Hi all,

We have come across a strange scenario with a Samba DC master and Windows 10 clients.

- Clients CAN change their password if the password is not expired (via CTRL+ALT+DEL in the Windows client).
- Clients cannot change their password at login time if the password is expired (i.e. login after the password expiry), or if the user is set to change password on next login.

At this point, Windows asks for a password change, and we did so. Windows still tells us the password is expired and keeps asking for a password. Even though we input an incorrect old password, the system still keeps asking us for a new password instead of saying the password is incorrect. The password is NOT updated, nor is the last password change time.

Doing some deeper searching, we found this in mit_kdc.log:

    LinuxFS.CCC-Cxxxx krb5kdc[53584](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.2.205: UNKNOWN_REASON: 4662xx@CCC for kadmin/changepw@CCC, Password has expired

This line keeps repeating as we try to change the password via login on Windows.
Here is our testparm:

    [global]
        apply group policies = Yes
        dns forwarder = 8.8.8.8
        logon script = public.bat
        passdb backend = samba_dsdb
        realm = CCC.LOCAL
        server role = active directory domain controller
        workgroup = CCC
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config * : backend = tdb
        map acl inherit = Yes
        map archive = No
        vfs objects = dfs_samba4 acl_xattr recycle

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

    [netlogon]
        path = /var/lib/samba/sysvol/ccc.local/scripts
        read only = No

    [user]
        path = /home/data/user/
        read only = No

    [public]
        path = /home/data/public
        read only = No

Thanks very much for your help.
Is this any different with the default Heimdal KDC?