On samba-bounces at lists.samba.org Thu Jul 25 16:15:45 2024 Mark Foley via samba <samba at lists.samba.org> wrote:
> On Mon Jul 22 13:33:05 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > On Mon, 22 Jul 2024 13:06:56 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Mon Jul 22 12:57:03 2024 Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > On Mon, 22 Jul 2024 12:09:45 -0400
> > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > > On Mon, 22 Apr 2024 08:56:41 -0400
> > > > > > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > > > > > >
> > > > > > > New related issue.
> > > > > > >
> > > > > > > I upgraded the Domain Controller from 4.8.2 to 4.18.9 about 90
> > > > > > > days ago, and set the 'Maximum password age' to 90 days. Today,
> > > > > > > two of the users' passwords were expired when they tried to log
> > > > > > > in this morning. They got the message that their password was
> > > > > > > expired and to change it, but when doing so they keep getting
> > > > > > > "your password has expired."
> > > > > > >
> > > > > > > I've reset 3 people's passwords so far today. This worked
> > > > > > > without problem on 4.8.2. Yes, they did get the Windows notice
> > > > > > > that their password was expiring in x days, but they didn't act
> > > > > > > on that.
> > > > > > >
> > > > > > > Any idea how to fix this?
> > > > > >
> > > > > > It's been another 90 days and passwords are expiring. I'm back to
> > > > > > investigating this issue.
> > > > > >
> > > > > > 1. Most people are not getting the "your password expires in X
> > > > > > days" message on their Windows 11 workstations. I've looked in
> > > > > > 'samba-tool user show <user>' and 'samba-tool domain
> > > > > > passwordsettings show' and don't see where this setting is
> > > > > > defined.
> > > > > >
> > > > > > 2. More importantly, when their password expires, they get the
> > > > > > normal Windows "Your Password has expired" dialogue with
> > > > > > "Password", "New password", "Confirm password". When users fill
> > > > > > in this info and click the arrow beside "Confirm password", it
> > > > > > simply repaints the form and never lets them in. The same happens
> > > > > > to me so I know it's not just user error.
> > > > > >
> > > > > > In ADUC > Users, no boxes are checked under "Account options" and
> > > > > > "Account expires" is set to 'never'.
> > > > > >
> > > > > > This is our 2nd 90-day cycle since upgrading from Samba 4.8.2 to
> > > > > > Samba 4.18.9, and from Windows 10 to Windows 11 on the
> > > > > > workstations. Users have never since been able to set their
> > > > > > passwords once expired. I have to do so for each user with
> > > > > > 'samba-tool user setpassword <user>'. This used to work fine on
> > > > > > 4.8.2. We need to get this fixed.
> > > > > >
> > > > > > Suggestions?
> > > > > >
> > > > > > Thanks --Mark
> > > >
> > > > I wonder if this has anything to do with the AD password settings,
> > > > what does this show when run on a DC:
> > > >
> > > > sudo samba-tool domain passwordsettings show
> > > >
> > > > Rowland
> > >
> > > # sudo samba-tool domain passwordsettings show
> > > Password information for domain 'DC=hprs,DC=local'
> > >
> > > Password complexity: on
> > > Store plaintext passwords: off
> > > Password history length: 10
> > > Minimum password length: 7
> > > Minimum password age (days): 0
> > > Maximum password age (days): 90
> > > Account lockout duration (mins): 5
> > > Account lockout threshold (attempts): 10
> > > Reset account lockout after (mins): 30
> > >
> >
> > There doesn't seem to be anything wrong there, I wondered if the
> > minimum password age was larger than the maximum password age.
> >
> > You can stop a user being able to change their password by altering the
> > required permission from 'allow' to 'deny', this can be on individual
> > users or an entire OU.
> > Try checking a user's Account tab and see if 'User cannot change
> > password' is checked. Not sure how you do it for an OU, but it is
> > probably something similar.
> >
> > Rowland
>
> Sorry for the delay. I manage this machine remotely and Remote Desktop does
> not let you change an expired password, so I had to go onsite.
>
> On the ADUC dialogue for my domain user the Account options are:
>
> User must change password at next login
> User cannot change password
> Password never expires
> Store password using reversible encryption
> Account is disabled
> Smart card is required for interactive logon
> Account is sensitive and cannot be delegated
> Use only Kerberos DES encryption types for this account
> This account supports Kerberos AES 128 bit encryption
> This account supports Kerberos AES 256 bit encryption
> Do not require Kerberos preauthentication.
>
> All of these are un-checked.
>
> With samba-tool I changed Minimum password age (days): 1, which I think is
> what you were suggesting.
>
> On ADUC, I checked "User must change password at next login", then I tried
> to log into a Windows 11 workstation. I got the message "The password for
> this account has expired", as expected, and a dialogue box asking me to
> enter and confirm a new password. I did so, but it did not take the new
> password and kept cycling back to the "The password for this account has
> expired" dialog.
>
> As it stands, users can change their passwords at any time, so long as it's
> not expired or their account is not marked "User must change password at
> next login". If a user lets his/her password expire, I have to change it
> manually via ADUC or samba-tool.
>
> Other thoughts? I suppose this could be a Windows thing, but then I would
> expect this problem to be pretty pervasive.
>
> Thanks --Mark
>
> On 25.07.24 at 22:15, Mark Foley via samba wrote:
>
> [deleted]
>
> I think this has been the case for some time. We also had some issues
> with this 1-2 years ago. On this list the topic pops up from time to
> time but it is never solved. I really think it is a Samba bug but nobody
> has been able to prove this.
> In the end we decided to go for longer passwords more complex and stop
> the expiry.
>
> Regards
>
> Christian

So, at least one other user on this list has reported the same problem
(Christian) and he indicates that this problem "On this list the topic pops
up from time to time but it is never solved." So he's not the only one
besides me.

He *solved* it by setting no expiry on the passwords, which is an
unacceptable work-around, not a solution.

No one has reported that they don't have a problem with password
expirations.

It is doubtful that it's a Windows 11 problem or thousands of Windows users
would be howling. I have an associate who admins a Windows domain, no Samba,
and he has no such issue.

The conclusion must be that it is a Samba bug with this version. As I
mentioned, I did not have this issue with Samba 4.8.2.

So, how does one report a bug to the Samba development team?

THX --Mark
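
An added example, not part of the original message: since users in this thread cannot change a password once it has expired and most get no advance notice, an administrator can list accounts approaching the 'Maximum password age' from their pwdLastSet values and remind them beforehand. The LDIF sample, account names and 14-day warning window are constructed assumptions, and the check assumes one domain-wide maximum age with no per-user password settings objects.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100 ns ticks from here
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit behind "Password never expires"

# Constructed sample (not from the thread): trimmed LDIF records for four accounts.
SAMPLE_LDIF = """\
sAMAccountName: alice
pwdLastSet: 133582176000000000
userAccountControl: 512

sAMAccountName: bob
pwdLastSet: 133594272000000000
userAccountControl: 512

sAMAccountName: carol
pwdLastSet: 0
userAccountControl: 512

sAMAccountName: svc
pwdLastSet: 133582176000000000
userAccountControl: 66048
"""

def parse_records(ldif):
    """Split LDIF on blank lines; return one {attribute: value} dict per entry."""
    blocks = re.split(r"\n\s*\n", ldif.strip())
    return [dict(re.findall(r"^(\w+): (.*)$", b, flags=re.M)) for b in blocks]

def password_status(attrs, max_age_days, now, warn_days=14):
    """Return (state, days_left) for one account under a domain-wide maximum age."""
    if int(attrs.get("userAccountControl", 0)) & DONT_EXPIRE_PASSWORD:
        return ("never-expires", None)
    ticks = int(attrs.get("pwdLastSet", 0))
    if ticks == 0:  # same state as "User must change password at next login"
        return ("must-change", None)
    last_set = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    days_left = (last_set + timedelta(days=max_age_days) - now).days
    if days_left < 0:
        return ("expired", days_left)
    return ("expiring" if days_left <= warn_days else "ok", days_left)

def report(ldif, max_age_days, now):
    return {r["sAMAccountName"]: password_status(r, max_age_days, now) for r in parse_records(ldif)}

if __name__ == "__main__":
    for user, (state, left) in report(SAMPLE_LDIF, 90, datetime(2024, 7, 25, tzinfo=timezone.utc)).items():
        print(f"{user:8} {state:14} {'' if left is None else left}")
```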