[Samba] Samba AD changing a user's password as non-root user
Roel van Meer
roel at 1afa.com
Tue Apr 14 09:30:25 MDT 2015
Hi!
I'm using Samba in an AD setup (version 4.2.0), and I'm looking for a way to
change the password of a user from the command line, as a non-root user.
I know I can use 'smbpasswd', 'samba-tool user setpassword', or 'samba-tool
user password', but these all seem to require root privileges. When I run
them as root, they work, but when I run them as a non-root user, I get:
user1a@test-s4ad:~$ smbpasswd -U dago
Old SMB password:
New SMB password:
Retype new SMB password:
SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was 127.0.0.1, but LANMAN password changes are disabled
or
user1a@test-s4ad:~$ samba-tool user password -U dago
Password for [S4\dago]:
New Password:
Retype Password:
ERROR: Failed to change password : samr_ChangePasswordUser3 for 'S4\dago' failed: NT_STATUS_ACCESS_DENIED
So, is there a possibility to change the password of one user with a
command-line tool run by another user (provided he has the old password, of
course)?
Thanks a lot,
Roel
PS: In case it matters, my (stripped down) smb.conf is:
[global]
workgroup = S4
realm = s4.local
netbios name = TEST-S4AD
server string = test-s4ad
server role = active directory domain controller
server role check:inhibit = yes
server services = s3fs rpc wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns
security = auto
idmap_ldb:use rfc2307 = yes
interfaces = 192.168.3.3/24 127.255.255.255/8
bind interfaces only = Yes
hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom
dns forwarder = 127.0.0.2
I've already tried adding:
lanman auth = Yes
client lanman auth = Yes
but that didn't change anything.