[Samba] Samba4 Users can not change their password using ctrl + alt + del


Nguyen Trung Hieu

Mar 17, 2014, 3:10:02 PM
Dear Samba team

In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!

I don't change any password policy (all are default!)

But when users logged on successfully, they *pressed ctrl + alt + del* in
order to change their passwords (new password included over 8 characters,
complexity...), but they failed

I also read this link:

https://lists.samba.org/archive/samba/2010-September/158171.html

Could you please help me?

Thanks so much!

Andrew Bartlett

Mar 17, 2014, 11:00:02 PM
On Sun, 2014-03-16 at 08:54 +0700, Nguyen Trung Hieu wrote:
> Dear Samba team
>
> In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
>
> I don't change any password policy (all are default!)
>
> But when users logged on successfully, they *pressed ctrl + alt + del* in
> order to change their passwords (new password included over 8 characters,
> complexity...), but they failed
>
> I also read this link:
>
> https://lists.samba.org/archive/samba/2010-September/158171.html
>
> Could you please help me?

What errors are shown on the client and in the server logs?

Andrew Bartlett


--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Günter Kukkukk

Mar 18, 2014, 12:20:01 AM
Am 18.03.2014 03:52, schrieb Andrew Bartlett:
> On Sun, 2014-03-16 at 08:54 +0700, Nguyen Trung Hieu wrote:
>> Dear Samba team
>>
>> In my lab: Windows XP/7/8 joined Samba4.1 AD DC OK!
>>
>> I don't change any password policy (all are default!)
>>
>> But when users logged on successfully, they *pressed ctrl + alt + del* in
>> order to change their passwords (new password included over 8 characters,
>> complexity...), but they failed
>>
>> I also read this link:
>>
>> https://lists.samba.org/archive/samba/2010-September/158171.html
>>
>> Could you please help me?
>
> What errors are shown on the client and in the server logs?
>
> Andrew Bartlett
>
>

When I test that here with a Win7 Ultimate box, I get on the Samba side:

kpasswdd: Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed.

In kpasswdd.c -> kpasswd_make_pwchange_reply(),
not all SAM_PWD_* enums are tested, so the switch/default case is taken.

Sorry, have no time to dig deeper with this one.

Cheers, Günter


Michał Półrolniczak

Mar 18, 2014, 2:40:02 AM
We are having the same problem, but in our case the client can change the
password 24h after the admin set the password for that account (and didn't
check "user need to change password"), even if the password policy is set
to 0 as minimum days for password.

vikas

Mar 24, 2014, 4:50:03 AM
Hi team !!

samba=4.1.5 AD DC
os=centos 6.3 64bit

Client= Windows 7 ultimate 32bit

User cannot change password using ctrl + alt + del after login; when they
try to change it they get *this <http://tinyurl.com/o683lr3>*: unable to
update the password....

samba-tool domain passwordsettings show

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 30
Maximum password age (days): 42

smb.conf
# Global parameters
[global]
workgroup = IK
realm = IK.LOCAL
netbios name = DC
server role = active directory domain controller
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/log.%u
log level = 3
printing = bsd
printcap name = /dev/null
syslog = 0
# include = /usr/local/samba/etc/smb.conf.client-%I
........truncated................

Also, I have waited 24 hrs as mentioned in the previous thread.

There is no log activity when the user is trying to change the password.

User can change password when we use "user can change the password at
next logon" using any kind of password like lee@321 lee@123, which
doesn't throw any complexity error...


regards
vikas

Michał Półrolniczak

Mar 24, 2014, 9:30:02 AM
Did you try to change the password after a full 24h?
In our case, even if the GPO was set to a minimum password age of 0,
some users had to wait 24h till the first password change.

Michał Półrolniczak

Mar 24, 2014, 10:00:01 AM
We are creating users without checking "you must change password on
next logon".
Then, when resetting/setting a new password, we don't check "need to change
password".
Then some users can change their password; others need to wait 24h.

vikas

Mar 24, 2014, 10:00:01 AM
Hi,

Just to avoid any confusion, I created a user with the name demo1 and kept
"user must change password at next login", and then I logged in with demo,
which prompted to change the password, which succeeded.
After 50 hrs I checked, but was still not able to change it.

Can you just tell me what steps you did to create the user? Like, did you
keep the check on "user must change password at next login", and what are
your password settings? So that I can reproduce the same.

regards.
vikas

Nguyen Trung Hieu

Mar 24, 2014, 12:10:03 PM
Dear all

Sorry for the late reply; my logs /var/log/messages and /var/log/samba/log.samba
show nothing.

I don't know how to debug, I'm sorry!

I also tested some other cases:

1. Using RSAT on Win7, Administrator reset the password (and also checked: User
must change password at next logon) of user u01

On another PC

test case 01:

u01 logs off (1st) and logs on --> u01 can still use the old password --> not OK
u01 logs off again (2nd) --> u01 cannot use the old password, must use
the new reset password

test case 02:

u01 runs the command gpupdate /force and logs off (1st), u01 can still use the
old password --> not OK

---------------------------------------------

in test case 01 + 02:

restart PC (1st), u01 must use the new reset password --> OK

Could you please help me troubleshoot this problem?

Thanks so much!

Nguyen Trung Hieu

Mar 24, 2014, 12:10:04 PM
The same problem is with disabling an account.

By the way, I know RHEL 7 also debugs samba4 for their product at this link:

https://bugzilla.redhat.com/buglist.cgi?component=samba&product=Red%20Hat%20Enterprise%20Linux%207

Is there collaboration between the Samba team and the Red Hat team on bug fixes?

I think it will help make Samba better.

Thanks all

vikas

Apr 1, 2014, 12:30:03 PM
Hi team,

For now it seems the issue is SOLVED

Samba 4.1.5
Centos 6.3 64bit

Compiled using the Samba How/To wiki

On Windows, clients can change the password only if the settings are like below

# samba-tool domain passwordsettings show
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 0     # if min age is set to 0 user can change password easily
Maximum password age (days): 42

# samba-tool domain passwordsettings show
Password complexity: off
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 30    # if min age is set to 30 user cannot change password even using toughest password
Maximum password age (days): 42

Also, as mentioned before, whether the user was created just now or 24 hrs ago
does not matter; all can change password if min-age is set to 0.

thanks @michal
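
Added example, not part of the original thread and not Samba code: the kpasswdd message quoted above does not say whether the minimum password age was the reason for the rejection, so this sketch parses `samba-tool domain passwordsettings show` output in the format posted here and computes when a user-initiated change becomes possible. It assumes the account's pwdLastSet value has been read from the directory; the function names and the sample timestamp are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Output format as posted in the thread (policy with a 30-day minimum age).
SAMPLE_SETTINGS = """\
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 5
Minimum password age (days): 30
Maximum password age (days): 42
"""

def parse_password_settings(text):
    """Parse `samba-tool domain passwordsettings show` output into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip(" *\t")  # drop remarks and list markup
        m = re.match(r"(.+?)\s*(?:\(days\))?:\s*(\S+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def filetime_to_datetime(filetime):
    """pwdLastSet is stored as 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def earliest_user_change(pwd_last_set, settings):
    """Return None if minimum age cannot block the change, else the unlock time."""
    min_age_days = int(settings["minimum password age"])
    # pwdLastSet == 0 is how "must change password at next logon" is stored.
    if pwd_last_set == 0 or min_age_days == 0:
        return None
    return filetime_to_datetime(pwd_last_set) + timedelta(days=min_age_days)

def can_change(pwd_last_set, settings, now):
    unlock = earliest_user_change(pwd_last_set, settings)
    return unlock is None or now >= unlock

if __name__ == "__main__":
    policy = parse_password_settings(SAMPLE_SETTINGS)
    last_set = datetime(2014, 3, 24, tzinfo=timezone.utc)  # constructed value
    ft = datetime_to_filetime(last_set)
    print("unlocks:", earliest_user_change(ft, policy))
    print("after 50 h:", can_change(ft, policy, last_set + timedelta(hours=50)))
```

With the 30-day policy, a password set on 2014-03-24 cannot be changed by the user after 50 hours, which matches what was reported above; with the minimum age at 0 or pwdLastSet at 0 the check never blocks.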