samba - Jan 2024 - Users/admin unable to reset passwords

On Wed, 2024-01-24 at 16:02 -0500, Mark Foley via samba
wrote:
> It looks like I'm having a serious problem with passwords and domain
> credentials.
> After joining the office Windows workstations as domain members to
> the new AD, Iused ADUC to set everyone's password to some value so I
> could verify their appsgot updated when logging in.  After doing
> that, I again used ADUC to check thebox requiring everyone to change
> their passsword when logging in. 
> The next day when users arrived, they got the message to change their
> password,but the system would not accept the new password.  I had to
> go back into ADUCand un-set that checkbox.  Then users could log in
> with the password I had setand change it with Ctrl-Alt-DEL. 
> As an additional experiment, I used samba-tool to set one of the
> users to havehis password expire in two days.  Which it did
> today.  He got no message leadingup to this telling him his password
> was about to expire, as used to happen, butit did expire today and
> prevented him from logging in at all, and did not prompthim to set a
> new password. 
> I went to ADUC and set his profile to never expire the password, then
> set thepassword itself to some values. He still could not log in.
> I then used samba-tool to set his password. He could not and still
> cannot login.
> What's up here? This user is now completely unable to log into his
> workstationat all, not can it be logged into remotely.  The RDC
> dialog says "credentialsfailed".  As admin I don't seem to
have the
> ability to let him in.  I amconcerned as to what will happen when the
> other users' password time limiteexpires. 
> The Windows workstations are the exact same ones that were connected
> to theprevious Samba 4.8.2 domain. All that has changed is they have
> been unjoinedthen rejoined to the new 4.8.19 domain.
Is this a Samba 4.19 domain?  Can you clarify the version?
What is in the server logs?
This is meant to work, and we do have tests for this area, but perhaps
something hasn't been covered. 
Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/Samba Team Member
(since 2001) https://samba.orgSamba Team Lead               
https://catalyst.net.nz/services/sambaCatalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions

On Sun Jan 28 19:28:58 2024 Andrew Bartlett <abartlet at samba.org>
wrote:
>
> On Wed, 2024-01-24 at 16:02 -0500, Mark Foley via samba wrote:
> >
> > It looks like I'm having a serious problem with passwords and
domain
> > credentials.
> > After joining the office Windows workstations as domain members to
> > the new AD, Iused ADUC to set everyone's password to some value so
I
> > could verify their appsgot updated when logging in.  After doing
> > that, I again used ADUC to check thebox requiring everyone to change
> > their passsword when logging in. 
> > The next day when users arrived, they got the message to change their
> > password,but the system would not accept the new password.  I had to
> > go back into ADUCand un-set that checkbox.  Then users could log in
> > with the password I had setand change it with Ctrl-Alt-DEL. 
> > As an additional experiment, I used samba-tool to set one of the
> > users to havehis password expire in two days.  Which it did
> > today.  He got no message leadingup to this telling him his password
> > was about to expire, as used to happen, butit did expire today and
> > prevented him from logging in at all, and did not prompthim to set a
> > new password. 
> > I went to ADUC and set his profile to never expire the password, then
> > set the password itself to some values. He still could not log in.
> > I then used samba-tool to set his password. He could not and still
> > cannot login.
> > What's up here? This user is now completely unable to log into his
> > workstationat all, not can it be logged into remotely.  The RDC
> > dialog says "credentialsfailed".  As admin I don't seem
to have the
> > ability to let him in.  I amconcerned as to what will happen when the
> > other users' password time limiteexpires. 
> > The Windows workstations are the exact same ones that were connected
> > to theprevious Samba 4.8.2 domain. All that has changed is they have
> > been unjoinedthen rejoined to the new 4.8.19 domain.
>
> Is this a Samba 4.19 domain?  Can you clarify the version?
> What is in the server logs?
> This is meant to work, and we do have tests for this area, but perhaps
> something hasn't been covered. 
> Andrew Bartlett
This is Samba 4.18.9.  I have confirmed that in ADUC if I set the user >
properties > Account to "User must change password at next login",
the user is
indeed prompted for a new password at next login, but regardless of what he
enters, he continues to be prompted to change his password. 

If I un-check "User must change password at next login" he can get in
with his
old/current password.

It looks like the act of entering the new password neither sets the new password
nor un-checks the "reset next login" box.

What server logs do you mean? Those on the DC or on the Windows domain member?
I've looked in the DC logs and see nothing, but maybe I don't know what
to look
for.

--Mark