The user password has expired but the user can still log in on a Windows client?

UCS follows two different concepts here. The password expiry date in OpenLDAP
can be set per user, whereas the password settings in Samba 4 apply
domain-wide, as is usual in Active Directory. That is why the two
settings cannot be synchronized. This sometimes raises the following question:

The user password has expired but the user can still log in on a Windows client?

The following may be causing the problem:

  • Have you set a password expiry in Samba 4? You can check the settings with the following command:
samba-tool domain passwordsettings show

Password informations for domain 'DC=sunshine,DC=local'
Password complexity: off
Store plaintext passwords: off
Password history length: 3
Minimum password length: 6
Minimum password age (days): 0
Maximum password age (days): 0
Account lockout duration (mins): 0
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

If no maximum password age is set in Samba but a password expiry interval is set in OpenLDAP, some authentication routines will stop working once the password has expired, while the login on Windows still works.

  • Have you recently changed the password expiry interval in LDAP? You can check the settings with the following command:

udm policies/pwhistory list
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=sunshine,dc=local
ARG: None
ldapFilter: None
name: default-settings
length: 3
expiryInterval: 70
pwQualityCheck: None
pwLength:

Samba applies such a change immediately when you increase the password expiry interval. In LDAP, by contrast, the expiry date is calculated from the value that was in effect when the user last changed his password.
Because of this different behaviour, the password is already expired in LDAP and the user is asked to change it in the UMC, but Windows does not ask for a password change.
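The following shell script is an added example (not part of the original article or of UCS) that parses the two outputs shown above and reports the mismatch described in this article, namely an expiry interval in the LDAP pwhistory policy while Samba 4 has no maximum password age. The sample outputs embedded in it are constructed from the values shown on this page; on a real DC you would pipe in the live output of `samba-tool domain passwordsettings show` and `udm policies/pwhistory list` instead.

```shell
#!/bin/sh
# Added check (not from the UCS article): compare the Samba 4 maximum
# password age with the LDAP pwhistory expiryInterval and flag the case
# the article describes (LDAP expires passwords, Samba never does).

# Pull "Maximum password age (days): N" out of samba-tool output on stdin.
samba_max_age() {
    sed -n 's/^Maximum password age (days): *\([0-9][0-9]*\).*/\1/p'
}

# Pull "expiryInterval: N" out of udm policies/pwhistory output on stdin.
udm_expiry_interval() {
    sed -n 's/^ *expiryInterval: *\([0-9][0-9]*\).*/\1/p'
}

# Returns 0 if both sides agree, 1 for the mismatch from the article
# (LDAP > 0, Samba 0), 2 if both expire but after a different number of days.
check_expiry() {
    samba="${1:-0}"; ldap="${2:-0}"
    if [ "$ldap" -gt 0 ] && [ "$samba" -eq 0 ]; then
        echo "MISMATCH: LDAP expires passwords after $ldap days, Samba never (max age 0)"
        return 1
    elif [ "$samba" -ne "$ldap" ]; then
        echo "DIFFER: Samba max age $samba days, LDAP expiryInterval $ldap days"
        return 2
    elif [ "$samba" -eq 0 ]; then
        echo "OK: neither side expires passwords"
    else
        echo "OK: both sides expire passwords after $samba days"
    fi
}

# Constructed sample output with the article's values; on a real DC replace
# these with `samba-tool domain passwordsettings show` and `udm policies/pwhistory list`.
samba_sample() {
cat <<'EOF'
Password informations for domain 'DC=sunshine,DC=local'
Maximum password age (days): 0
Account lockout threshold (attempts): 0
EOF
}
udm_sample() {
cat <<'EOF'
DN: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=sunshine,dc=local
  length: 3
  expiryInterval: 70
EOF
}

check_expiry "$(samba_sample | samba_max_age)" "$(udm_sample | udm_expiry_interval)" || echo "exit status: $?"
```

With the article's values (Samba 0, LDAP 70) the script prints the MISMATCH line and exits with status 1, which is the situation in which the UMC asks for a new password while Windows does not.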
