Re: [Samba] Changing expired Samba AD password during Windows login
- Date: Wed, 17 Jan 2018 22:48:29 -0500
- From: Ken McDonald via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Changing expired Samba AD password during Windows login
On win8.1 & srv2012r2 it is "The password for this account has expired"
On 01/17/2018 10:44 PM, Luke Barone wrote:
(Remember to reply all)
What error message, *specifically*, comes up when the user with the
expired password attempts to change it?
On Jan 17, 2018 7:36 PM, "Ken McDonald" <ken@xxxxxxxxxxxxxxx> wrote:
To test, I use a desktop OS (win8.1) with rsat installed to create
a new user with ADUC and set the "user must change password at
next logon" OR for an existing user, with ADUC under "Account"
tab. check "user must change password at next logon."
Then, when the test user actually logs in to a Windows OS (I've
tested win8.1 and srv2012r2), they get a message like "your
password has expired and must be changed." When "ok" is clicked,
they get a prompt to enter old password, and new password x2.
Entering all of those correctly, including complexity
requirements, does not work and that is my problem. They get an
immediate repeat of the "the password for this account has
expired" and the process starts all over.
However, if for a non-expired user, they log in successfully and
choose cntl-alt-del they can successfully change their password.
On 01/17/2018 10:27 PM, Luke Barone wrote:
Are you trying to reset with the rsat tools, or the command line?
What issue is happening when you try to set it?
On Jan 17, 2018 7:14 PM, "Ken McDonald via samba"
<samba@xxxxxxxxxxxxxxx <mailto:samba@xxxxxxxxxxxxxxx>> wrote:
I'm running a Samba AD 4.7.4 and cannot set a new password
for a user with an expired password during login from a
Windows PC. Changing a password from inside a login with
cntl-alt-del "change password" works ok.
I've already decreased the minimum password age to 0
samba-tool domain passwordsettings show
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
My Samba install is brand new and the Windows PC is a clean
test PC. I'm running on Ubuntu 16.04.3 and had to compile
from source Samba 4.7.4 after compiling from source krb5
1.15.2. All other build dependencies came from default Ubuntu
# Global parameters
dns forwarder = xxx.xxx.xxx.xxx
netbios name = DCNAME
realm = DOMAINNAME.DOMAIN.COM
server role = active directory domain controller
workgroup = DOMAINNAME
idmap_ldb:use rfc2307 = yes
log level = 5
read only = No
path = /usr/local/samba/var/locks/sysvol
read only = No
To unsubscribe from this list go to the following URL and
To unsubscribe from this list go to the following URL and read the