[Samba] Allow self password change using LDAP(s) with Samba4

Ole Traupe ole.traupe at tu-berlin.de
Wed Jan 20 10:47:05 UTC 2016



On 12.01.2016 10:56, Juan Asensio Sánchez wrote:
> Hi
>
> Thanks all for your responses. The users can now change their own password
> by adding and removing the unicodePwd attribute, using the correct method to
> generate the password value.
>
> Now I have a problem: users who have the option to force a password
> change at the next login checked can't bind to the LDAP
> server in order to change their password. Is there any way to do this
> using LDAP(s)?

This is not working as it should on a Windows domain client?

Also I believe that on Unix you can just use "passwd", which 
automatically resorts to Kerberos password. No?

Ole



>
> 2016-01-07 10:12 GMT+01:00 Roel van Meer <roel at 1afa.com>:
>
>> Hi Juan,
>>
>> you can use the 'kpasswd' utility:
>>
>>   kpasswd user at YOUR.REALM
>>
>> It can be run as unprivileged user.
>> It first prompts you for your old password and then twice for the new
>> password.
>>
>> Cheers,
>>
>> Roel
>>
>>
>>
>> Juan Asensio Sánchez writes:
>>
>>> Hi all
>>> I am trying to create a webapp to allow users to change their own
>>> passwords
>>> in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify
>>> the user password using this code:
>>>
>>> dn: ........
>>> changetype: modify
>>> replace: unicodePwd
>>> unicodePwd: "Temporal2"
>>>
>>> I get this error:
>>>
>>> 0x32 (Insufficient access; error in module acl: insufficient access rights
>>> during LDB_MODIFY (50))
>>>
>>> If I change the code, deleting the old password, and adding the new one:
>>>
>>> dn: ........
>>> changetype: modify
>>> delete: unicodePwd
>>> unicodePwd: "Temporal1"
>>> -
>>> add: unicodePwd
>>> unicodePwd: "Temporal2"
>>>
>>> Then I get this error:
>>>
>>> #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set
>>> the NT hash password directly']
>>>
>>> The ldapmodify commands are executed using the user's own credentials; I wouldn't
>>> like to use the administrator account. Is this possible? Do I have to
>>> change some settings in Samba4?
>>>
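
Added example, not part of the thread and not Samba project code: one way to generate the password value that the delete/add change discussed above expects, i.e. the new and old passwords each wrapped in double quotes, encoded as UTF-16LE and written as base64 LDIF values. The function names and the DN are constructed for illustration; the passwords are the sample values from the thread.

```python
import base64


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or base64 'attr:: ...' when the value is not an
    LDIF SAFE-STRING (non-ASCII, control chars, leading space/colon/'<')."""
    safe = (value.isascii() and value == value.strip(" ")
            and not value.startswith((":", "<"))
            and not any(c in value for c in "\0\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def encode_unicode_pwd(password: str) -> str:
    """Base64 of the password wrapped in double quotes and encoded UTF-16LE,
    the form the directory expects in unicodePwd (the quotes are part of it)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def build_self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Build one modify that deletes the old value and adds the new one.

    Delete + add in a single operation is a password *change*, which the
    user may do with their own bind; a plain 'replace' is a *reset* and is
    what produced the insufficient-access error quoted in the thread.
    """
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "delete: unicodePwd",
        # '::' marks the value as base64-encoded binary for the LDIF parser.
        f"unicodePwd:: {encode_unicode_pwd(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed DN; feed the output to ldapmodify over an encrypted
    # connection (LDAPS or StartTLS), bound as the user themself.
    print(build_self_change_ldif(
        "CN=José Ejemplo,CN=Users,DC=example,DC=com", "Temporal1", "Temporal2"))
```

The LDIF contains both passwords in trivially reversible form, so pipe it straight into ldapmodify rather than writing it to disk or a log.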



