On Mon, 22 Jul 2024 13:06:56 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> On Mon Jul 22 12:57:03 2024 Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Mon, 22 Jul 2024 12:09:45 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Mon, 22 Apr 2024 08:56:41 -0400
> > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > >
> > > > New related issue.
> > > >
> > > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90
> > > > days ago, and set the 'Maximum password age' to 90 days. Today,
> > > > two of the users' passwords were expired when they tried to log
> > > > in this morning. They got the message that their password was
> > > > expired and to change it, but when doing so they keep getting
> > > > "your password has expired."
> > > >
> > > > I've reset 3 people's passwords so far today. This worked
> > > > without problem on 4.8.2. Yes, they did get the Windows notice
> > > > that their password was expiring in x days, but they didn't act
> > > > on that.
> > > >
> > > > Any idea how to fix this?
> > >
> > > It's been another 90 days and passwords are expiring. I'm back to
> > > investigating this issue.
> > >
> > > 1. Most people are not getting the "your password expires in X
> > > days" message on their Windows 11 workstations. I've looked in
> > > 'samba-tool user show <user>' and 'samba-tool domain
> > > passwordsettings show' and don't see where this setting is
> > > defined.
> > >
> > > 2. More importantly, when their password expires, they get the
> > > normal Windows "Your Password has expired" dialogue with
> > > "Password", "New password", "Confirm password". When users fill
> > > in this info and click the arrow beside "Confirm password", it
> > > simply repaints the form and never lets them in. The same happens
> > > to me so I know it's not just user error.
> > >
> > > In ADUC > Users, no boxes are checked under "Account options" and
> > > "Account expires" is set to 'never'.
> > >
> > > This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> > > Samba 4.18.9, and from Windows 10 to Windows 11 on the
> > > workstations. Users have never since been able to set their
> > > passwords once expired. I have to do so for each user with
> > > 'samba-tool user setpassword <user>'. This used to work fine on
> > > 4.8.2. We need to get this fixed.
> > >
> > > Suggestions?
> > >
> > > Thanks --Mark
> > >
> > >
> >
> > I wonder if this has anything to do with the AD password settings,
> > what does this show when run on a DC:
> >
> > sudo samba-tool domain passwordsettings show
> >
> > Rowland
>
> # sudo samba-tool domain passwordsettings show
> Password information for domain 'DC=hprs,DC=local'
>
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 10
> Minimum password length: 7
> Minimum password age (days): 0
> Maximum password age (days): 90
> Account lockout duration (mins): 5
> Account lockout threshold (attempts): 10
> Reset account lockout after (mins): 30
>
There doesn't seem to be anything wrong there, I wondered if the
minimum password age was larger than the maximum password age.
You can stop a user being able to change their password by altering the
required permission from 'allow' to 'deny', this can be on individual
users or an entire OU.
Try checking a user's Account tab and see if 'User cannot change
password' is checked. Not sure how you do it for an OU, but it is
probably something similar.
Rowland
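
The two checks suggested in the reply above, as an added example that is not part of the thread or of Samba: it flags a minimum password age that is not below the maximum, and lists deny ACEs on the Change Password right, which is how the 'User cannot change password' box is stored in the object's ACL. The SDDL strings are constructed; on a DC the real descriptor is assumed to come from `samba-tool dsacl get --objectdn=<user DN>`.

```python
import re

# rightsGuid of the User-Change-Password extended right.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"

# Excerpt of the 'passwordsettings show' output posted in the thread.
PAGE_OUTPUT = """\
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 90
"""

# Constructed SDDL strings (not from the thread): deny vs. allow on Change Password.
SDDL_DENY = ("O:DAG:DAD:AI"
             "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
             "(OD;;CR;AB721A53-1E2F-11D0-9819-00AA0040529B;;PS)"
             "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)")
SDDL_ALLOW = SDDL_DENY.replace("(OD;", "(OA;")


def parse_password_settings(text):
    """Map each 'Label: value' line to settings[label] = value."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip():
            settings[label.strip()] = value.strip()
    return settings


def age_conflict(settings):
    """True if a non-zero maximum age is not greater than the minimum age."""
    min_age = int(settings["Minimum password age (days)"])
    max_age = int(settings["Maximum password age (days)"])
    return max_age != 0 and min_age >= max_age  # 0 = passwords never expire


def change_password_denied(sddl):
    """Return trustees holding an object-deny ACE on the Change Password right."""
    denied = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if ace_type == "OD" and "CR" in codes and obj_guid.lower() == CHANGE_PASSWORD_GUID:
            denied.append(trustee)
    return denied
```

A result of `["WD", "PS"]` (Everyone and SELF) from `change_password_denied` corresponds to the box being ticked; an empty list means no such deny ACE is present on that object.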