Rowland Penny
2023-Sep-25 15:16 UTC
[Samba] Samba AD DC: users cannot change expired passwords
On Mon, 25 Sep 2023 16:47:57 +0200 "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> yes I also got this message that was from Kees but signed by me. I
> did not send it. But I did send the very first message, though.

It confused me no end. Can I suggest that if anyone replies to a samba mailing list post, they just reply to the list, do not 'CC' anyone else and do not reply to anyone else. That way, anyone who is subscribed to the list will get the reply.

> I just checked the logs on the DC. There is nothing relevant in
> there. I cannot see any errors whatsoever.
> The strange thing is:
>
> When the password is expired, the user can, on the Windows 10 login
> page, literally enter ANY password, and gets the message "your
> password is expired" and when the user tries to change his password,
> no matter if the correct or a random password is entered as the old
> password, the message "password expired" appears again and the login
> is stuck in this forever loop unless "cancel" is clicked, which, of
> course, cancels the login.

I think that the password may or may not be changing, but either way, the other relevant attributes do not seem to be being reset. Note, this is all guesswork.

> So I checked every log file under /var/log/samba on my DCs (I have
> two of them, dc0 and dc1, which are rsync'ed).
> Let me know which config I shall change to increase the loglevel and
> I will do that and post the logs here.

Raising the loglevel on any Samba machine is fairly easy: you just add the very aptly named parameter 'log level' to the global part of the smb.conf; this should also point to a number, the higher the number, the bigger the log. For instance, adding 'log level = 3' will make Samba log at level 3. You could try raising this number until something possibly 'pops' out. The maximum level I would go to would be 10, but beware, the logs at that level will be very large.

You will also need to restart your DC after adding the parameter or changing the log level.

Rowland
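The edit Rowland describes, as an added shell example that is not part of the thread: a function that sets 'log level' in the [global] section of an smb.conf (replacing any existing value, including Samba's synonym 'debuglevel'), run against a constructed sample config rather than the poster's real one. The config path, its contents and the service unit name in the closing comment are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread: set the 'log level' parameter in the
# [global] section of an smb.conf as Rowland describes; the DC's Samba
# service must then be restarted for the change to take effect.

# set_log_level CONF LEVEL
# Rewrites CONF so that [global] holds exactly one "log level = LEVEL" line.
# Any existing 'log level' (or its synonym 'debuglevel') in [global] is dropped
# first; Samba parameter names are case- and whitespace-insensitive.
set_log_level() {
    conf="$1"; level="$2"
    case "$level" in
        ''|*[!0-9]*) echo "log level must be a number (0-10)" >&2; return 1 ;;
    esac
    awk -v lvl="$level" '
        /^[ \t]*\[/ {                       # any section header
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            print
            if (in_global) { print "\tlog level = " lvl; done = 1 }
            next
        }
        in_global && tolower($0) ~ /^[ \t]*(log[ \t]*level|debuglevel)[ \t]*=/ { next }
        { print }
        END { if (!done) print "[global]\n\tlog level = " lvl }   # no [global] at all
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# get_log_level CONF -> prints the effective value (the last one in [global] wins)
get_log_level() {
    awk -F= '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/) }
        in_global && tolower($1) ~ /^[ \t]*(log[ \t]*level|debuglevel)[ \t]*$/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
        }
        END { print val }
    ' "$1"
}

# Constructed sample config (not the poster's real smb.conf) to show the edit.
demo() {
    conf=$(mktemp)
    printf '[global]\n\tworkgroup = SAMDOM\n\tlog level = 1\n\n[sysvol]\n\tpath = /var/lib/samba/sysvol\n' > "$conf"
    set_log_level "$conf" 10
    get_log_level "$conf"          # prints 10; the old 'log level = 1' is gone
    rm -f "$conf"
    # After editing the live /etc/samba/smb.conf, restart the DC service,
    # e.g. systemctl restart samba-ad-dc (unit name varies by distribution).
}
demo
```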
Pluess, Tobias
2023-Sep-26 07:05 UTC
[Samba] Samba AD DC: users cannot change expired passwords
Hi Rowland,

I went to my DC and set the samba log level to 10. Then I rebooted the DC. Afterwards, I went to the Windows 10 machine and first logged in as a "normal" user that has no expired password. That worked well, of course. Then I logged out and tried to log in as a new user, who has never logged in before, and whose account was configured as "user needs to change the password on first login". Then I was stuck in the "password expired" loop as described before.

I uploaded the log.samba file to my Nextcloud https://hb9fsx.ch/nextcloud/s/bW8zx52TaTsJ44j as it is quite large. I marked the positions in the log where I logged in as "######## existing user login #######" and "######## new user with expired password login #######" so they can be found easily.

But I believe the log is, unfortunately, not very helpful, as I cannot see any messages about the expired passwords. I cannot even find the user names of users who logged in, so this log file is probably either not the right one or it will be difficult to impossible to learn something about this problem from it. Nevertheless I wanted to share it with you as you still may find something in there, hopefully.

Let me know if I can help with providing further log files or doing other experiments.

Thanks, best
Tobias

On Mon, Sep 25, 2023 at 5:16 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 25 Sep 2023 16:47:57 +0200
> "Pluess, Tobias via samba" <samba at lists.samba.org> wrote:
>
> > Hi Rowland,
> >
> > yes I also got this message that was from Kees but signed by me. I
> > did not send it. But I did send the very first message, though.
>
> It confused me no end. Can I suggest that if anyone replies to a samba
> mailing list post, they just reply to the list, do not 'CC' anyone else
> and do not reply to anyone else. That way, anyone who is subscribed to
> the list will get the reply.
>
> > I just checked the logs on the DC. There is nothing relevant in
> > there. I cannot see any errors whatsoever.
> > The strange thing is:
> >
> > When the password is expired, the user can, on the Windows 10 login
> > page, literally enter ANY password, and gets the message "your
> > password is expired" and when the user tries to change his password,
> > no matter if the correct or a random password is entered as the old
> > password, the message "password expired" appears again and the login
> > is stuck in this forever loop unless "cancel" is clicked, which, of
> > course, cancels the login.
>
> I think that the password may or may not be changing, but either way,
> the other relevant attributes do not seem to be being reset. Note,
> this is all guesswork.
>
> > So I checked every log file under /var/log/samba on my DCs (I have
> > two of them, dc0 and dc1, which are rsync'ed).
> > Let me know which config I shall change to increase the loglevel and
> > I will do that and post the logs here.
>
> Raising the loglevel on any Samba machine is fairly easy: you just add
> the very aptly named parameter 'log level' to the global part of the
> smb.conf; this should also point to a number, the higher the number,
> the bigger the log. For instance, adding 'log level = 3' will make Samba
> log at level 3. You could try raising this number until something
> possibly 'pops' out. The maximum level I would go to would be 10, but
> beware, the logs at that level will be very large. You will also need
> to restart your DC after adding the parameter or changing the log level.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba