[Samba] Allow self password change using LDAP(s) with Samba4

Roel van Meer roel at 1afa.com
Thu Jan 7 09:12:03 UTC 2016

Hi Juan,

you can use the 'kpasswd' utility:

  kpasswd user at YOUR.REALM

It can be run as unprivileged user.
It first prompts you for your old password and the twice for the new  



Juan Asensio Sánchez writes:

> Hi all
> I am trying to create a webapp to allow users to change their own passwords
> in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify
> the user password using this code:
> dn: ........
> changetype: modify
> replace: unicodePwd
> unicodePwd: "Temporal2"
> I get this error:
> 0x32 (Insufficient access; error in module acl: insufficient access rights
> during LDB_MODIFY (50))
> If I change the code, deleting the old password, and adding the new one:
> dn: ........
> changetype: modify
> delete: unicodePwd
> unicodePwd: "Temporal1"
> -
> add: unicodePwd
> unicodePwd: "Temporal2"
> Then I get this error:
> #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set
> the NT hash password directly']
> The ldapmodify are executed using the self user credentials, i wouldn't
> like to use the administrator account. Is this possible? Do I have to
> change some settings in Samba4?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list