Pluess, Tobias
2023-Sep-25 09:54 UTC
[Samba] Samba AD DC: users cannot change expired passwords
Hi all,

I am running a Samba AD DC (version 4.18.6). It basically works very well. However, when testing, I found the following issue:

I create a new user account in AD, provide an initial password and set "user must change the password at the next login". I have only a Windows 10 machine to test, so I am going to the Windows 10 machine and try to log in with the newly created user account and initial password. Windows then correctly displays "the password is expired" and provides a dialog to enter the new password. However, when the new password is entered and confirmed with "OK", I get again the message "the password is expired". No matter what, I cannot get around this message and the newly created user is never able to log in.

Further, what is even more strange is that I can even get the message about the expired password when I enter something completely different than the initial password. I can essentially enter anything, even a blank password, and get the message "the password is expired" and I am never able to change it.

Only when I log in as the domain admin can I reset the user's password.

I already changed password history and min-password-age and so on to 0, but it still does not yet work. However, luckily, users are able to change their own password using ctrl+alt+delete. However, why does it not work during login?

I have already seen other people had similar issues on Windows 10, but I didn't find out if anybody ever found a solution to this problem.

I am happy for any hints.

Thanks,
best
Tobias
Kees van Vloten
2023-Sep-25 11:19 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On 25-09-2023 at 11:54, Pluess, Tobias via samba wrote:
> Hi all,
> I am running a Samba AD DC (version 4.18.6). It basically works very well.
> However, when testing, I found the following issue:
>
> I create a new user account in AD, provide an initial password and set
> "user must change the password at the next login".
> I have only a Windows 10 machine to test, so I am going to the Windows 10
> machine and try to log in with the newly created user account and initial
> password. Windows then correctly displays "the password is expired" and
> provides a dialog to enter the new password. However, when the new password
> is entered and confirmed with "OK", I get again the message "the password
> is expired". No matter what, I cannot get around this message and the newly
> created user is never able to log in.
> Further, what is even more strange is that I can even get the message
> about the expired password when I enter something completely different than
> the initial password. I can essentially enter anything, even a blank
> password, and get the message "the password is expired" and I am never
> able to change it.
>
> Only when I log in as the domain admin can I reset the user's password.
>
> I already changed password history and min-password-age and so on to 0, but
> it still does not yet work. However, luckily, users are able to change
> their own password using ctrl+alt+delete. However, why does it not work
> during login?
>
> I have already seen other people had similar issues on Windows 10, but I
> didn't find out if anybody ever found a solution to this problem.
>
> I am happy for any hints.
>
> Thanks,
> best
> Tobias

I have experienced exactly the same issue (also on 4.18.6). Even with kinit on Linux you cannot change an expired password.

- Kees.