-login
or
# samba-tool user create --must-change-at-next-login dulbert

Then W10 demands a password change before allowing the user to log in.

On the one hand I can see why this might work this way, but it's not logically correct. Requiring a change of password on first login is entirely independent of whether passwords should expire or not.

On 10/31/21 04:10, Rowland Penny via samba wrote:
> On Sat, 2021-10-30 at 17:32 -0500, Patrick Goetz via samba wrote:
>> I created a user my_user as so:
>>
>> samba-tool user create --must-change-at-next-login my_user
>>
>> But in logging in on a domain-joined Windows 10 machine as my_user, it
>> never asked me to change my password. I tried logging out and logging
>> back in multiple times.
>>
>> Am I missing some trick?
>
> The usage is samba-tool user create <username> [<password>] [options]
> You appear to have used: samba-tool user create [options] <username>
> Not sure if this has any bearing though. Ultimately adding
> --must-change-at-next-login sets the user's pwdLastSet attribute to 0,
> so you could check if this is happening.
>
> Rowland
Rowland Penny
2021-Oct-31 13:35 UTC
[Samba] `samba-tool user create --must-change-at-next-login my_user` doesn't appear to work on W10
On Sun, 2021-10-31 at 08:23 -0500, Patrick Goetz via samba wrote:
> Thanks, Roland. I always appreciate your help. I tried it both ways
> (with option before and after the new user name). Same outcome.
>
> But I figured out what was going wrong. The command line order of the
> option doesn't matter. I was creating users like this:
>
> # samba-tool user create dilbert --must-change-at-next-login
> # samba-tool user setexpiry dilbert --noexpiry
>
> Setting the password expiration to no expiration seems to interfere
> with the reset password requirement.
>
> If I just create a user like this:
>
> # samba-tool user create dolbert --must-change-at-next-login
> or
> # samba-tool user create --must-change-at-next-login dulbert
>
> Then W10 demands a password change before allowing the user to log in.
>
> On the one hand I can see why this might work this way, but it's not
> logically correct. Requiring a change of password on first login is
> entirely independent of whether passwords should expire or not.

If you think it is illogical, take that up with Microsoft. You are basically saying 'Expire this user's password, but never expire this user's password'.

Rowland
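
The following is an added example, not part of the thread and not Samba's own code: a small audit that reads LDIF (as printed by `ldbsearch` or `ldapsearch`) and flags accounts where `pwdLastSet: 0` is set together with the "password never expires" bit, the combination the thread found does not force a change at login. It assumes that `setexpiry --noexpiry` shows up as the `UF_DONT_EXPIRE_PASSWD` bit (0x10000) in `userAccountControl`; the DNs and attribute values in the sample are constructed.

```python
# Assumption: "password never expires" is visible as this userAccountControl bit.
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample shaped like ldbsearch/ldapsearch LDIF output.
SAMPLE_LDIF = """\
dn: CN=dilbert,CN=Users,DC=example,DC=com
sAMAccountName: dilbert
userAccountControl: 66048
pwdLastSet: 0

dn: CN=dolbert,CN=Users,DC=example,DC=com
sAMAccountName: dolbert
userAccountControl: 512
pwdLastSet: 0

dn: CN=wally,CN=Users,DC=example,DC=com
sAMAccountName: wally
userAccountControl: 512
pwdLastSet: 132801234567890000
"""

def parse_ldif(text):
    """Split LDIF into one dict per entry (single-valued attributes only)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ": " not in line:
            continue                  # skip comments and continuation lines
        key, value = line.split(": ", 1)
        current[key] = value
    if current:
        entries.append(current)
    return entries

def classify(entry):
    """Report whether a pending forced password change will actually be enforced."""
    uac = int(entry.get("userAccountControl", "0"))
    must_change = entry.get("pwdLastSet") == "0"
    never_expires = bool(uac & UF_DONT_EXPIRE_PASSWD)
    if must_change and never_expires:
        return "conflict"             # change requested, but the password can never expire
    return "change-enforced" if must_change else "no-change-pending"

def audit(text):
    return {e["sAMAccountName"]: classify(e) for e in parse_ldif(text)}

if __name__ == "__main__":
    for user, state in audit(SAMPLE_LDIF).items():
        print(f"{user}: {state}")
```

Accounts reported as `conflict` are the ones to fix, since users on them keep logging in with the initial password an administrator assigned.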