On Mon Jul 22 12:57:03 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 22 Jul 2024 12:09:45 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Mon, 22 Apr 2024 08:56:41 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > New related issue.
> > >
> > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90 days
> > > ago, and set the 'Maximum password age' to 90 days. Today, two of
> > > the users' passwords were expired when they tried to log in this
> > > morning. They got the message that their password was expired and
> > > to change it, but when doing so they keep getting "your password
> > > has expired."
> > >
> > > I've reset 3 people's passwords so far today. This worked without
> > > problem on 4.8.2. Yes, they did get the Windows notice that their
> > > password was expiring in x days, but they didn't act on that.
> > >
> > > Any idea how to fix this?
> >
> > It's been another 90 days and passwords are expiring. I'm back to
> > investigating this issue.
> >
> > 1. Most people are not getting the "your password expires in X days"
> > message on their Windows 11 workstations. I've looked in 'samba-tool
> > user show <user>' and 'samba-tool domain passwordsettings show' and
> > don't see where this setting is defined.
> >
> > 2. More importantly, when their password expires, they get the normal
> > Windows "Your Password has expired" dialogue with "Password", "New
> > password", "Confirm password". When users fill in this info and click
> > the arrow beside "Confirm password", it simply repaints the form and
> > never lets them in. The same happens to me so I know it's not just
> > user error.
> >
> > In ADUC > Users, no boxes are checked under "Account options" and
> > "Account expires" is set to 'never'.
> >
> > This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> > Samba 4.18.9, and from Windows 10 to Windows 11 on the workstations.
> > Users have never since been able to set their passwords once expired.
> > I have to do so for each user with 'samba-tool user setpassword
> > <user>'. This used to work fine on 4.8.2. We need to get this fixed.
> >
> > Suggestions?
> >
> > Thanks --Mark
> >
> >
>
> I wonder if this has anything to do with the AD password settings, what
> does this show when run on a DC:
>
> sudo samba-tool domain passwordsettings show
>
> Rowland

# sudo samba-tool domain passwordsettings show
Password information for domain 'DC=hprs,DC=local'
Password complexity: on
Store plaintext passwords: off
Password history length: 10
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 90
Account lockout duration (mins): 5
Account lockout threshold (attempts): 10
Reset account lockout after (mins): 30