[Samba] Samba AD changing a user's password as non-root user

Roel van Meer roel at 1afa.com
Tue Apr 14 09:30:25 MDT 2015


I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a way to  
change the password of a user from the command line, as a non-root user.

I know I can use 'smbpasswd', 'samba-tool user setpassword', or 'samba-tool  
user password', but these all seem to require root privileges. When I run  
them as root, they work, but when I run them as non-root user, I get:

  user1a at test-s4ad:~$ smbpasswd -U dago
  Old SMB password:
  New SMB password:
  Retype new SMB password:
  SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was, but LANMAN password changes are disabled


  user1a at test-s4ad:~$ samba-tool user password -U dago
  Password for [S4\dago]:
  New Password:
  Retype Password:
  ERROR: Failed to change password : samr_ChangePasswordUser3 for 'S4\dago' failed: NT_STATUS_ACCESS_DENIED

So, is there a possibility to change the password of one user with a  
commandline tool run by another user (provided he has the old password, of  

Thanks a lot,


PS: In case it matters, my (stripped down) smb.conf is:

    workgroup = S4
    realm = s4.local
    netbios name = TEST-S4AD
    server string = test-s4ad
    server role = active directory domain controller
    server role check:inhibit = yes
    server services = s3fs rpc wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns
    security = auto
    idmap_ldb:use rfc2307 = yes
    interfaces =
    bind interfaces only = Yes
    hosts allow = LOCAL/unixdom

    dns forwarder =

I've already tried adding:

    lanman auth = Yes
    client lanman auth = Yes

but that didn't change anything.

More information about the samba mailing list