Setting password on NT PDC using Samba w/admin rights

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Dec 14 18:27:10 GMT 1999


rpcclient has two methods to do this.  hmmm... one of them has a bug!!!!
:-)  i put in some new error checking and it's working very well :-) :-)

On Tue, 14 Dec 1999, Ryan Russell wrote:

> Howdy.  I hope I'm not asking a stupid question that everyone but me
> knows the answer to.  I've done a bit of web searching, archive searching,
> and poking around the source, so I hope I've done my due diligence.
> 
> Here's what I'm basically trying to accomplish:
> 
> I want to reset the passwords of NT users in one of our domains from
> a *nix box.  Obviously, I've looked at smbpasswd.  That works well
> if the old password is known.  I'm looking at the situation where an
> admin doesn't know the old password, but they themselves have the
> right to change passwords for everyone.  Just to be explicit, the PDC
> is a Windows NT machine, and there is no local smbpasswd file
> on the unix machine that I'm concerned about.
> 
> Poking around in the source, I see remote_password_change
> ultimately calls:
> 
>         if(!cli_oem_change_password(&cli, user_name, new_passwd, old_passwd)) {
>                 slprintf(err_str, err_str_len-1,
>                          "machine %s rejected the password change: Error was : %s.\n",
>                          remote_machine, cli_errstr(&cli) );
>                 cli_shutdown(&cli);
>                 return False;
>         }
> 
> after some cli setup.  The cli setup prototype looks promising:
> 
> BOOL cli_session_setup(struct cli_state *cli,
>                        char *user,
>                        char *pass, int passlen,
>                        char *ntpass, int ntpasslen,
>                        char *workgroup);
> 
> However, digging deeper shows that the cli_oem_change_password function
> maps to the SamOEMChangePassword call, which is documented in
> Paul Leach's CIFS draft.  That call explicitly calls for both an old and new
> password, so I assume that I can't use that call, no matter how privileged an
> account I give in the cli_session_setup call.
> 
> I also notice rpcclient, which looks promising.  However, the parts I need
> don't seem to be implemented on *nix yet.  A nice bonus for my project would be
> to be able to pull a user list from a *nix Samba client.  By way of vote, I'd
> like to see rpcclient renamed net, eventvwr, etc.  As someone familiar with
> both NT and unix in general, I completely missed the purpose of rpcclient for
> a few days, I think mostly because of the name.  Symlinks and checking argv[0]
> would be just fine... just something that would make my brain click when I saw
> the names in the directory.
> 
> So, does there exist a way to do what I want?  Is the appropriate call buried
> elsewhere in Samba?  Does rpcclient need to get farther along first?  If what
> I want doesn't exist quite yet, is there any chance that a newbie to the Samba
> project would be able to contribute in these areas?  (Not asking whether code
> contributions would be accepted... asking if there's any chance I'd be able to
> figure out what needs to be written.)
> 
> Thanks for any help you can provide.
> 
>                               Ryan