I had a problem where one user could not login to our windows server 2012 computer. The error message that I got was:

The credentials are correct, but the host cannot log you on for another reason. Please check if your password has expired or contact your system administrator for assistance.

This was weird because I didn’t have a problem with other users. And this user was able to ssh into our linux computers and was able to login to the windows 7 computers we had in the lab.

After doing an ldapsearch on both this problem user and a working user, I found that the issue was that the problem user didn’t have a tag “sambaPwdLastSet”. I have no idea how this got deleted, but once I added it, everything was fine.

Here’s the file that I used to add this field.

[~] $ more add_passwd_set.ldif 
dn: uid=problemuser,ou=people,dc=accounting,dc=example,dc=com
changetype: modify
add: sambaPwdLastSet
sambaPwdLastSet: 1394631807

Then I just made the change with:

[~] $ ldapmodify -x -D "cn=root,dc=accounting,dc=example,dc=com" -W -Z -f add_passwd_set.ldif