[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Wed Apr 4 21:40:34 UTC 2018


On Wed, 4 Apr 2018 08:37:26 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 03 Apr 2018 23:34:13 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
> > wrote:
> > >
> > > On Sat, 31 Mar 2018 11:42:07 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny
> > > > <rpenny at samba.org> wrote:
> > > > >
> > > > > This will then prompt the user for their 'oldpassword' and then
> > > > > the new password (twice). There is a gotcha though, as given it
> > > > > will only work on a DC, to do the password change from a Unix
> > > > > domain member, you need to add '--ipaddress=DCIPADDRESS'
> > > > 
> > > > I'll try that after I've figured out what the user's expiration
> > > > status is. With respect to this command, would the full syntax be:
> > > > 
> > > > samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> > > > 
> > > > I've tried that with no syntax error, but haven't pulled the
> > > > trigger yet to change the password. I've also tried
> > > > --ipaddress=dchostname which also did not give a syntax error.
> > >
> > > Never tried it with the hostname, but I think the option name gives
> > > a big hint ;-)
> > >
> > > > > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > > > > ldbsearch below ? If so, is the result actually '89' are you
> > > > > using some calculation to get '89' ? I ask this because I would
> > > > > expect the attribute to contain something like
> > > > > '9223372036854775807'
> > > > 
> > > > Yes, the same ldbsearch.  In fact, that and the calculation were
> > > > given to me by you a couple of years ago.  The rest of the
> > > > calculation is:
> > > > 
> > >
> > > OK
> > >
> > > > >
> > > > > If you are trying to find out if the users password has expired
> > > > > or is near to, you can use rpcclient for this.
> > >
> > > > 
> > > > I did the following:
> > > > 
> > > > # rpcclient -U "" -N 192.168.0.2    
> > > > rpcclient $> enumdomusers
> > > > :
> > > > user:[mark] rid:[0x457]
> > > > :
> > > > rpcclient $> queryuser 0x457
> > > >         User Name   :   mark
> > > >         Full Name   :   Mark Foley
> > > > (empty lines removed)
> > > >         Logon Time               :      Thu, 29 Mar 2018 17:12:54 EDT
> > > >         Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
> > > >         Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
> > > >         Password last set Time   :      Wed, 28 Mar 2018 23:59:08 EDT
> > > >         Password can change Time :      Wed, 28 Mar 2018 23:59:08 EDT
> > > >         Password must change Time:      Wed, 27 Jun 2018 00:00:11 EDT
> > >
> > > > Not sure I see where the expiration is except that Kickoff Time is
> > > > set to Dec 31st, 1969 which is likely a zero in that field. Is
> > > > that the problem?
> > >
> > > When the users password expires it must be changed (hint, hint) ;-)
> > > Or an even bigger hint, the user needs to change their password
> > > before the 27th of June
> > >  
> > > > 
> > > > Why would passwd and kpasswd not reset that?
> > >
> > > I have no real idea, but it might have something to do with neither
> > > of them having anything to do with AD.
> > >
> > 
> > I think you're right that although passwd and kpasswd do change the
> > domain password for the user, "neither of them have anything to do
> > with AD" and hence apparently do not reset the expiration day. So,
> > I've now tried:
> > 
> > samba-tool user password -U $USER --ipaddress=192.168.0.2
>
> The relevant line in my yad script looks like this:
>
> ${SAMBA_TOOL} user password ${NEWPASS} ${IPADDRESS} -U ${USERNAME}
> ${OLDPASS}
>
> > 
> > and that works and does reset the expiration count so that my
> > rpcclient query returns 90 days. I can also use the AD/DC host name
> > instead of the IP address.
> > 
> > I'm using this as a $HOME/.kde/Autostart script to check the password
> > expiration days-to-go with the KDE desktop. If less than 8 days to
> > go, it puts up a GUI dialog inviting the user to change the password.
> > This mimics the functionality of Windows. Without something like
> > this, the user does not know his password is about to expire and he
> > finds himself locked out.
>
> Do you have the checking of the password and the changing in one
> script ?
> I use two, one to check when the password expires and another to change
> it.

I'm using one script. It tests the expiration and exits if OK; otherwise it goes on to ask
the user for the new password. Here's the entire script:

#!/bin/bash
#
# Check for and permit changing of Expiring Password
#

warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE

expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
  grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`

# No value returned (lookup failed or user not found): bail out instead of hitting an arithmetic error below
if [ -z "$expireTime" ]
then
    echo "Could not read password expiry for $USER" >&2
    exit 1
fi

# msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME (100ns ticks since 1601-01-01).
# Convert it to Unix epoch seconds, then to whole days remaining.
expireDate=$((($expireTime/10000000)-11644473600))
today=`date +%s`
togo=$((($expireDate-$today)/86400))

if [ -n "$1" ]  # any arg will be a debug mode to display Days to Go only
then
    echo "[$expireTime]" Days to go: $togo
    exit 0
fi

if [ $togo -gt $warnDays ]; then exit 0; fi

# Within $warnDays of expiration. Ask user to change PW

IMAGE=/user/util/bin/pw1.png
TITLE="Change Expiring Password"

if [ "$togo" = 0 ]
then
    MSG="Your password expires today.\nConsider changing your password."
else
    MSG="Your password expires in $togo days.\nConsider changing your password."
fi

badPW=0

while true
do
    pw=`yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
        --image "$IMAGE" --image-on-top --title "$TITLE" \
        --text="$MSG" \
        --align=right \
        --field="Enter current password:H" \
        --field="Enter new password:H" \
        --field="Confirm new password:H"`

    pwOrg=`echo "$pw" | cut "-d~" -f1`
    pw1=`echo "$pw" | cut "-d~" -f2`
    pw2=`echo "$pw" | cut "-d~" -f3`

    if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi  # Cancel

    if [ "$pw1" != "$pw2" ]
    then
        MSG="Sorry, passwords do not match. Try again."
        continue
    fi

    if [ -z "$pwOrg" ]
    then
        MSG="CURRENT PASSWORD REQUIRED!"
        continue
    fi

    # Verify current password.
    # Note: --password puts the current password on ntlm_auth's command line, where it is
    # briefly visible to other local users via ps; acceptable on a single-user desktop.

    ntlm_auth --username="$USER" --password="$pwOrg" > /dev/null 2>&1
    rc=$?

    if [ "$rc" != 0 ]
    then
        badPW=$((badPW + 1))
        if [ $badPW -gt 2 ]; then exit 1; fi   # only permit 3 tries
        MSG="WRONG CURRENT PASSWORD. Try again."
        continue
    fi

    if [ ${#pw1} -lt 8 ]
    then
        MSG="Password length must be at least 8 characters."
        continue
    fi

    # Verify complexity: at least 3 of the 4 classes upper case, lower case, digit, punctuation.
    # No spaces allowed.

    case "$pw1" in
        *[[:space:]]*)
            MSG="Password must not contain spaces."
            continue ;;
    esac

    cnt=0
    if printf '%s\n' "$pw1" | grep -q '[[:upper:]]'; then cnt=$((cnt + 1)); fi
    if printf '%s\n' "$pw1" | grep -q '[[:lower:]]'; then cnt=$((cnt + 1)); fi
    if printf '%s\n' "$pw1" | grep -q '[[:digit:]]'; then cnt=$((cnt + 1)); fi
    # anything left after stripping letters and digits counts as punctuation
    if [ -n "$(printf '%s' "$pw1" | tr -d '[:alnum:]')" ]; then cnt=$((cnt + 1)); fi

    if [ $cnt -lt 3 ]
    then
        MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
        continue
    fi
    
    if [ "$pw1" = "$pwOrg" ]
    then
        MSG="You cannot use your previous password. Think of something new."
        continue
    fi

    break
done

# CHANGE PASSWORD

# Feed the current password (for -U), then the new password twice, on stdin.
# printf is used rather than an unquoted here-document so that a password containing
# '$', backquotes or backslashes is passed through literally instead of being expanded.
printf '%s\n' "$pwOrg" "$pw1" "$pw1" | samba-tool user password -U "$USER" --ipaddress=mail
status="$?"

if [ "$status" = "0" ]; then
    yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Successfully changed password for $USER in AD."
else
    yad --title "$TITLE" \
    --center \
    --button="gtk-ok:0" \
    --text="Error changing password for $USER in AD."
fi

exit $status


--Mark


