[Samba] Samba AD changing a user's password as non-root user

Andrey Repin anrdaemon at yandex.ru
Tue Apr 14 17:06:20 MDT 2015 

Greetings, Roel van Meer!

> I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a way to
> change the password of a user from the command line, as a non-root user.

> I know I can use 'smbpasswd', 'samba-tool user setpassword', or 'samba-tool  
> user password', but these all seem to require root privileges. When I run  
> them as root, they work, but when I run them as non-root user, I get:

>   user1a at test-s4ad:~$ smbpasswd -U dago
>   Old SMB password:
>   New SMB password:
>   Retype new SMB password:
>   SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was
> 127.0.0.1, but LANMAN password changes are disabled

> or

>   user1a at test-s4ad:~$ samba-tool user password -U dago
>   Password for [S4\dago]:
>   New Password:
>   Retype Password:
>   ERROR: Failed to change password : samr_ChangePasswordUser3 for 'S4\dago' failed: NT_STATUS_ACCESS_DENIED

> So, is there a possibility to change the password of one user with a  
> commandline tool run by another user (provided he has the old password, of  
> course)?

> Thanks a lot,

> Roel


> PS: In case it matters, my (stripped down) smb.conf is:

>   [global]
>     workgroup = S4
>     realm = s4.local
>     netbios name = TEST-S4AD
>     server string = test-s4ad
>     server role = active directory domain controller

Are you actually trying to do it on a domain controller?
Then this just won't work.

>     server role check:inhibit = yes
>     server services = s3fs rpc wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns
>     security = auto
>     idmap_ldb:use rfc2307 = yes
>     interfaces = 192.168.3.3/24 127.255.255.255/8
>     bind interfaces only = Yes
>     hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom

>     dns forwarder = 127.0.0.2

> I've already tried adding:

>     lanman auth = Yes
>     client lanman auth = Yes

> but that didn't change anything.


-- 
With best regards,
Andrey Repin
Wednesday, April 15, 2015 02:05:36

Sorry for my terrible english...

More information about the samba mailing list