[Samba] Samba AD changing a user's password as non-root user

Denis Cardon denis.cardon at tranquil-it-systems.fr
Wed Apr 15 10:27:15 MDT 2015 

Hi Roel,

> I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a
> way to change the password of a user from the command line, as a
> non-root user.
>
> I know I can use 'smbpasswd', 'samba-tool user setpassword', or
> 'samba-tool user password', but these all seem to require root
> privileges. When I run them as root, they work, but when I run them as
> non-root user, I get:
>
>   user1a at test-s4ad:~$ smbpasswd -U dago
>   Old SMB password:
>   New SMB password:
>   Retype new SMB password:
>   SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was
> 127.0.0.1, but LANMAN password changes are disabled
>
> or
>
>   user1a at test-s4ad:~$ samba-tool user password -U dago
>   Password for [S4\dago]:
>   New Password:
>   Retype Password:
>   ERROR: Failed to change password : samr_ChangePasswordUser3 for
> 'S4\dago' failed: NT_STATUS_ACCESS_DENIED
>
> So, is there a possibility to change the password of one user with a
> commandline tool run by another user (provided he has the old password,
> of course)?

you can use the kpasswd command, it should do what you want.

Cheers,

Denis


>
> Thanks a lot,
>
> Roel
>
>
> PS: In case it matters, my (stripped down) smb.conf is:
>
>   [global]
>     workgroup = S4
>     realm = s4.local
>     netbios name = TEST-S4AD
>     server string = test-s4ad
>     server role = active directory domain controller
>     server role check:inhibit = yes
>     server services = s3fs rpc wrepl ldap cldap kdc drepl winbind
> ntp_signd kcc dnsupdate dns
>     security = auto
>     idmap_ldb:use rfc2307 = yes
>     interfaces = 192.168.3.3/24 127.255.255.255/8
>     bind interfaces only = Yes
>     hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom
>
>     dns forwarder = 127.0.0.2
>
> I've already tried adding:
>
>     lanman auth = Yes
>     client lanman auth = Yes
>
> but that didn't change anything.

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

More information about the samba mailing list