[Samba] How to change Domain password as normal user?

Yvan Masson yvan at masson-informatique.fr
Thu Apr 5 19:09:01 UTC 2018


Le 04/04/2018 à 23:40, Mark Foley via samba a écrit :
> On Wed, 4 Apr 2018 08:37:26 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>> On Tue, 03 Apr 2018 23:34:13 -0400
>> Mark Foley via samba <samba at lists.samba.org> wrote:
>>
>>> On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
>>> wrote:
>>>>
>>>> On Sat, 31 Mar 2018 11:42:07 -0400
>>>> Mark Foley via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny
>>>>> <rpenny at samba.org> wrote:
>>>>>>
>>>>>> This will then prompt the user for their 'oldpassword' and then
>>>>>> the new password (twice). There is a gotcha though, as given it
>>>>>> will only work on a DC, to do the password change from a Unix
>>>>>> domain member, you need to add '--ipaddress=DCIPADDRESS'
>>>>>
>>>>> I'll try that after I've figured out what the user's expiration
>>>>> status is. With respect to this command, would the full syntax be:
>>>>>
>>>>> samba-tool user password -U <myuser> --ipaddress=192.168.0.2
>>>>>
>>>>> I've tried that with no syntax error, but haven't pulled the
>>>>> trigger yet to change the password. I've also tried
>>>>> --ipaddress=dchostname which also did not give a syntax error.
>>>>
>>>> Never tried it with the hostname, but I think the option name gives
>>>> a big hint ;-)
>>>>
>>>>>> Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
>>>>>> ldbsearch below ? If so, is the result actually '89' are you
>>>>>> using some calculation to get '89' ? I ask this because I would
>>>>>> expect the attribute to contain something like
>>>>>> '9223372036854775807'
>>>>>
>>>>> Yes, the same ldbsearch.  In fact, that and the calculation were
>>>>> given to me by you a couple of years ago.  The rest of the
>>>>> calculation is:
>>>>>
>>>>
>>>> OK
>>>>
>>>>>>
>>>>>> If you are trying to find out if the users password has expired
>>>>>> or is near to, you can use rpcclient for this.
>>>>
>>>>>
>>>>> I did the following:
>>>>>
>>>>> # rpcclient -U "" -N 192.168.0.2    
>>>>> rpcclient $> enumdomusers
>>>>> :
>>>>> user:[mark] rid:[0x457]
>>>>> :
>>>>> rpcclient $> queryuser 0x457
>>>>>         User Name   :   mark
>>>>>         Full Name   :   Mark Foley
>>>>> (empty lines removed)
>>>>>         Logon Time               :      Thu, 29 Mar 2018 17:12:54
>>>>> EDT Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
>>>>>         Kickoff Time             :      Wed, 31 Dec 1969 19:00:00
>>>>> EST Password last set Time   :      Wed, 28 Mar 2018 23:59:08 EDT
>>>>>         Password can change Time :      Wed, 28 Mar 2018 23:59:08
>>>>> EDT Password must change Time:      Wed, 27 Jun 2018 00:00:11 EDT
>>>>
>>>>> Not sure I see where the expiration is except that Kickoff Time is
>>>>> set to Dec 31st, 1969 which is likely a zero in that field. Is
>>>>> that the problem?
>>>>
>>>> When the users password expires it must be changed (hint, hint) ;-)
>>>> Or an even bigger hint, the user needs to change their password
>>>> before the 27th of June
>>>>  
>>>>>
>>>>> Why would passwd and kpasswd not reset that?
>>>>
>>>> I have no real idea, but it might have something to do with neither
>>>> of having anything to do with AD.
>>>>
>>>
>>> I think you're right that although passwd and kpasswd do change the
>>> domain password for the user, "neither of them have anything to do
>>> with AD" and hence apparently do not reset the exipriation day. So,
>>> I've now tried:
>>>
>>> samba-tool user password -U $USER --ipaddress=192.168.0.2
>>
>> The relevant line in my yad script looks like this:
>>
>> ${SAMBA_TOOL} user password ${NEWPASS} ${IPADDRESS} -U ${USERNAME}
>> ${OLDPASS}
>>
>>>
>>> and that works and does reset the expiration count so that my
>>> rpcclient query returns 90 days. I can also use the AD/DC host name
>>> instead of the IP address.
>>>
>>> I'm using this as a $HOME/.kde/Autostart script to check the password
>>> expiration days-to-go with the KDE desktop. If less than 8 days to
>>> go, it puts up a GUI dialog inviting the user to change the password.
>>> This mimics the functionality of Windows. Without something like
>>> this, the user does not know his password is about to expire and he
>>> finds himself locked out.
>>
>> Do you have the checking of the password and the changing in one
>> script ?
>> I use two, one to check when the password expires and another to change
>> it.
> 
> I'm using one script. It tests the expiration then exits if OK, otherwise, it continues to ask
> the user for the new password. Here's the entire script:
> 
> #!/bin/bash
> #
> # Check for and permit changing of Expiring Password
> #
> 
> warnDays=8
> 
> # CHECK FOR PASSWORD ABOUT TO EXPIRE
> 
> expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
>   grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`
> 
> expireDate=$((($expireTime/10000000)-11644473600))
> today=`date +%s`
> togo=$((($expireDate-$today)/86400))
> 
> if [ -n "$1" ]  # any arg will be a debug mode to display Days to Go only
> then
>     echo "[$expireTime]" Days to go: $togo
>     exit 0
> fi
> 
> if [ $togo -gt $warnDays ]; then exit 0; fi
> 
> # Within $warnDays of expiration. Ask user to change PW
> 
> IMAGE=/user/util/bin/pw1.png
> TITLE="Change Expiring Password"
> 
> if [ "$togo" = 0 ]
> then
>     MSG="Your password expires today.\nConsider changing your password."
> else
>     MSG="Your password expires in $togo days.\nConsider changing your password."
> fi
> 
> badPW=0
> 
> while [ 1 = 1 ]
> do
>     pw=`yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
>         --image "$IMAGE" --image-on-top --title "$TITLE" \
>         --text="$MSG" \
>         --align=right \
>         --field="Enter current password:H" \
>         --field="Enter new password:H" \
>         --field="Confirm Password::H"`
> 
>     pwOrg=`echo "$pw" | cut "-d~" -f1`
>     pw1=`echo "$pw" | cut "-d~" -f2`
>     pw2=`echo "$pw" | cut "-d~" -f3`
> 
>     if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi  # Cancel
> 
>     if [ "$pw1" != "$pw2" ]
>     then
>         MSG="Sorry, passwords do no match. Try again."
>         continue
>     fi
> 
>     if [ -z "$pwOrg" ]
>     then
>         MSG="CURRENT PASSWORD REQUIRED!"
>         continue
>     fi
> 
>     # Verify current password
> 
>     ntlm_auth --username=$USER --password="$pwOrg" > /dev/null 2>&1
>     rc=$?
> 
>     if [ "$rc" != 0 ]
>     then
>         badPW=$[ $badPW + 1 ]
>         if [ $badPW -gt 2 ]; then exit -1; fi   # only permit 3 tries
>         MSG="WRONG CURRENT PASSWORD. Try again."
>         continue
>     fi    
> 
>     if [ ${#pw1} -lt 8 ]
>     then
>         MSG="Password length must be at least 8 characters."
>         continue
>     fi
> 
>     # Verify Complexity: at least 1 of: upper case, lower case, number, punctuation. No spaces.
> 
>     cnt=0
>     x=$(echo "$pw1" | grep '[A-Z]')
>     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> 
>     x=$(echo "$pw1" | grep '[a-z]')
>     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> 
>     x=$(echo "$pw1" | grep '[0-9]')
>     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> 
>     x=$(echo "$pw1" | tr -d '[:alnum:]')
>     if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
> 
>     if [ $cnt -lt 3 ]
>     then
>         MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
>         continue
>     fi
>     
>     if [ "$pw1" = "$pwOrg" ]
>     then
>         MSG="You cannot use your previous password. Think of something new."
>         continue
>     fi
> 
>     break
> done
> 
> # CHANGE PASSWORD
>     
> samba-tool user password -U $USER --ipaddress=mail <<EOF 
> $pwOrg
> $pw1
> $pw1
> EOF
> status="$?"
> 
> if [ "$status" == "0" ]; then
>     yad --title "$TITLE" \
>     --center \
>     --button="gtk-ok:0" \
>     --text="Successfully changed password for $USER in AD."
> else
>     yad --title "$TITLE" \
>     --center \
>     --button="gtk-ok:0" \
>     --text="Error changing password for $USER in AD."
> fi
> 
> exit $status
> 
> 
> --Mark
> 

Hi,

Thanks Mark for this useful script! Maybe it could be on the Samba wiki?

Regards,
Yvan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 874 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180405/ce4fdc45/signature.sig>


More information about the samba mailing list