Bug 14630 - User cannot change password after expired. Windows client keep saying User password is expired, but just can't change or update the password change time
Summary: User cannot change password after expired. Windows client keep saying User pa...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.12.11
Hardware: x64 Windows 10
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-02-03 05:50 UTC by Jason Chan
Modified: 2021-02-03 07:56 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Jason Chan 2021-02-03 05:50:34 UTC
Hi all,
We had come across a strange scenario for Samba DC Master with Windows 10 clients. 

 - Clients CAN change password if the password is not expired (via CTRL+ALT+DEL in Windows client)
 - Clients cannot change password at login time if the password is expired (i.e. login after the password expiry), or the user is set to change password on next login. At this point, the Windows will ask you for a password change and we did. And Windows still telling us the password is expired and keep repeating for asking password. Even tho we input an incorrect old password, the system still keep asking us for new password instead of saying the password is incorrect. Password is NOT updated, nor the last password change time is updated.

Doing some deeper search, we found out that in mit_kdc.log

LinuxFS.CCC-Cxxxx krb5kdc[53584](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) UNKNOWN_REASON: 4662xx@CCC for kadmin/changepw@CCC, Password has expired

And this line keeps repeating as we try to change password via login on Windows.

Here is our testparm:
        apply group policies = Yes
        dns forwarder =
        logon script = public.bat
        passdb backend = samba_dsdb
        realm = CCC.LOCAL
        server role = active directory domain controller
        workgroup = CCC
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config * : backend = tdb
        map acl inherit = Yes
        map archive = No
        vfs objects = dfs_samba4 acl_xattr recycle

        path = /var/lib/samba/sysvol
        read only = No

        path = /var/lib/samba/sysvol/ccc.local/scripts
        read only = No

        path = /home/data/user/
        read only = No

        path = /home/data/public
        read only = No

Thanks very much for your help.
Comment 1 Andrew Bartlett 2021-02-03 07:56:06 UTC
Is this any different with the default Heimdal KDC?