Change Users Password From Command Line

Sassy Natan sassyn at gmail.com
Fri Mar 20 12:53:53 GMT 2009


Thank you and all the Samba Group for providing this pkg! :-)

I just love it, and I'm always amazed by the knowledge you have!

Thanks for the help, I really mean it!

However, I am still fighting with the issue I have.
I will try to rephrase my question:

When changing a user's password using the NET utility, I get no error and
the password does seem to be changed. However, when trying to connect to the
server share (\\server\netlogon) from my Windows XP machine (NOT PART OF THE
DOMAIN - IT IS IN WORKGROUP MODE), I'm asked to provide a user name and
password. When I provide the user name and the password I have just changed,
the user and password window just repeats itself over and over again.
In the samba4 log file (running in debug mode) I see this error: Failed to
decrypt PA-DATA -- (enctype arcfour-hmac-md5) error Decrypt integrity check
failed.

While this user and password window is still open on my XP machine, I
change the user's password using kpasswd to the same password as in the
NET utility, and now the user can access.

If the passwd db is the same for the whole system (LDAP, LDB, etc.) then I'm
not sure the NET utility is really doing something.
It is worth mentioning that the same debug messages appear when using the net
utility and the ADUC tool (which works great).

I also want to add that I'm quite sure that I used the same password in both
cases!

Where am I going wrong? Can you point me to more tests?

Where is the password DB located?

10x again

Have a nice weekend

Sassy



On Fri, Mar 20, 2009 at 10:19 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Thu, 2009-03-19 at 21:55 +0200, Sassy Natan wrote:
> > Dear Group
> >
> > I have been fighting with this for the whole day and I was wondering if
> > someone can provide some help.
> >
> > I have managed to change a user's password from the command line using
> > the net command like this:
> >
> > "net password set --realm=Home.Local --user=administrator%pasword username"
> >
> > This however doesn't seem to affect the user password since when running
> > samba (alpha5) in debug mode I'm getting this error:
> >
> > Kerberos: Failed to decrypt PA-DATA -- (enctype arcfour-hmac-md5) error
> > Decrypt integrity check failed
>
> I'm not quite sure what's going on here - it looks simply like you
> changed the password to something different to what you are then trying
> to authenticate as.
>
> > So I moved to the Kerberos admin utility (heimdal-clients package in
> > Debian) and changed the user password using the /usr/bin/kpasswd command.
> >
> > Then I got an error that the Kerberos KEY was expired - see also
> >
> > http://www.nabble.com/samba4-Kerberos-server-and-linux-computers-td21412540.html
> >
> > So I changed pwdLastSet to the current date and then WALLA the password
> > was changed and I managed to log in with the username to my share
> > (\\DC\Netlogon).
>
> You must be running an old install, and like Matthieu have been very
> helpful in finding bugs that only show up after a period of time.
>
> This failure is one of the issues I hope to work on soon (I've been
> distracted on other tasks for the moment).
>
> > the command was:
> > kpasswd --admin-principal=Administrator@HOME.LOCAL username@HOME.LOCAL
> >
> >
> > I have 2 questions in mind:
> >
> > 1. What is the purpose of the --kerberos option in the net command
> > utility? Does it also change the password in the Kerberos DB? If so, what
> > is the correct syntax? No matter what I enter I'm getting an error.
>
> The --kerberos option selects if the authentication method (to prove to
> the server that you are an administrator, and therefore permitted to
> reset the password) is to use Kerberos or not.  There is only one
> password database in Samba, and all calls to set the password change the
> same database.
>
> > 2. Why is the kadmin utility not working? Is there any way to change a
> > user's password in all of samba4, ldap and kerberos, the same as in the
> > ADUC - Active Directory Users and Computers?
>
> We do not implement the Heimdal kadmin protocol, only the interfaces
> provided by AD.   Changing the password with any tool changes the
> password for all protocols (we only store it once, in LDB).
>
> I hope this helps, and thank you for trying Samba4!
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Red Hat Inc.
>
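
Added example (not from the original message and not Samba code): the arcfour-hmac-md5 pre-authentication check from RFC 4757 in Python, showing why a client key derived from a password other than the one stored for the account yields "Decrypt integrity check failed". Function names, passwords and timestamp bytes are constructed for illustration; key usage 1 is the PA-ENC-TIMESTAMP usage from RFC 4120.

```python
import hmac, os, struct

M = 0xFFFFFFFF
ROUNDS = (  # per MD4 round: message-word order, rotate counts, additive constant
    (list(range(16)), (3, 7, 11, 19), 0),
    ([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
    ([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1))

def md4(msg):  # RFC 1320 in pure Python; hashlib may lack MD4 under OpenSSL 3
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg += b"\x80" + b"\0" * ((55 - len(msg)) % 64) + struct.pack("<Q", len(msg) * 8)
    for off in range(0, len(msg), 64):
        x, (a, b, c, d) = struct.unpack("<16I", msg[off:off + 64]), h
        for r, (order, shifts, const) in enumerate(ROUNDS):
            for i, k in enumerate(order):
                f = ((b & c) | (~b & d), (b & c) | (b & d) | (c & d), b ^ c ^ d)[r]
                t, s = (a + f + x[k] + const) & M, shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & M, b, c
        h = [(v + w) & M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4(key, data):
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 255
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for byte in data:  # keystream XOR
        i = (i + 1) & 255
        j = (j + s[i]) & 255
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 255])
    return bytes(out)

def nt_key(password):  # arcfour-hmac-md5 long-term key: MD4 of the UTF-16LE password
    return md4(password.encode("utf-16-le"))

def seal(key, usage, plaintext):  # client side: checksum || RC4(confounder + data)
    k1 = hmac.digest(key, struct.pack("<I", usage), "md5")
    data = os.urandom(8) + plaintext
    cksum = hmac.digest(k1, data, "md5")
    return cksum + rc4(hmac.digest(k1, cksum, "md5"), data)

def unseal(key, usage, blob):  # KDC side, using the key stored for the account
    k1 = hmac.digest(key, struct.pack("<I", usage), "md5")
    data = rc4(hmac.digest(k1, blob[:16], "md5"), blob[16:])
    if not hmac.compare_digest(hmac.digest(k1, data, "md5"), blob[:16]):
        raise ValueError("Decrypt integrity check failed")
    return data[8:]
```

Sealing with nt_key("Secret1") and unsealing with nt_key("Secret2") raises the error text seen in the log above; matching passwords return the timestamp bytes.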

