Change Users Password From Command Line

Andrew Bartlett abartlet at samba.org
Fri Mar 20 08:19:04 GMT 2009


On Thu, 2009-03-19 at 21:55 +0200, Sassy Natan wrote:
> Dear Group
> 
> I have been fighting with this for the whole day and I was wondering if
> someone can provide some help.
> 
> I have managed to change user password from the command line using the net
> command like this:
> 
> "net password set --realm=Home.Local --user=administrator%pasword username"
> 
> This however doesn't seem to affect the user password since when running
> samba (alpha5) in debug mode I'm getting this error:
> 
> Kerberos: Failed to decrypt PA-DATA -- (enctype arcfour-hmac-md5) error
> Decrypt integrity check failed

I'm not quite sure what's going on here - it looks simply like you
changed the password to something different to what you are then trying
to authenticate as.

> So I moved to the kerberos admin utility (heimdal-clients package in Debian)
> and changed the user password using the /usr/bin/kpasswd command
> 
> Then I got an error that the Kerberos KEY was expired - see also
> http://www.nabble.com/samba4-Kerberos-server-and-linux-computers-td21412540.html
> 
> So I changed pwdLastSet to current date and then voilà, password was changed
> and I managed to log in with the username to my share
> (\\DC\Netlogon).

You must be running an old install and, like Matthieu, have been very
helpful in finding bugs that only show up after a period of time.

This failure is one of the issues I hope to work on soon (I've been
distracted on other tasks for the moment). 

> the command was:
> kpasswd --admin-principal=Administrator@HOME.LOCAL username@HOME.LOCAL
> 
> 
> I have 2 questions in mind:
> 
> 1. What is the purpose of the --kerberos in the net command utility? Does it
> also change the password in the kerberos DB? If so, what is the correct
> syntax? No matter what I enter I'm getting an error.

The --kerberos option selects if the authentication method (to prove to
the server that you are an administrator, and therefore permitted to
reset the password) is to use Kerberos or not.  There is only one
password database in Samba, and all calls to set the password change the
same database.

> 2. Why is the kadmin utility not working? Is there any way to change user
> password both in samba4, ldap, kerberos same as in the ADUC - Active Directory
> Users and Computers?

We do not implement the Heimdal kadmin protocol, only the interfaces
provided by AD.   Changing the password with any tool changes the
password for all protocols (we only store it once, in LDB). 

I hope this helps, and thank you for trying Samba4!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
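
The thread turns on pwdLastSet deciding whether a key counts as expired. The following is an added example, not code from this message or from Samba: it decodes pwdLastSet as a Windows FILETIME and evaluates expiry using the Active Directory attribute conventions. The maxPwdAge policy value, the userAccountControl flag and all sample values are assumptions constructed for illustration; Samba4 alpha5's own check is not shown in the thread.

```python
from datetime import datetime, timedelta, timezone

# AD conventions (assumed here): timestamps are 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x00010000   # userAccountControl bit
NEVER_EXPIRES = (0, -(2 ** 63))      # maxPwdAge values meaning "no expiry"


def filetime_to_datetime(ft):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> 100-ns ticks since 1601-01-01 UTC."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def password_state(pwd_last_set, max_pwd_age, uac, now):
    """Return (state, expiry); expiry is None when no deadline applies."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("valid", None)
    if pwd_last_set == 0:
        return ("must-change", None)
    if max_pwd_age in NEVER_EXPIRES:
        return ("valid", None)
    # maxPwdAge is stored as a negative interval, so subtracting adds the age.
    expiry = filetime_to_datetime(pwd_last_set - max_pwd_age)
    return ("expired" if now >= expiry else "valid", expiry)


# Constructed sample values (not taken from the thread).
NOW = datetime(2009, 3, 20, 8, 19, 4, tzinfo=timezone.utc)
NOW_FT = datetime_to_filetime(NOW)
MAX_AGE = -42 * 86400 * 10_000_000                 # hypothetical 42-day policy
STALE_FT = datetime_to_filetime(NOW - timedelta(days=60))

if __name__ == "__main__":
    for label, ft in (("stale pwdLastSet", STALE_FT), ("after reset", NOW_FT)):
        state, expiry = password_state(ft, MAX_AGE, 0, NOW)
        print(f"{label}: {state}, expires {expiry}")
```
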

More information about the samba-technical mailing list