[Samba] How to change Domain password as normal user?
Mark Foley
mfoley at ohprs.org
Thu Apr 5 15:31:18 UTC 2018
OK, I'm having issues with the problem. To summarize, I'm trying to have a normal user change
his password from a domain member. I've tried: passwd, kpasswd and 'samba-tool user password
-U $USER --ipaddress=<IPofAD/DC>'. All mechanisms do change the domain password and I can log
into Windows and Linux domain members, and website requiring domain authentication.
HOWEVER, after 1 to 3 days the account become locked out. About 2 days ago I did the
samba-tool method and reported in this thread that it worked. Today I tried to log into my
Windows workstation and was locked out. The Samba log message was:
[2018/04/05 05:11:38.549997, 2] authentication for user [HPRS/myuser] FAILED with error
NT_STATUS_ACCOUNT_LOCKED_OUT
ntlm_auth gives:
Unable to Authenticate: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked out (0xc0000234)
This all despite the rcpclient saying the expiration is in July.
As the domain administrator I ran 'samba-tool user setpassword myuser' and reset the password
and was able to log in. I'm going to not mess with this for a couple of days and see what
happens.
The rpcclient output shows no indication that the user is locked out. The logon time is shown
at 10:03AM today, but I was unable to log then.
Is there a better tool than rpcclient that will give lockout status?
Does anyone have any idea why this is happening?
rpcclient $> queryuser 0x457
User Name : myuser
Logon Time : Thu, 05 Apr 2018 10:03:45 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Thu, 05 Apr 2018 10:25:39 EDT
Password can change Time : Thu, 05 Apr 2018 10:25:39 EDT
Password must change Time: Wed, 04 Jul 2018 10:26:42 EDT
unknown_2[0..31]...
user_rid : 0x457
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x08ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...
--Mark
More information about the samba
mailing list