Change Users Password From Command Line

Sassy Natan sassyn at gmail.com
Fri Mar 20 15:57:08 GMT 2009


Here is a cut and paste from the log file:

Selected protocol [5][NT LM 0.12]
Received krb5 UDP packet of length 297 from 10.0.0.5:2213
Received KDC packet of length 293 from 10.0.0.5:2213
Kerberos: AS-REQ sassyn at home from 10.0.0.5 for krbtgt/home at home
gendb_search_v: DC=home,DC=local NULL -> 1
gendb_search_v: CN=Partitions,CN=Configuration,DC=home,DC=local
(ncName=DC=home,DC=local) -> 1
gendb_search_v: CN=Sassy Natan,OU=Users,OU=home,DC=home,DC=local NULL -> 1
gendb_search_v: DC=home,DC=local NULL -> 1
authsam_account_ok: Checking SMB password for user sassyn at home.LOCAL
gendb_search_v: DC=home,DC=local NULL -> 1
gendb_search_v: DC=home,DC=local NULL -> 1
logon_hours_ok: No hours restrictions for user sassyn at home.LOCAL
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- sassyn at home
Kerberos: Looking for ENC-TS pa-data -- sassyn at home
Kerberos: Failed to decrypt PA-DATA -- sassyn at home (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- sassyn at home
Received krb5 UDP packet of length 300 from 10.0.0.5:2214
Received KDC packet of length 296 from 10.0.0.5:2214
Kerberos: AS-REQ sassyn at home from 10.0.0.5 for krbtgt/home at home
gendb_search_v: DC=home,DC=local NULL -> 1
gendb_search_v: CN=Partitions,CN=Configuration,DC=home,DC=local
(ncName=DC=home,DC=local) -> 1
gendb_search_v: CN=Sassy Natan,OU=Users,OU=home,DC=home,DC=local NULL -> 1
gendb_search_v: DC=home,DC=local NULL -> 1
authsam_account_ok: Checking SMB password for user sassyn at home.LOCAL
gendb_search_v: DC=home,DC=local NULL -> 1
gendb_search_v: DC=home,DC=local NULL -> 1
logon_hours_ok: No hours restrictions for user sassyn at home.LOCAL
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- sassyn at home
Kerberos: Looking for ENC-TS pa-data -- sassyn at home
Kerberos: Failed to decrypt PA-DATA -- sassyn at home (enctype
arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- sassyn at home
smbsrv_recv
Terminating connection - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
single_terminate: reason[NT_STATUS_END_OF_FILE]

Sassy


On Fri, Mar 20, 2009 at 2:53 PM, Sassy Natan <sassyn at gmail.com> wrote:

>  Thank you and all the Samba Group to provide this pkg! :-)
>
> I Just love it, and I'm always amazed by the knowledge you have!
>
> Thanks for the help, I really mean it!
>
> However, I'm still fighting with the issue I have.
> I will try to rephrase my question:
>
> When changing the user password using the NET utility - I get no error and
> the password does seem to be changed. However when trying to connect to the
> server share (\\server\netlogon) from my Windows XP machine (NOT PART OF
> THE DOMAIN - IT IS IN A WORKGROUP MODE) I'm asked to provide user name and
> password. So while providing the user name and password I have just changed,
> the user and password window just repeats itself over and over again.
> In the samba4 log file (running in debug mode) I see this error : Failed to
> decrypt PA-DATA -- (enctype arcfour-hmac-md5) error Decrypt integrity check
> failed.
>
> While this user and password window is still open on my XP machine - I
> change the user password using kpasswd to the same password as in the
> NET utility and now the user can access.
>
> If the passwd db is the same for the whole system (LDAP, LDB etc.) then I'm
> not sure the NET utility is really doing something.
> It is worth mentioning that the same debug messages appear when using the net
> utility and the ADUC tool (which works great).
>
> I also want to add that I'm quite sure that I used the same password in
> both cases!
>
> Where am I going wrong? Can you point me to more tests?
>
> Where is the password DB located?
>
> 10x again
>
> Have a nice weekend
>
> Sassy
>
>
>
> On Fri, Mar 20, 2009 at 10:19 AM, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Thu, 2009-03-19 at 21:55 +0200, Sassy Natan wrote:
>> > Dear Group
>> >
>> > I have been fighting with this for the whole day and I was wondering if
>> > someone can provide some help.
>> >
>> > I have managed to change user password from the command line using the
>> > net command like this:
>> >
>> > "net password set --realm=Home.Local --user=administrator%pasword username"
>> >
>> > This however doesn't seem to affect the user password since when running
>> > samba (alpha5) in debug mode I'm getting this error:
>> >
>> > Kerberos: Failed to decrypt PA-DATA -- (enctype arcfour-hmac-md5) error
>> > Decrypt integrity check failed
>>
>> I'm not quite sure what's going on here - it looks simply like you
>> changed the password to something different to what you are then trying
>> to authenticate as.
>>
>> > So I moved to the kerberos admin utility (heimdal-clients package in debian)
>> > and changed the user password using the /usr/bin/kpasswd command
>> >
>> > Then I got an error that the Kerberos KEY was expired - see also
>> > http://www.nabble.com/samba4-Kerberos-server-and-linux-computers-td21412540.html
>> >
>> > So I changed pwdLastSet to the current date and then WALLA the password was
>> > changed and I managed to log in with the username to my share
>> > (\\DC\Netlogon).
>>
>> You must be running an old install, and like Matthieu have been very
>> helpful in finding bugs that only show up after a period of time.
>>
>> This failure is one of the issues I hope to work on soon (I've been
>> distracted on other tasks for the moment).
>>
>> > the command was:
>> > kpasswd --admin-principal=Administrator at HOME.LOCAL username at HOME.LOCAL
>> >
>> >
>> > I have 2 questions in mind:
>> >
>> > 1. What is the purpose of the --kerberos in the net command utility? Does it
>> > also change the password in the kerberos DB? If so, what is the correct
>> > syntax? No matter what I enter I'm getting an error.
>>
>> The --kerberos option selects if the authentication method (to prove to
>> the server that you are an administrator, and therefore permitted to
>> reset the password) is to use Kerberos or not.  There is only one
>> password database in Samba, and all calls to set the password change the
>> same database.
>>
>> > 2. Why is the kadmin utility not working? Is there any way to change the user
>> > password in samba4, ldap, kerberos, the same as in the ADUC - Active Directory
>> > Users and Computers?
>>
>> We do not implement the Heimdal kadmin protocol, only the interfaces
>> provided by AD.   Changing the password with any tool changes the
>> password for all protocols (we only store it once, in LDB).
>>
>> I hope this helps, and thank you for trying Samba4!
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>> Samba Developer, Red Hat Inc.
>>
>
>
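
An added example, not part of the original thread or of Samba: a small Python triage script that pairs each "Failed to decrypt PA-DATA" line in a KDC debug log like the one above with the source address of the preceding AS-REQ, so repeated pre-authentication failures for one account stand out. The sample log is constructed from the lines in this message (wrapped lines rejoined, principals written "user at realm" as the archive shows them); the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the log in this message; "alice" and
# 10.0.0.9 are made-up values added to show a principal with no failure.
SAMPLE_LOG = """\
Kerberos: AS-REQ sassyn at home from 10.0.0.5 for krbtgt/home at home
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Failed to decrypt PA-DATA -- sassyn at home (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- sassyn at home
Kerberos: AS-REQ sassyn at home from 10.0.0.5 for krbtgt/home at home
Kerberos: Failed to decrypt PA-DATA -- sassyn at home (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- sassyn at home
Kerberos: AS-REQ alice at home from 10.0.0.9 for krbtgt/home at home
"""

# Accept both the archive's "user at realm" form and a literal "user@realm".
PRINC = r"(\S+(?: at |@)\S+)"
AS_REQ = re.compile(rf"Kerberos: AS-REQ {PRINC} from (\S+) for ")
# Only the line carrying the enctype is counted; the shorter repeat line that
# follows each failure in the log would otherwise double the totals.
FAILED = re.compile(
    rf"Kerberos: Failed to decrypt PA-DATA -- {PRINC} \(enctype ([\w-]+)\)"
)


def preauth_failures(log_text):
    """Count failed encrypted-timestamp pre-auths per (principal, source, enctype)."""
    last_source = {}      # principal -> source address of its latest AS-REQ
    failures = Counter()
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            last_source[m.group(1)] = m.group(2)
            continue
        m = FAILED.search(line)
        if m:
            principal, enctype = m.groups()
            source = last_source.get(principal, "unknown")
            failures[(principal, source, enctype)] += 1
    return failures


def repeated(failures, threshold=2):
    """Return the keys that failed at least `threshold` times, sorted."""
    return sorted(key for key, count in failures.items() if count >= threshold)


if __name__ == "__main__":
    for key in repeated(preauth_failures(SAMPLE_LOG)):
        print(*key)
```
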


More information about the samba-technical mailing list