Samba4: Changing a user's passwd via LDAP

Zahari Zahariev zahari.zahariev at gmail.com
Fri Aug 20 08:45:08 MDT 2010


Hi Lukasz,

For the last question you pose -- yes, this is the exact desired
behavior. If you have no admin rights you should be providing the old
password.

On 8/20/10, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
> On 08/20/2010 12:57 PM, Michael Wood wrote:
>> Hi
>>
>> I need to provide a web-based interface for users to change their
>> passwords in Samba4.  Is LDAP the best option?
>>
>> Should the following work?
>>
>> http://support.microsoft.com/kb/269190
>>
>> I tried using ldapmodify with the following ldif:
>>
>> dn: CN=user,CN=Users,DC=my,DC=realm
>> changetype: modify
>> add: unicodePwd
>> unicodePwd: "NewPassword"
>> -
>> delete: unicodePwd
>> unicodePwd: "OldPassword"
>> -
>>
>> Whether I use simple authentication with "ldapmodify -x -D
>> CN=user,CN=Users,DC=my,DC=realm -W ..." or first run "kinit user" and
>> then use "ldapmodify -Y gssapi ..." I get the following error:
>>
>> modifying entry "CN=user,CN=Users,DC=my,DC=realm"
>> ldap_modify: Insufficient access (50)
>> 	additional info: 00002098: insufficient access rights - error in
>> module acl: insufficient access rights (50)
>>
>> but perhaps that's not equivalent to the code in the KB article?
>>
>> I would appreciate any suggestions for how to do this, preferably from
>> Python, or if LDAP is not the best way, then I would appreciate it if
>> you could let me know what the best way is.
>>
>> I also tried "net password change", but was having trouble getting that to
>> work.
>>
>> I'm currently running "Version 4.0.0alpha12-GIT-6d97360" but I might
>> upgrade/reprovision soon.
>>
>> Thanks in advance.
>>
>
> Hi Michael,
> You might want to have a look at
> http://msdn.microsoft.com/en-us/library/cc223248%28v=PROT.10%29.aspx
> I have managed to set the password using ldap interface as an admin user
> and as normal user. Attached is proof-of-concept python script that
> allows you to do the password change as an admin
> (--set_password_asadmin) or as a user (--set_password_asuser)
> The script assumes that you have got the appropriate krb ticket before
> it's run.
>
> However, I have noticed a strange thing. Using the included script with
> kinit user1 at mydomain
> I have managed to change the password for userb - again it requires you to
> know the userb old password - is this intended behaviour?
>
> Regards
>
> Luk
>

-- 
Sent from my mobile device
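
Added example, not part of the original thread and not the script Lukasz attached: a Python sketch that builds the two LDIF forms discussed above, a user change (delete old value, add new value in one modify) and an admin reset (replace). It follows the Microsoft documentation linked in the thread, which defines the unicodePwd value as the password wrapped in double quotes and encoded as UTF-16LE; in LDIF such a binary value is written base64-encoded after `unicodePwd::`. The function names are hypothetical and the passwords are the constructed sample values from the quoted LDIF.

```python
import base64

SAMPLE_DN = "CN=user,CN=Users,DC=my,DC=realm"  # DN from the thread


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: the password in double quotes, as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def ldif_line(attr: str, value: bytes, binary: bool = False) -> str:
    """Emit 'attr: value', or base64 'attr:: value' when the bytes cannot be
    written as plain LDIF text (RFC 2849) or the caller marks them binary."""
    unsafe = (binary or any(b > 127 or b in (0, 10, 13) for b in value)
              or value[:1] in (b" ", b":", b"<") or value[-1:] == b" ")
    if unsafe:
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"


def user_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in a
    single modify, so the server can verify the old password."""
    return "\n".join([
        ldif_line("dn", dn.encode("utf-8")),
        "changetype: modify",
        "delete: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(old_password), binary=True),
        "-",
        "add: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(new_password), binary=True),
        "-",
        "",
    ])


def admin_reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a single replace, no old password needed."""
    return "\n".join([
        ldif_line("dn", dn.encode("utf-8")),
        "changetype: modify",
        "replace: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(new_password), binary=True),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample passwords, taken from the LDIF quoted in the thread.
    print(user_change_ldif(SAMPLE_DN, "OldPassword", "NewPassword"))
```

Microsoft's documentation requires an encrypted connection (TLS or a SASL-protected bind) for writes to unicodePwd. Pipe the generated LDIF to the LDAP client on stdin rather than writing it to disk, since it contains both passwords in a trivially reversible encoding.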

