> if you enable the ldap/(opendirectory) option to "require user to change > password on next login" the client is unable to connect.
FreeRADIUS doesn't support password changes via MSCHAP. Historically, Samba didn't even support it until a couple of years ago. I believe support for this functionality was added to Samba 3.0.24 using a new helper protocol called ntlm-change-password-1. I posted something to the list asking if there was interest quite a while ago. Implementing this new helper protocol is not a trivial change to FreeRADIUS. Unfortunately, I haven't had enough free time to devote to implementing it yet. If you have the time to create the patch, I'll be one of the testers ;-) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html