On Thu Apr 25 05:02:39 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 22 Apr 2024 08:56:41 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > New related issue.
> >
> > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> > ago, and set the 'Maximum password age' to 90 days. Today, two of the
> > users' passwords were expired when they tried to log in this morning.
> > They got the message that their password was expired and to change
> > it, but when doing so they keep getting "your password has expired."
> >
> > I've reset 3 people's passwords so far today. This worked without
> > problem on 4.8.2. Yes, they did get the Windows notice that their
> > password was expiring in x days, but they didn't act on that.
> >
> > Any idea how to fix this?
> >
>
> When setting a user's password, the basic command is
> 'samba-tool setpassword <username>', to which you can add the new
> password with '--newpassword=passw0rd'. If you do not supply a
> password, you will be prompted for it (twice). You can also add
> '--must-change-at-next-login', which is supposed to make the user
> change their password at the next logon.
>
> How does the '--must-change-at-next-login' switch work?
> If the switch is set, it just sets the user's 'pwdLastSet' attribute to
> '0', at which point the Windows code should kick in and prompt the
> user to change their password, then set the user's 'unicodePwd'
> attribute to basically a base64 hash of the supplied password and
> reset the user's 'pwdLastSet' attribute to the date and time that the
> password was changed.
>
> I suggest you set a test user to change their password at next login
> and then check the user's 'pwdLastSet' attribute, it should contain '0'.
> Next, attempt to logon as the user and when prompted, change the
> password, if this works, OK, but if not, check the user's 'pwdLastSet'
> attribute again, what does it contain now?
>
> Rowland

I just had another user with an expired password who could not reset his
password. He got a notification on his Windows 11 workstation last week
that his password was expiring, but he forgot to change it.

When he came in this morning he got a notice when trying to log in: "The
password for this account has expired." Clicking "OK" prompted him to
enter his current/expired password, then a new password, then confirm
the new password. After doing this he again got the message, "The
password for this account has expired." In short, he could not reset his
password. He tried several times.

The following is his pdbedit info from the DC:

# pdbedit -u johnd -v
Unix username:        johnd
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1179323223-1906255692-291620936-1127
Primary Group SID:    S-1-5-21-1179323223-1906255692-291620936-513
Full Name:            John Doe
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Operations Manager
Workstations:
Munged dial:
Logon time:           Fri, 26 Apr 2024 12:52:06 EDT
Logoff time:          0
Kickoff time:         Wed, 13 Sep 30828 22:48:05 EDT
Password last set:    Mon, 29 Jan 2024 14:02:07 EST
Password can change:  Mon, 29 Jan 2024 14:02:07 EST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

I did not find your mentioned 'pwdLastSet' specified as such, but I
assume that is the same as 'Password last set' in the above list.

Very curious, 'Password must change' is set to "Never". I also checked
ADUC for this user on the Windows admin host and it is also set to
'Account expires' "Never". So, why is he a) being notified several days
ahead to change his password and b) being required to change his
password? Most importantly, why is it not accepting his new password
change? This never happened on the previous Samba 4.8.2 DC.

I was able to change his password with 'samba-tool user setpassword',
and he was then able to change it again once he logged in.
--Mark
On Mon, 29 Apr 2024 10:35:49 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Thu Apr 25 05:02:39 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Mon, 22 Apr 2024 08:56:41 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > New related issue.
> > >
> > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90
> > > days ago, and set the 'Maximum password age' to 90 days. Today,
> > > two of the users' passwords were expired when they tried to log
> > > in this morning. They got the message that their password was
> > > expired and to change it, but when doing so they keep getting
> > > "your password has expired."
> > >
> > > I've reset 3 people's passwords so far today. This worked without
> > > problem on 4.8.2. Yes, they did get the Windows notice that their
> > > password was expiring in x days, but they didn't act on that.
> > >
> > > Any idea how to fix this?
> > >
> >
> > When setting a user's password, the basic command is
> > 'samba-tool setpassword <username>', to which you can add the new
> > password with '--newpassword=passw0rd'. If you do not supply a
> > password, you will be prompted for it (twice). You can also add
> > '--must-change-at-next-login', which is supposed to make the user
> > change their password at the next logon.
> >
> > How does the '--must-change-at-next-login' switch work?
> > If the switch is set, it just sets the user's 'pwdLastSet' attribute
> > to '0', at which point the Windows code should kick in and prompt
> > the user to change their password, then set the user's 'unicodePwd'
> > attribute to basically a base64 hash of the supplied password and
> > reset the user's 'pwdLastSet' attribute to the date and time that
> > the password was changed.
> >
> > I suggest you set a test user to change their password at next login
> > and then check the user's 'pwdLastSet' attribute, it should contain
> > '0'. Next, attempt to logon as the user and when prompted, change
> > the password, if this works, OK, but if not, check the user's
> > 'pwdLastSet' attribute again, what does it contain now?
> >
> > Rowland
>
> I just had another user with an expired password who could not reset
> his password. He got a notification on his Windows 11 workstation
> last week that his password was expiring, but he forgot to change it.
>
> When he came in this morning he got a notice when trying to log in:
> "The password for this account has expired." Clicking "OK" prompted
> him to enter his current/expired password, then a new password, then
> confirm the new password. After doing this he again got the message,
> "The password for this account has expired." In short, he could not
> reset his password. He tried several times.
>
> The following is his pdbedit info from the DC:
>
> # pdbedit -u johnd -v
> Unix username:        johnd
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-1179323223-1906255692-291620936-1127
> Primary Group SID:    S-1-5-21-1179323223-1906255692-291620936-513
> Full Name:            John Doe
> Home Directory:
> HomeDir Drive:        (null)
> Logon Script:
> Profile Path:
> Domain:
> Account desc:         Operations Manager
> Workstations:
> Munged dial:
> Logon time:           Fri, 26 Apr 2024 12:52:06 EDT
> Logoff time:          0
> Kickoff time:         Wed, 13 Sep 30828 22:48:05 EDT
> Password last set:    Mon, 29 Jan 2024 14:02:07 EST
> Password can change:  Mon, 29 Jan 2024 14:02:07 EST
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> I did not find your mentioned 'pwdLastSet' specified as such, but I
> assume that is the same as 'Password last set' in the above list.

You will not find it using pdbedit, you will need to use ldapsearch,
ldbedit or ldbsearch to find it, it is an AD attribute.

> Very curious, 'Password must change' is set to "Never". I also
> checked ADUC for this user on the Windows admin host and it is also
> set to 'Account expires' "Never".

AD uses 'pwdLastSet' along with whatever has been set as the domain
maximum password age to calculate when the password must be changed.
This appears to be working; what doesn't appear to be working is the
actual password change.

If you set 'user must change password at next logon', then 'pwdLastSet'
is set to 0, this is what forces the AD user to change their password.

To get the password settings on a DC, run:

sudo samba-tool domain passwordsettings show -Uadministrator

How are the users changing their password, on what OS and version?

Rowland
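Rowland's description of the mechanism (in his reply above and in the earlier reply Mark quotes: the DC derives the expiry from the user's pwdLastSet plus the domain's maxPwdAge, and a pwdLastSet of 0 is what forces a change at next logon) can be reproduced offline. The following is an added example written for this page, not code from the thread or from the Samba project. It parses constructed LDIF of the shape ldbsearch prints (the attribute values are illustrative, chosen to match the dates in the thread) and evaluates the password state the way the DC does; the helper names parse_ldif_entry, password_state and check_user are this example's own.

```python
"""Added example (not from the samba list thread or the Samba project):
reproduce the DC-side check described above, i.e. expiry = pwdLastSet plus
the domain's maxPwdAge, with pwdLastSet == 0 meaning "must change password
at next logon".

AD stores both attributes as 64-bit large integers in 100-nanosecond
units: pwdLastSet is absolute (counted from 1601-01-01 UTC), maxPwdAge is
a negative duration.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000             # userAccountControl flag bit
# maxPwdAge values this example treats as "passwords never expire"
# (assumption: 0 and the int64 minimum sentinel).
NO_MAX_AGE = (0, -0x8000000000000000)

# Constructed sample data (illustrative, not real directory output): the
# shape ldbsearch prints for a user entry and for the domain root.  The
# pwdLastSet below is Mon 29 Jan 2024 19:02:07 UTC (14:02:07 EST);
# maxPwdAge is -90 days expressed in 100ns units.
USER_LDIF = """\
dn: CN=John Doe,CN=Users,DC=example,DC=com
sAMAccountName: johnd
userAccountControl: 512
pwdLastSet: 133510285270000000
"""
DOMAIN_LDIF = """\
dn: DC=example,DC=com
maxPwdAge: -77760000000000
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Joins the wrapped continuation lines (leading space) that ldbsearch
    emits for long values; base64 ('::') values are not needed here.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]             # continuation of previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def filetime_to_datetime(ft):
    """Large-integer time (100ns since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_state(user, domain, now):
    """Evaluate the user's password against the domain policy at `now`.

    Returns (state, expiry): state is "must_change", "never_expires",
    "valid" or "expired"; expiry is an aware datetime or None.
    """
    pwd_last_set = int(user["pwdLastSet"][0])
    uac = int(user.get("userAccountControl", ["0"])[0])
    max_pwd_age = int(domain["maxPwdAge"][0])

    if pwd_last_set == 0:                    # what --must-change-at-next-login sets
        return "must_change", None
    if uac & DONT_EXPIRE_PASSWD or max_pwd_age in NO_MAX_AGE:
        return "never_expires", None
    # maxPwdAge is negative, so subtracting it adds the maximum age.
    expiry = filetime_to_datetime(pwd_last_set - max_pwd_age)
    return ("expired" if now >= expiry else "valid"), expiry


def check_user(user_ldif, domain_ldif, now_iso):
    """Convenience wrapper: LDIF text plus ISO-8601 'now' -> (state, expiry ISO)."""
    state, expiry = password_state(parse_ldif_entry(user_ldif),
                                   parse_ldif_entry(domain_ldif),
                                   datetime.fromisoformat(now_iso))
    return state, (expiry.isoformat() if expiry else None)


if __name__ == "__main__":
    # The user in the thread came in on Mon 29 Apr 2024 with an expired password.
    print(check_user(USER_LDIF, DOMAIN_LDIF, "2024-04-29T13:00:00+00:00"))
    # The same account after 'must change at next logon' zeroed pwdLastSet.
    print(check_user(USER_LDIF.replace("133510285270000000", "0"),
                     DOMAIN_LDIF, "2024-04-29T13:00:00+00:00"))
```

On a DC the two entries would come from something like `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=johnd)' pwdLastSet userAccountControl` and `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=example,DC=com' -s base maxPwdAge` (path and base DN are assumptions for this example; adjust to the install), while `samba-tool domain passwordsettings show` prints the same maxPwdAge converted to days. With the sample values the computed expiry is 28 Apr 2024 19:02:07 UTC, which matches a user finding the password expired on the morning of 29 Apr.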
On Mon, 22 Apr 2024 08:56:41 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> New related issue.
>
> I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> ago, and set the 'Maximum password age' to 90 days. Today, two of the
> users' passwords were expired when they tried to log in this morning.
> They got the message that their password was expired and to change
> it, but when doing so they keep getting "your password has expired."
>
> I've reset 3 people's passwords so far today. This worked without
> problem on 4.8.2. Yes, they did get the Windows notice that their
> password was expiring in x days, but they didn't act on that.
>
> Any idea how to fix this?

It's been another 90 days and passwords are expiring. I'm back to
investigating this issue.

1. Most people are not getting the "your password expires in X days"
message on their Windows 11 workstations. I've looked in
'samba-tool user show <user>' and 'samba-tool domain passwordsettings
show' and don't see where this setting is defined.

2. More importantly, when their password expires, they get the normal
Windows "Your password has expired" dialogue with "Password", "New
password", "Confirm password". When users fill in this info and click
the arrow beside "Confirm password", it simply repaints the form and
never lets them in. The same happens to me so I know it's not just user
error.

In ADUC > Users, no boxes are checked under "Account options" and
"Account expires" is set to 'never'.

This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to Samba
4.18.9, and from Windows 10 to Windows 11 on the workstations. Users
have never since been able to set their passwords once expired. I have
to do so for each user with 'samba-tool user setpassword <user>'. This
used to work fine on 4.8.2.

We need to get this fixed. Suggestions?

Thanks --Mark