Dec 21 2021

Note to self:

If a user cannot change his password on a Samba AD domain from a Windows (10) computer and gets the following error message:

Check that the user didn’t already change the password on the same day because the default setting for minimum password age is 1 (day). To change that setting, use samba-tool:

root:/root# samba-tool domain passwordsettings set --min-pwd-age=0
Minimum password age changed!
All changes applied successfully!

Note that Samba apparently does not support changing this setting (and other password policy settings) with the Windows Group Policy Editor.

To check these settings, also use samba-tool:

root:/root# samba-tool domain passwordsettings show
Password information for domain 'DC=ad,DC=example,DC=com'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

(Note that the above are not my actual password settings in a production environment but rather test settings to find out which settings caused the problem.)
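To confirm that the minimum password age is what blocks a particular user, the value from the output above can be compared with the account's pwdLastSet attribute. The script below is an added example, not part of the original note: the function names, the pwdLastSet value and the timestamps are constructed for illustration, and it assumes the attribute is read on the DC with something like `samba-tool user show <user> --attributes=pwdLastSet`.

```shell
#!/bin/sh
# Constructed sample input: the `passwordsettings show` output quoted in this note.
sample_settings() {
cat <<'EOF'
Password information for domain 'DC=ad,DC=example,DC=com'

Password complexity: off
Store plaintext passwords: off
Password history length: 0
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
EOF
}

# get_setting LABEL: read `show` output on stdin, print the value for LABEL.
get_setting() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# filetime_to_epoch PWDLASTSET: AD stores pwdLastSet as 100 ns ticks since
# 1601-01-01 UTC; convert it to Unix seconds.
filetime_to_epoch() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# change_blocked MIN_AGE_DAYS PWDLASTSET NOW_EPOCH
# Succeeds (exit 0) while the minimum password age has not yet elapsed.
# A pwdLastSet of 0 (must change at next logon) is never reported as blocked.
change_blocked() {
    last=$(filetime_to_epoch "$2")
    [ $(( $3 - $last )) -lt $(( $1 * 86400 )) ]
}

# Demo with constructed values: password set at Unix time 1640102400,
# the user tries to change it again one hour later.
min_age=$(sample_settings | get_setting 'Minimum password age (days)')
if change_blocked "$min_age" 132845760000000000 1640106000; then
    echo "blocked: minimum password age is ${min_age} day(s)"
fi
```

On a live system, pipe `samba-tool domain passwordsettings show` into get_setting instead of sample_settings and pass `$(date +%s)` as the current time.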

 Posted by on 2021-12-21 at 16:59