[Samba] How to change Domain password as normal user?

Rowland Penny rpenny at samba.org
Wed Apr 4 07:37:26 UTC 2018


On Tue, 03 Apr 2018 23:34:13 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > On Sat, 31 Mar 2018 11:42:07 -0400
> > Mark Foley via samba <samba at lists.samba.org> wrote:
> >
> > > On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny
> > > <rpenny at samba.org> wrote:
> > > >
> > > > This will then prompt the user for their 'oldpassword' and then
> > > > the new password (twice). There is a gotcha though, as given it
> > > > will only work on a DC, to do the password change from a Unix
> > > > domain member, you need to add '--ipaddress=DCIPADDRESS'
> > > 
> > > I'll try that after I've figured out what the user's expiration
> > > status is. With respect to this command, would the full syntax be:
> > > 
> > > samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> > > 
> > > I've tried that with no syntax error, but haven't pulled the
> > > trigger yet to change the password. I've also tried
> > > --ipaddress=dchostname which also did not give a syntax error.
> >
> > Never tried it with the hostname, but I think the option name gives
> > a big hint ;-)
> >
> > > > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > > > ldbsearch below ? If so, is the result actually '89' or are you
> > > > using some calculation to get '89' ? I ask this because I would
> > > > expect the attribute to contain something like
> > > > '9223372036854775807'
> > > 
> > > Yes, the same ldbsearch.  In fact, that and the calculation were
> > > given to me by you a couple of years ago.  The rest of the
> > > calculation is:
> > > 
> >
> > OK
> >
> > > >
> > > > If you are trying to find out if the users password has expired
> > > > or is near to, you can use rpcclient for this.
> >
> > > 
> > > I did the following:
> > > 
> > > # rpcclient -U "" -N 192.168.0.2    
> > > rpcclient $> enumdomusers
> > > :
> > > user:[mark] rid:[0x457]
> > > :
> > > rpcclient $> queryuser 0x457
> > >         User Name   :   mark
> > >         Full Name   :   Mark Foley
> > > (empty lines removed)
> > >         Logon Time               :      Thu, 29 Mar 2018 17:12:54 EDT
> > >         Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
> > >         Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
> > >         Password last set Time   :      Wed, 28 Mar 2018 23:59:08 EDT
> > >         Password can change Time :      Wed, 28 Mar 2018 23:59:08 EDT
> > >         Password must change Time:      Wed, 27 Jun 2018 00:00:11 EDT
> >
> > > Not sure I see where the expiration is except that Kickoff Time is
> > > set to Dec 31st, 1969 which is likely a zero in that field. Is
> > > that the problem?
> >
> > When the users password expires it must be changed (hint, hint) ;-)
> > Or an even bigger hint, the user needs to change their password
> > before the 27th of June
> >  
> > > 
> > > Why would passwd and kpasswd not reset that?
> >
> > I have no real idea, but it might have something to do with neither
> > of them having anything to do with AD.
> >
> 
> I think you're right that although passwd and kpasswd do change the
> domain password for the user, "neither of them have anything to do
> with AD" and hence apparently do not reset the expiration day. So,
> I've now tried:
> 
> samba-tool user password -U $USER --ipaddress=192.168.0.2

The relevant line in my yad script looks like this:

${SAMBA_TOOL} user password ${NEWPASS} ${IPADDRESS} -U ${USERNAME} ${OLDPASS}

> 
> and that works and does reset the expiration count so that my
> rpcclient query returns 90 days. I can also use the AD/DC host name
> instead of the IP address.
> 
> I'm using this as a $HOME/.kde/Autostart script to check the password
> expiration days-to-go with the KDE desktop. If less than 8 days to
> go, it puts up a GUI dialog inviting the user to change the password.
> This mimics the functionality of Windows. Without something like
> this, the user does not know his password is about to expire and he
> finds himself locked out.

Do you have the checking of the password and the changing in one
script ?
I use two, one to check when the password expires and another to change
it.

Rowland
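
The days-to-go check discussed in this thread, as an added example that is not code from either poster: it converts a `msDS-UserPasswordExpiryTimeComputed` value (a Windows FILETIME) into whole days remaining and applies the 8-day warning threshold. The function names and the sample values are assumptions constructed for illustration; the current time is passed in as an argument.

```sh
#!/bin/sh
# Added example: days until an AD password expires, computed from
# msDS-UserPasswordExpiryTimeComputed (Windows FILETIME: 100 ns ticks
# since 1601-01-01 UTC). Function names are assumptions for illustration.

NEVER=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: password never expires
EPOCH_DELTA=11644473600     # seconds from 1601-01-01 to 1970-01-01
WARN_DAYS=8                 # thread's threshold: warn at fewer than 8 days

# days_left FILETIME NOW_EPOCH
# Prints "never", "expired", or the whole days remaining.
days_left() {
    ft=$1
    now=$2
    for v in "$ft" "$now"; do
        case $v in ''|*[!0-9]*) echo invalid; return 2 ;; esac
    done
    if [ "$ft" = "$NEVER" ]; then echo never; return 0; fi
    # A value of 0 (password must change at next logon) lands in the past.
    expiry=$(( $ft / 10000000 - $EPOCH_DELTA ))
    if [ "$expiry" -le "$now" ]; then echo expired; return 0; fi
    echo $(( ($expiry - $now) / 86400 ))
}

# needs_warning FILETIME NOW_EPOCH
# Exit 0 when the user should be prompted, 1 when not, 2 on bad input.
needs_warning() {
    d=$(days_left "$1" "$2") || return 2
    case $d in
        never)   return 1 ;;
        expired) return 0 ;;
        *)       [ "$d" -lt "$WARN_DAYS" ] ;;
    esac
}

# Constructed sample: 131745456110000000 is 27 Jun 2018 00:00:11 EDT (the
# "Password must change Time" quoted above) as a FILETIME; 1522827446 is
# the Unix time of this mail (4 Apr 2018 07:37:26 UTC).
# In real use the first argument comes from the directory query and the
# second from `date +%s`.
if needs_warning 131745456110000000 1522827446; then
    echo "Password expires in $(days_left 131745456110000000 1522827446) days; change it now"
else
    echo "Days left: $(days_left 131745456110000000 1522827446)"
fi
```

Treating "expired" as a reason to prompt and "never" as a reason to stay silent keeps the two sentinel values from being misread as ordinary day counts.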



