Philippe LeCavalier
2021-Nov-01 14:30 UTC
[Samba] Password policy for user-managed passwords
On Mon, Nov 1, 2021 at 10:10 AM mj via samba <samba at lists.samba.org> wrote:

> Perhaps your issue is described here:
>
> > There are two possible ways to modify the unicodePwd attribute. The
> > first is similar to a normal user change password operation. In this
> > case, the modify request must contain both a delete and an add
> > operation. The delete operation must contain the current password
> > with quotes around it. The add operation must contain the desired new
> > password with quotes around it.
> >
> > The second way to modify this attribute is analogous to an
> > administrator resetting a password for a user. In order to do this,
> > the client must bind as a user with sufficient permissions to modify
> > another user's password. This modify request should contain a single
> > replace operation with the new desired password surrounded by quotes.
> > If the client has sufficient permissions, this password becomes the
> > new password, regardless of what the old password was.
>
> Read more here:
>
> https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password
>
> MJ
>

If that were to be the case a newly created account would experience the same issue but it doesn't. New users can CTRL+ALT+DEL and change their passwords. I wonder if it might have to do with the particular user having the setexpiry to 0? I'll try setting it to 90 and see if she can change it.

Philippe LeCavalier
2021-Nov-01 16:34 UTC
[Samba] Password policy for user-managed passwords
On Mon, Nov 1, 2021 at 10:30 AM Philippe LeCavalier <support at plecavalier.com> wrote:

> On Mon, Nov 1, 2021 at 10:10 AM mj via samba <samba at lists.samba.org>
> wrote:
>
>> Perhaps your issue is described here:
>>
>> > There are two possible ways to modify the unicodePwd attribute. The
>> > first is similar to a normal user change password operation. In this
>> > case, the modify request must contain both a delete and an add
>> > operation. The delete operation must contain the current password
>> > with quotes around it. The add operation must contain the desired new
>> > password with quotes around it.
>> >
>> > The second way to modify this attribute is analogous to an
>> > administrator resetting a password for a user. In order to do this,
>> > the client must bind as a user with sufficient permissions to modify
>> > another user's password. This modify request should contain a single
>> > replace operation with the new desired password surrounded by quotes.
>> > If the client has sufficient permissions, this password becomes the
>> > new password, regardless of what the old password was.
>>
>> Read more here:
>>
>> https://docs.microsoft.com/en-us/troubleshoot/windows/win32/change-windows-active-directory-user-password
>>
>> MJ
>>
> If that were to be the case a newly created account would experience the
> same issue but it doesn't. New users can CTRL+ALT+DEL and change their
> passwords. I wonder if it might have to do with the particular user having
> the setexpiry to 0? I'll try setting it to 90 and see if she can change it.
>

Now that I think of it more, I may have the issue but I need help getting to the solution. This user account was most likely created using the GUI (RSAT) and the 'user cannot change password' bit set. Whenever possible I use samba-tool and have found that I haven't even touched RSAT for quite a while. If there is no way to revert that setting via CLI then I'll have to get back into RSAT.

So my question now is, can I change that setting in samba-tool or some other CLI-based way?
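
The two unicodePwd modify requests described in the text quoted in this thread, written out as LDIF. This is an added example, not part of the original messages or of Samba's code; the function names, the DN and the passwords are constructed for illustration.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    # unicodePwd takes the password wrapped in double quotes, as UTF-16LE bytes.
    return ('"' + password + '"').encode("utf-16-le")

def pwd_line(password: str) -> str:
    # "::" marks a base64 value in LDIF; required because the value is binary.
    encoded = base64.b64encode(encode_unicode_pwd(password))
    return "unicodePwd:: " + encoded.decode("ascii")

def dn_line(dn: str) -> str:
    # Conservative check: anything that is not a plain LDIF string goes out as base64.
    plain = dn.isascii() and dn == dn.strip() and dn[:1] not in (":", "<")
    if plain and "\n" not in dn and "\r" not in dn:
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")

def change_password_ldif(dn: str, old: str, new: str) -> str:
    # First way: a user changing their own password.
    # One modify request carrying a delete of the old value and an add of the new.
    return "\n".join([
        dn_line(dn),
        "changetype: modify",
        "delete: unicodePwd",
        pwd_line(old),
        "-",
        "add: unicodePwd",
        pwd_line(new),
        "-",
        "",
    ])

def reset_password_ldif(dn: str, new: str) -> str:
    # Second way: an administrative reset.
    # A single replace; the old password is not supplied and not checked.
    return "\n".join([
        dn_line(dn),
        "changetype: modify",
        "replace: unicodePwd",
        pwd_line(new),
        "-",
        "",
    ])

if __name__ == "__main__":
    user = "CN=Test User,CN=Users,DC=example,DC=com"  # constructed sample DN
    print(change_password_ldif(user, "Old-Pass1", "New-Pass2"))
    print(reset_password_ldif(user, "New-Pass2"))
```

Active Directory accepts writes to unicodePwd only over an encrypted LDAP connection, so either request has to be sent over LDAPS or an otherwise encrypted session.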