[Samba] Change user Password with smbpasswd

Stefan Kania stefan at kania-online.de
Tue Jan 19 17:24:00 UTC 2016 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"samba-tool user setpassword" works fine, but I don't want all
"normal" Users to connect to the Domaincontroller to change their
password. So I tried it with smbpasswd as it was mentioned in many
places. I know that smbpasswd is normaly for NT-Domains but somehow
also an AD-User must be able to change his password. passwd is also
not working as I read in the other thread in this list.
I normaly provide a web-base solution for changing Password, but there
should be a way to change the password on the commandline.
Here you see an output with debuglevel set to 4:
- ------------------------
EXAMPLE\stefan at sambabuch-c1:~$ smbpasswd -D 4 -r $(nslookup
_ldap._tcp.dc._msdcs.example.net | awk '{print $2;exit;}')
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384
)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = example
doing parameter realm = EXAMPLE.NET
doing parameter security = ADS
doing parameter winbind refresh tickets = Yes
doing parameter template shell = /bin/bash
doing parameter idmap config * : range = 10000 - 19999
doing parameter idmap config EXAMPLE : backend = rid
doing parameter idmap config EXAMPLE : range = 1000000 - 1999999
doing parameter interfaces = 192.168.56.41
doing parameter bind interfaces only = yes
doing parameter winbind offline logon = yes
doing parameter kerberos method = secrets and keytab
pm_process() returned Yes
added interface enp0s8 ip=192.168.56.41 bcast=192.168.56.255
netmask=255.255.255.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 192.168.56.11 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_SEAL
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
machine 192.168.56.11 rejected the password change: Error was : Wrong
Password.
- ------------------------
As far as I can see there is no Problem connecting the DC.

Stefan

Am 19.01.2016 um 18:03 schrieb Rowland penny:
> On 19/01/16 16:30, Stefan Kania wrote: Hello, I try to change a
> userpassword with smbpasswd. But I allway get an errormessage: 
> ----------- root at sambabuch-c1:~# smbpasswd -U EXAMPLE\\stefan -r
> `nslookup _ldap._tcp.dc._msdcs.example.net | awk '{print
> $2;exit;}'` Old SMB password: New SMB password: Retype new SMB
> password: machine 192.168.56.11 rejected the password change: Error
> was : Wrong Password. ----------- The Client is a valid Member of
> the Domain: ----------- root at sambabuch-c1:~# net ads testjoin Join
> is OK ----------- Everything else works inside the domain, only a
> user can't change his password. What's wrong?
> 
> 
> Stefan
> 
> 
>> 
> 
> It looks to me like you are trying to use an NT tool to change an
> AD password, have you tried 'samba-tool user setpasswd' instead.
> 
> It may help if you supply a bit more info, OS, Samba version,
> smb.conf etc
> 
> Rowland
> 



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlaecTAACgkQ2JOGcNAHDTa9FACaA49EVZHwnmLKTYSiDoAM4oIX
CBUAnAnY1BBfjq2u86eDiP5vN4qCCsw/
=Skan
-----END PGP SIGNATURE-----

More information about the samba mailing list