[Samba] Samba AD changing a user's password as non-root user

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 15 07:44:14 MDT 2015


On 14/04/15 16:30, Roel van Meer wrote:
> Hi!
>
> I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a 
> way to change the password of a user from the command line, as a 
> non-root user.
>
> I know I can use 'smbpasswd', 'samba-tool user setpassword', or 
> 'samba-tool user password', but these all seem to require root 
> privileges. When I run them as root, they work, but when I run them as 
> non-root user, I get:
>
>  user1a@test-s4ad:~$ smbpasswd -U dago
>  Old SMB password:
>  New SMB password:
>  Retype new SMB password:
>  SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was 127.0.0.1, but LANMAN password changes are disabled
>
> or
>
>  user1a@test-s4ad:~$ samba-tool user password -U dago
>  Password for [S4\dago]:
>  New Password:
>  Retype Password:
>  ERROR: Failed to change password : samr_ChangePasswordUser3 for 'S4\dago' failed: NT_STATUS_ACCESS_DENIED
>
> So, is there a possibility to change the password of one user with a 
> commandline tool run by another user (provided he has the old 
> password, of course)?
>
> Thanks a lot,
>
> Roel
>
>
> PS: In case it matters, my (stripped down) smb.conf is:
>
>  [global]
>    workgroup = S4
>    realm = s4.local
>    netbios name = TEST-S4AD
>    server string = test-s4ad
>    server role = active directory domain controller
>    server role check:inhibit = yes
>    server services = s3fs rpc wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns
>    security = auto
>    idmap_ldb:use rfc2307 = yes
>    interfaces = 192.168.3.3/24 127.255.255.255/8
>    bind interfaces only = Yes
>    hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom
>
>    dns forwarder = 127.0.0.2
>
> I've already tried adding:
>
>    lanman auth = Yes
>    client lanman auth = Yes
>
> but that didn't change anything.

The problem here is you seem to be asking for two different things, 
change a user's password & reset a user's password. You might think they 
are the same thing, but in AD land they are different. To reset a user's 
password, you need the user's old password and the new one, but to change 
a user's password you just need the user's new password. I have a script 
that will change a user's password, but it will not reset it.

Rowland

