[Samba] Change user Password with smbpasswd

Stefan Kania stefan at kania-online.de
Tue Jan 19 20:43:13 UTC 2016


On 19.01.16 at 19:38, Rowland Penny wrote:
> On 19/01/16 17:24, Stefan Kania wrote:
>> "samba-tool user setpassword" works fine, but I don't want all
>> "normal" users to connect to the domain controller to change
>> their password.
> 
> Hang on, you don't want your users to connect to the place where
> their passwords are stored ????
No, why should they? The Windows users don't have to connect to the
domain controller to change their password; they can do it on their
machine. So it should be the same on a Linux client. The user
authenticates on his client and should change his password on it. The
user should not make an SSH connection to the DC to change his password.

On a DC I have no shares and no printers, so no user must access the DC.


> 
>> So I tried it with smbpasswd as it was mentioned in many places.
>> I know that smbpasswd is normally for NT domains, but somehow an
>> AD user must also be able to change his password. passwd is also
>> not working, as I read in the other thread on this list. I normally
>> provide a web-based solution for changing passwords, but there
>> should be a way to change the password on the command line. Here
>> you see the output with debuglevel set to 4:
>> ------------------------
>> EXAMPLE\stefan@sambabuch-c1:~$ smbpasswd -D 4 -r $(nslookup _ldap._tcp.dc._msdcs.example.net | awk '{print $2;exit;}')
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = example
>> doing parameter realm = EXAMPLE.NET
>> doing parameter security = ADS
>> doing parameter winbind refresh tickets = Yes
>> doing parameter template shell = /bin/bash
>> doing parameter idmap config * : range = 10000 - 19999
>> doing parameter idmap config EXAMPLE : backend = rid
>> doing parameter idmap config EXAMPLE : range = 1000000 - 1999999
>> doing parameter interfaces = 192.168.56.41
>> doing parameter bind interfaces only = yes
>> doing parameter winbind offline logon = yes
>> doing parameter kerberos method = secrets and keytab
>> pm_process() returned Yes
>> added interface enp0s8 ip=192.168.56.41 bcast=192.168.56.255 netmask=255.255.255.0
>> Old SMB password:
>> New SMB password:
>> Retype new SMB password:
>> Connecting to 192.168.56.11 at port 445
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178@please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898235
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_SEAL
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088235
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_SEAL
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088235
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_SEAL
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
>> ------------------------
>> As far as I can see there is no problem connecting to the DC.
> 
> Yet here you are happy for them to connect to a DC with smbpasswd
> ???
> 
No, as long as the password change fails.

Stefan

> I think you actually want 'samba-tool user password'
> 
> Rowland
> 
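
Added example, not part of the original message and not Samba code: a small decoder for the `neg_flags` values in the debug output quoted above, showing which flags the DC offered but the session dropped and whether signing, sealing and a 128-bit key were negotiated. The names `FLAGS`, `decode`, `parse_exchanges` and `report` are hypothetical; the bit values are taken from the MS-NLMP negotiate flags table.

```python
import re

# Bit values from the MS-NLMP NEGOTIATE flags table, named as Samba prints them.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE", 0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN", 0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM", 0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN", 0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO", 0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

def decode(value):
    # Names of the known flag bits set in value.
    return {name for bit, name in FLAGS.items() if value & bit}

def parse_exchanges(log):
    """Pair each 'challenge flags' value with the 'final flags' value after it."""
    pairs, stage, challenge = [], None, None
    for line in log.splitlines():
        if "challenge flags" in line:
            stage = "challenge"
        elif "final flags" in line:
            stage = "final"
        m = re.search(r"neg_flags=(0x[0-9a-fA-F]+)", line)
        if m and stage == "challenge":
            challenge = int(m.group(1), 16)
        elif m and stage == "final" and challenge is not None:
            pairs.append((challenge, int(m.group(1), 16)))
            challenge = None
        if m:
            stage = None  # a later value (Sign/Seal init) belongs to no stage
    return pairs

def report(challenge, final):
    names = decode(final)
    return {
        "dropped": sorted(decode(challenge) - names),
        "signed": "NTLMSSP_NEGOTIATE_SIGN" in names,
        "sealed": "NTLMSSP_NEGOTIATE_SEAL" in names,
        "key_128": "NTLMSSP_NEGOTIATE_128" in names,
    }

# neg_flags lines as they appear in the debug output quoted in the message.
SAMPLE = """Got challenge flags: Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags: Got NTLMSSP neg_flags=0x60088215
Got challenge flags: Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags: Got NTLMSSP neg_flags=0x60088235"""
for offered, final in parse_exchanges(SAMPLE):
    print(hex(final), report(offered, final))
```

The parser accepts the stage label and the `neg_flags=` value either on one line or on consecutive lines. Bit 0x00010000 is set in both challenge values although it does not appear among the flag names in the quoted output.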





