Change Users Password From Command Line

Matthieu Patou mat at matws.net
Fri Mar 20 16:04:08 GMT 2009


Well, even if it's not solving problems and needs in the long run, I can provide 
a few vbs scripts that allow creating users from the command line.

Matthieu.


On 03/20/2009 03:53 PM, Sassy Natan wrote:
> Thank you and all the Samba Group for providing this pkg! :-)
>
> I Just love it, and I'm always amazed by the knowledge you have!
>
> Thanks for the help, I really mean it!
>
> However, I'm still fighting with the issue I have.
> I will try to rephrase my question:
>
> When changing user password using the NET utility - I get no error and
> the password does seem to be changed. However when trying to connect to the
> server share (\\server\netlogon) from my Windows XP machine (NOT PART OF THE
> DOMAIN - IT IS IN A WORKGROUP MODE) I'm asked to provide user name and
> password. So while providing the user name and password I have just changed,
> the user and password window just keeps repeating itself over and over again.
> In the samba4 log file (running in debug mode) I see this error : Failed to
> decrypt PA-DATA -- (enctype arcfour-hmac-md5) error Decrypt integrity check
> failed.
>
> While this user and password window is still open on my XP machine - I
> change the user password using kpasswd to the same password as in the
> NET utility and now the user can access.
>
> If the passwd db is the same for the whole system (LDAP, LDB etc.) then I'm
> not sure the NET utility is really doing something.
> It is worth mentioning that the same debug messages appear when using the net
> utility and the ADUC tool (which is working great).
>
> I also want to add that I'm quite sure that I used the same password in both
> cases!
>
> Where am I going wrong? Can you point me to more tests?
>
> Where is the password DB located?
>
> 10x again
>
> Have a nice weekend
>
> Sassy
>
>
>
> On Fri, Mar 20, 2009 at 10:19 AM, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Thu, 2009-03-19 at 21:55 +0200, Sassy Natan wrote:
>>      
>>> Dear Group
>>>
>>> I have been fighting with this for the whole day and I was wondering if
>>> someone can provide some help.
>>>
>>> I have managed to change user password from the command line using the net
>>> command like this:
>>>
>>> "net password set --realm=Home.Local --user=administrator%pasword username"
>>>
>>> This however doesn't seem to affect the user password since when running
>>> samba (alpha5) in debug mode I'm getting this error:
>>>
>>> Kerberos: Failed to decrypt PA-DATA -- (enctype arcfour-hmac-md5) error
>>> Decrypt integrity check failed
>>>        
>> I'm not quite sure what's going on here - it looks simply like you
>> changed the password to something different to what you are then trying
>> to authenticate as.
>>
>>      
>>> So I moved to the kerberos admin utility (heimdal-clients package in debian)
>>> and changed the user password using the /usr/bin/kpasswd command
>>>
>>> Then I got an error that the Kerberos KEY was expired - see also
>>>
>>>        
>> http://www.nabble.com/samba4-Kerberos-server-and-linux-computers-td21412540.html
>>      
>>> So I changed pwdLastSet to current date and then WALLA password was changed
>>> and I managed to log in with the username to my share (\\DC\Netlogon).
>>>        
>> You must be running an old install, and, like Matthieu, have been very
>> helpful in finding bugs that only show up after a period of time.
>>
>> This failure is one of the issues I hope to work on soon (I've been
>> distracted on other tasks for the moment).
>>
>>      
>>> the command was:
>>> kpasswd --admin-principal=Administrator@HOME.LOCAL username@HOME.LOCAL
>>>
>>>
>>> I have 2 questions in mind:
>>>
>>> 1. What is the purpose of the --kerberos in the net command utility. Does it
>>> change also the password in the kerberos DB? if so what is the correct
>>> syntax. No matter what I enter i'm getting an error.
>>>        
>> The --kerberos option selects if the authentication method (to prove to
>> the server that you are an administrator, and therefore permitted to
>> reset the password) is to use Kerberos or not.  There is only one
>> password database in Samba, and all calls to set the password change the
>> same database.
>>
>>      
>>> 2. Why is the kadmin utility not working? Is there any way to change user
>>> password both in samba4,ldap,kerberos same as in the ADUC - Active Directory
>>> Users and Computers?
>>>        
>> We do not implement the Heimdal kadmin protocol, only the interfaces
>> provided by AD.   Changing the password with any tool changes the
>> password for all protocols (we only store it once, in LDB).
>>
>> I hope this helps, and thank you for trying Samba4!
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>> Samba Developer, Red Hat Inc.
>>
>>      
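
The "Failed to decrypt PA-DATA ... Decrypt integrity check failed" line quoted in this thread is what a KDC logs when the encrypted pre-authentication timestamp does not verify under the key it has stored. The sketch below is an added example, not code from the thread or from Samba/Heimdal: it follows the RFC 4757 arcfour-hmac-md5 scheme, and the two 16-byte keys, the timestamp bytes and the function names are constructed stand-ins (real keys are the NT hash of each password, real PA-DATA is DER-encoded).

```python
import hashlib, hmac, os, struct

PA_ENC_TIMESTAMP_USAGE = 1  # Kerberos key usage number for PA-ENC-TIMESTAMP

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (same function encrypts and decrypts)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key, plaintext, usage=PA_ENC_TIMESTAMP_USAGE):
    """Client side: checksum(16) || RC4(confounder(8) || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext
    checksum = hmac_md5(k1, data)
    return checksum + rc4(hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key, blob, usage=PA_ENC_TIMESTAMP_USAGE):
    """KDC side: decrypt, then verify the HMAC over the recovered plaintext."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, ciphertext = blob[:16], blob[16:]
    data = rc4(hmac_md5(k1, checksum), ciphertext)
    if not hmac.compare_digest(hmac_md5(k1, data), checksum):
        raise ValueError("Decrypt integrity check failed")
    return data[8:]  # strip the confounder

def kdc_preauth(stored_key: bytes, pa_data: bytes) -> str:
    """Hypothetical helper: report the outcome the way the KDC log line does."""
    try:
        rc4_hmac_decrypt(stored_key, pa_data)
        return "pre-auth ok"
    except ValueError as err:
        return f"Failed to decrypt PA-DATA -- {err}"

# Constructed stand-ins: real keys are the NT hash of each password.
STORED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TYPED_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
TIMESTAMP = b"20090320160408Z"  # constructed; real PA-DATA is DER-encoded
```

A failure here only shows that the key the KDC holds differs from the one derived from the typed password; it does not say which side is stale.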


