[Samba] How to change Domain password as normal user?
Mark Foley
mfoley at ohprs.org
Wed Apr 4 21:40:34 UTC 2018
On Wed, 4 Apr 2018 08:37:26 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 03 Apr 2018 23:34:13 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
> > wrote:
> > >
> > > On Sat, 31 Mar 2018 11:42:07 -0400
> > > Mark Foley via samba <samba at lists.samba.org> wrote:
> > >
> > > > On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny
> > > > <rpenny at samba.org> wrote:
> > > > >
> > > > > This will then prompt the user for their 'oldpassword' and then
> > > > > the new password (twice). There is a gotcha though, as given it
> > > > > will only work on a DC, to do the password change from a Unix
> > > > > domain member, you need to add '--ipaddress=DCIPADDRESS'
> > > >
> > > > I'll try that after I've figured out what the user's expiration
> > > > status is. With respect to this command, would the full syntax be:
> > > >
> > > > samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> > > >
> > > > I've tried that with no syntax error, but haven't pulled the
> > > > trigger yet to change the password. I've also tried
> > > > --ipaddress=dchostname which also did not give a syntax error.
> > >
> > > Never tried it with the hostname, but I think the option name gives
> > > a big hint ;-)
> > >
> > > > > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > > > > ldbsearch below ? If so, is the result actually '89' are you
> > > > > using some calculation to get '89' ? I ask this because I would
> > > > > expect the attribute to contain something like
> > > > > '9223372036854775807'
> > > >
> > > > Yes, the same ldbsearch. In fact, that and the calculation were
> > > > given to me by you a couple of years ago. The rest of the
> > > > calculation is:
> > > >
> > >
> > > OK
> > >
> > > > >
> > > > > If you are trying to find out if the users password has expired
> > > > > or is near to, you can use rpcclient for this.
> > >
> > > >
> > > > I did the following:
> > > >
> > > > # rpcclient -U "" -N 192.168.0.2
> > > > rpcclient $> enumdomusers
> > > > :
> > > > user:[mark] rid:[0x457]
> > > > :
> > > > rpcclient $> queryuser 0x457
> > > > User Name : mark
> > > > Full Name : Mark Foley
> > > > (empty lines removed)
> > > > Logon Time : Thu, 29 Mar 2018 17:12:54
> > > > EDT Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
> > > > Kickoff Time : Wed, 31 Dec 1969 19:00:00
> > > > EST Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
> > > > Password can change Time : Wed, 28 Mar 2018 23:59:08
> > > > EDT Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
> > >
> > > > Not sure I see where the expiration is except that Kickoff Time is
> > > > set to Dec 31st, 1969 which is likely a zero in that field. Is
> > > > that the problem?
> > >
> > > When the users password expires it must be changed (hint, hint) ;-)
> > > Or an even bigger hint, the user needs to change their password
> > > before the 27th of June
> > >
> > > >
> > > > Why would passwd and kpasswd not reset that?
> > >
> > > I have no real idea, but it might have something to do with neither
> > > of them having anything to do with AD.
> > >
> >
> > I think you're right that although passwd and kpasswd do change the
> > domain password for the user, "neither of them have anything to do
> > with AD" and hence apparently do not reset the expiration day. So,
> > I've now tried:
> >
> > samba-tool user password -U $USER --ipaddress=192.168.0.2
>
> The relevant line in my yad script looks like this:
>
> ${SAMBA_TOOL} user password ${NEWPASS} ${IPADDRESS} -U ${USERNAME}
> ${OLDPASS}
>
> >
> > and that works and does reset the expiration count so that my
> > rpcclient query returns 90 days. I can also use the AD/DC host name
> > instead of the IP address.
> >
> > I'm using this as a $HOME/.kde/Autostart script to check the password
> > expiration days-to-go with the KDE desktop. If less than 8 days to
> > go, it puts up a GUI dialog inviting the user to change the password.
> > This mimics the functionality of Windows. Without something like
> > this, the user does not know his password is about to expire and he
> > finds himself locked out.
>
> Do you have the checking of the password and the changing in one
> script ?
> I use two, one to check when the password expires and another to change
> it.
I'm using one script. It tests the expiration then exits if OK, otherwise, it continues to ask
the user for the new password. Here's the entire script:
#!/bin/bash
#
# Check for and permit changing of Expiring Password
#
warnDays=8

# CHECK FOR PASSWORD ABOUT TO EXPIRE
# msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME: 100-ns intervals since 1601-01-01.
# A value of 9223372036854775807 means "never expires"; it yields a huge togo and we exit below.
expireTime=$(/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub \
    "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
    grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}')

# No value (lookup failed, no Kerberos ticket, attribute absent): bail out instead of
# feeding an empty string into the arithmetic below
if [ -z "$expireTime" ]; then
    echo "Could not read password expiry for $USER" >&2
    exit 1
fi

expireDate=$((expireTime/10000000 - 11644473600))   # FILETIME -> Unix epoch seconds
today=$(date +%s)
togo=$(((expireDate - today)/86400))

if [ -n "$1" ]; then   # any arg will be a debug mode to display Days to Go only
    echo "[$expireTime]" Days to go: $togo
    exit 0
fi

if [ "$togo" -gt "$warnDays" ]; then exit 0; fi

# Within $warnDays of expiration. Ask user to change PW
IMAGE=/user/util/bin/pw1.png
TITLE="Change Expiring Password"
if [ "$togo" = 0 ]; then
    MSG="Your password expires today.\nConsider changing your password."
else
    MSG="Your password expires in $togo days.\nConsider changing your password."
fi

badPW=0
while true; do
    pw=$(yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
        --image "$IMAGE" --image-on-top --title "$TITLE" \
        --text="$MSG" \
        --align=right \
        --field="Enter current password:H" \
        --field="Enter new password:H" \
        --field="Confirm Password::H")
    pwOrg=$(echo "$pw" | cut -d~ -f1)
    pw1=$(echo "$pw" | cut -d~ -f2)
    pw2=$(echo "$pw" | cut -d~ -f3)

    # All three empty: user pressed Cancel or the dialog timed out
    if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi

    if [ "$pw1" != "$pw2" ]; then
        MSG="Sorry, passwords do not match. Try again."
        continue
    fi
    if [ -z "$pwOrg" ]; then
        MSG="CURRENT PASSWORD REQUIRED!"
        continue
    fi

    # Verify current password. Note: --password places the password in the process
    # argument list, which other local users can read via ps for the life of the call.
    ntlm_auth --username="$USER" --password="$pwOrg" > /dev/null 2>&1
    rc=$?
    if [ "$rc" != 0 ]; then
        badPW=$((badPW + 1))
        if [ "$badPW" -gt 2 ]; then exit 1; fi   # only permit 3 tries
        MSG="WRONG CURRENT PASSWORD. Try again."
        continue
    fi

    if [ ${#pw1} -lt 8 ]; then
        MSG="Password length must be at least 8 characters."
        continue
    fi

    # Verify Complexity: at least 3 of: upper case, lower case, number, punctuation. No spaces.
    case "$pw1" in
        *[[:space:]]*)
            MSG="Password must not contain spaces."
            continue ;;
    esac
    cnt=0
    # LC_ALL=C so the bracket ranges mean ASCII letters regardless of the desktop locale
    if echo "$pw1" | LC_ALL=C grep -q '[A-Z]'; then cnt=$((cnt + 1)); fi
    if echo "$pw1" | LC_ALL=C grep -q '[a-z]'; then cnt=$((cnt + 1)); fi
    if echo "$pw1" | grep -q '[0-9]'; then cnt=$((cnt + 1)); fi
    # whatever survives deleting the alphanumerics is punctuation
    if [ -n "$(echo "$pw1" | tr -d '[:alnum:]')" ]; then cnt=$((cnt + 1)); fi
    if [ "$cnt" -lt 3 ]; then
        MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
        continue
    fi

    if [ "$pw1" = "$pwOrg" ]; then
        MSG="You cannot use your previous password. Think of something new."
        continue
    fi
    break
done

# CHANGE PASSWORD
# Old and new passwords are fed on stdin (here-document), so they never appear in the argument list
samba-tool user password -U "$USER" --ipaddress=mail <<EOF
$pwOrg
$pw1
$pw1
EOF
status=$?
if [ "$status" = 0 ]; then
    yad --title "$TITLE" \
        --center \
        --button="gtk-ok:0" \
        --text="Successfully changed password for $USER in AD."
else
    yad --title "$TITLE" \
        --center \
        --button="gtk-ok:0" \
        --text="Error changing password for $USER in AD."
fi
exit "$status"
--Mark
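The expiry calculation the thread turns on (msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME, converted to Unix seconds by dividing by 10^7 and subtracting 11644473600), as an added example that is not part of the original post and not Samba's own code. It parses a constructed ldbsearch output instead of querying a DC, and handles the two cases the script above does not: the '9223372036854775807' never-expires value Rowland mentions, and an empty or non-numeric result when the lookup fails. The names SAMPLE_LDB_OUTPUT, extract_expiry, days_to_go and should_warn, and the sample value, are all mine.

```shell
#!/bin/sh
# Added example (not from the original post or the Samba project): turn the AD attribute
# msDS-UserPasswordExpiryTimeComputed into "days to go" with the special cases handled.
# Runs offline against constructed sample output.

# Constructed sample of what `ldbsearch ... msDS-UserPasswordExpiryTimeComputed` prints.
# The value is made up (it decodes to 2018-06-27 01:00 UTC), not taken from a real DC.
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131745348000000000

# returned 1 records
# 1 entries
# 0 referrals'

NEVER_EXPIRES=9223372036854775807   # value AD returns when the password never expires
EPOCH_DIFF=11644473600              # seconds from 1601-01-01 (FILETIME epoch) to 1970-01-01

# Pull the attribute value out of ldbsearch output on stdin; prints nothing if it is absent.
extract_expiry() {
    awk '/^msDS-UserPasswordExpiryTimeComputed:/ { print $2; exit }'
}

# days_to_go FILETIME NOW_EPOCH
# Prints the whole days until expiry, or one of: never, expired, unknown.
days_to_go() {
    local ft now expire_epoch remaining
    ft=$1
    now=$2
    case "$ft" in
        '' | *[!0-9]*) echo unknown; return 0 ;;   # empty or non-numeric: lookup failed
    esac
    if [ "$ft" = "$NEVER_EXPIRES" ]; then
        echo never
        return 0
    fi
    # FILETIME counts 100-nanosecond intervals, so dividing by 10^7 gives seconds
    expire_epoch=$((ft / 10000000 - EPOCH_DIFF))
    remaining=$((expire_epoch - now))
    if [ "$remaining" -lt 0 ]; then
        echo expired
    else
        echo $((remaining / 86400))
    fi
}

# should_warn RESULT WARN_DAYS
# Succeeds when the user must act: already expired, or a day count at or under the threshold.
# "never" and "unknown" are not numbers and must not reach the -le comparison.
should_warn() {
    case "$1" in
        never | unknown) return 1 ;;
        expired) return 0 ;;
    esac
    [ "$1" -le "$2" ]
}

# Demo against the constructed sample, with "now" pinned to 2018-04-04 00:00 UTC (1522800000)
ft=$(printf '%s\n' "$SAMPLE_LDB_OUTPUT" | extract_expiry)
result=$(days_to_go "$ft" 1522800000)
echo "[$ft] Days to go: $result"
if should_warn "$result" 8; then echo "warn the user"; else echo "nothing to do yet"; fi
```

In a real run, replace the sample with the ldbsearch pipeline from the script above and pass `$(date +%s)` as the second argument; the case labels let the calling script decide separately what to do for an account that never expires and for a failed lookup, rather than tripping over empty arithmetic.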