[Samba] Change user Password with smbpasswd

Rowland penny rpenny at samba.org
Tue Jan 19 18:38:37 UTC 2016


On 19/01/16 17:24, Stefan Kania wrote:
> "samba-tool user setpassword" works fine, but I don't want all
> "normal" Users to connect to the Domaincontroller to change their
> password.

Hang on, you don't want your users to connect to the place where their 
passwords are stored ????

> So I tried it with smbpasswd as it was mentioned in many
> places. I know that smbpasswd is normally for NT-Domains but somehow
> also an AD-User must be able to change his password. passwd is also
> not working as I read in the other thread in this list.
> I normally provide a web-based solution for changing Password, but there
> should be a way to change the password on the commandline.
> Here you see an output with debuglevel set to 4:
> ------------------------
> EXAMPLE\stefan@sambabuch-c1:~$ smbpasswd -D 4 -r $(nslookup _ldap._tcp.dc._msdcs.example.net | awk '{print $2;exit;}')
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = example
> doing parameter realm = EXAMPLE.NET
> doing parameter security = ADS
> doing parameter winbind refresh tickets = Yes
> doing parameter template shell = /bin/bash
> doing parameter idmap config * : range = 10000 - 19999
> doing parameter idmap config EXAMPLE : backend = rid
> doing parameter idmap config EXAMPLE : range = 1000000 - 1999999
> doing parameter interfaces = 192.168.56.41
> doing parameter bind interfaces only = yes
> doing parameter winbind offline logon = yes
> doing parameter kerberos method = secrets and keytab
> pm_process() returned Yes
> added interface enp0s8 ip=192.168.56.41 bcast=192.168.56.255 netmask=255.255.255.0
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Connecting to 192.168.56.11 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_TARGET_INFO
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898235
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_SEAL
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_TARGET_INFO
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088235
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_SEAL
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088235
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_SEAL
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
> ------------------------
> As far as I can see there is no problem connecting to the DC.

Yet here you are happy for them to connect to a DC with smbpasswd ???

I think you actually want 'samba-tool user password'

Rowland


