Web lists-archives.com

Re: [Samba] Changing expired Samba AD password during Windows login




On win8.1 & srv2012r2 it is "The password for this account has expired"


On 01/17/2018 10:44 PM, Luke Barone wrote:
(Remember to reply all)

What error message, *specifically*, comes up when the user with the expired password attempts to change it?

On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken@xxxxxxxxxxxxxxx> wrote:

    To test, I use a desktop OS (win8.1) with rsat installed to create
    a new user with ADUC and set the "user must change password at
    next logon" OR for an existing user, with ADUC under "Account"
    tab. check "user must change password at next logon."

    Then, when the test user actually logs in to a Windows OS (I've
    tested win8.1 and srv2012r2), they get a message like "your
    password has expired and must be changed." When "ok" is clicked,
    they get a prompt to enter old password, and new password x2.
    Entering all of those correctly, including complexity
    requirements, does not work and that is my problem. They get an
    immediate repeat of the "the password for this account has
    expired" and the process starts all over.

    However, if for a non-expired user, they log in successfully and
    choose cntl-alt-del they can successfully change their password.


    On 01/17/2018 10:27 PM, Luke Barone wrote:
    Are you trying to reset with the rsat tools, or the command line?
    What issue is happening when you try to set it?

    On Jan 17, 2018 7:14 PM, "Ken McDonald via samba"
    <samba@xxxxxxxxxxxxxxx <mailto:samba@xxxxxxxxxxxxxxx>> wrote:

        I'm running a Samba AD 4.7.4 and cannot set a new password
        for a user with an expired password during login from a
        Windows PC. Changing a password from inside a login with
        cntl-alt-del "change password" works ok.

        I've already decreased the minimum password age to 0

        samba-tool domain passwordsettings show

        Password complexity: on
        Store plaintext passwords: off
        Password history length: 24
        Minimum password length: 7
        Minimum password age (days): 0
        Maximum password age (days): 42
        Account lockout duration (mins): 30
        Account lockout threshold (attempts): 0
        Reset account lockout after (mins): 30

        My Samba install is brand new and the Windows PC is a clean
        test PC. I'm running on Ubuntu 16.04.3 and had to compile
        from source Samba 4.7.4 after compiling from source krb5
        1.15.2. All other build dependencies came from default Ubuntu
        16.04.3 repos

        smb.conf

        # Global parameters
        [global]
                dns forwarder = xxx.xxx.xxx.xxx
                netbios name = DCNAME
                realm = DOMAINNAME.DOMAIN.COM
        <http://DOMAINNAME.DOMAIN.COM>
                server role = active directory domain controller
                workgroup = DOMAINNAME
                idmap_ldb:use rfc2307 = yes

                log level = 5

        [netlogon]
                path =
        /usr/local/samba/var/locks/sysvol/domainname.domain.com/scripts
        <http://domainname.domain.com/scripts>
                read only = No

        [sysvol]
                path = /usr/local/samba/var/locks/sysvol
                read only = No


-- To unsubscribe from this list go to the following URL and
        read the
        instructions: https://lists.samba.org/mailman/options/samba
        <https://lists.samba.org/mailman/options/samba>



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba