[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Thu Apr 5 15:31:18 UTC 2018


OK, I'm having issues with the problem.  To summarize, I'm trying to have a normal user change
his password from a domain member.  I've tried: passwd, kpasswd and 'samba-tool user password
-U $USER --ipaddress=<IPofAD/DC>'.  All mechanisms do change the domain password and I can log
into Windows and Linux domain members, and website requiring domain authentication. 

HOWEVER, after 1 to 3 days the account become locked out.  About 2 days ago I did the
samba-tool method and reported in this thread that it worked.  Today I tried to log into my
Windows workstation and was locked out.  The Samba log message was:

[2018/04/05 05:11:38.549997, 2] authentication for user [HPRS/myuser] FAILED with error
NT_STATUS_ACCOUNT_LOCKED_OUT

ntlm_auth gives:

Unable to Authenticate: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked out (0xc0000234)

This all despite the rcpclient saying the expiration is in July.

As the domain administrator I ran 'samba-tool user setpassword myuser' and reset the password
and was able to log in. I'm going to not mess with this for a couple of days and see what
happens. 

The rpcclient output shows no indication that the user is locked out. The logon time is shown
at 10:03AM today, but I was unable to log then.

Is there a better tool than rpcclient that will give lockout status?

Does anyone have any idea why this is happening?

rpcclient $> queryuser 0x457
        User Name   :   myuser
        Logon Time               :      Thu, 05 Apr 2018 10:03:45 EDT
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
        Password last set Time   :      Thu, 05 Apr 2018 10:25:39 EDT
        Password can change Time :      Thu, 05 Apr 2018 10:25:39 EDT
        Password must change Time:      Wed, 04 Jul 2018 10:26:42 EDT
        unknown_2[0..31]...
        user_rid :      0x457
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x08ffffff
        logon_divs:     168
        bad_password_count:     0x00000000
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...


--Mark



More information about the samba mailing list