[Samba] How to change Domain password as normal user?
Yvan Masson
yvan at masson-informatique.fr
Thu Apr 5 19:09:01 UTC 2018
Le 04/04/2018 à 23:40, Mark Foley via samba a écrit :
> On Wed, 4 Apr 2018 08:37:26 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>> On Tue, 03 Apr 2018 23:34:13 -0400
>> Mark Foley via samba <samba at lists.samba.org> wrote:
>>
>>> On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny at samba.org>
>>> wrote:
>>>>
>>>> On Sat, 31 Mar 2018 11:42:07 -0400
>>>> Mark Foley via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny
>>>>> <rpenny at samba.org> wrote:
>>>>>>
>>>>>> This will then prompt the user for their 'oldpassword' and then
>>>>>> the new password (twice). There is a gotcha though, as given it
>>>>>> will only work on a DC, to do the password change from a Unix
>>>>>> domain member, you need to add '--ipaddress=DCIPADDRESS'
>>>>>
>>>>> I'll try that after I've figured out what the user's expiration
>>>>> status is. With respect to this command, would the full syntax be:
>>>>>
>>>>> samba-tool user password -U <myuser> --ipaddress=192.168.0.2
>>>>>
>>>>> I've tried that with no syntax error, but haven't pulled the
>>>>> trigger yet to change the password. I've also tried
>>>>> --ipaddress=dchostname which also did not give a syntax error.
>>>>
>>>> Never tried it with the hostname, but I think the option name gives
>>>> a big hint ;-)
>>>>
>>>>>> Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
>>>>>> ldbsearch below ? If so, is the result actually '89' are you
>>>>>> using some calculation to get '89' ? I ask this because I would
>>>>>> expect the attribute to contain something like
>>>>>> '9223372036854775807'
>>>>>
>>>>> Yes, the same ldbsearch. In fact, that and the calculation were
>>>>> given to me by you a couple of years ago. The rest of the
>>>>> calculation is:
>>>>>
>>>>
>>>> OK
>>>>
>>>>>>
>>>>>> If you are trying to find out if the users password has expired
>>>>>> or is near to, you can use rpcclient for this.
>>>>
>>>>>
>>>>> I did the following:
>>>>>
>>>>> # rpcclient -U "" -N 192.168.0.2
>>>>> rpcclient $> enumdomusers
>>>>> :
>>>>> user:[mark] rid:[0x457]
>>>>> :
>>>>> rpcclient $> queryuser 0x457
>>>>> User Name : mark
>>>>> Full Name : Mark Foley
>>>>> (empty lines removed)
>>>>> Logon Time : Thu, 29 Mar 2018 17:12:54
>>>>> EDT Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
>>>>> Kickoff Time : Wed, 31 Dec 1969 19:00:00
>>>>> EST Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
>>>>> Password can change Time : Wed, 28 Mar 2018 23:59:08
>>>>> EDT Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
>>>>
>>>>> Not sure I see where the expiration is except that Kickoff Time is
>>>>> set to Dec 31st, 1969 which is likely a zero in that field. Is
>>>>> that the problem?
>>>>
>>>> When the users password expires it must be changed (hint, hint) ;-)
>>>> Or an even bigger hint, the user needs to change their password
>>>> before the 27th of June
>>>>
>>>>>
>>>>> Why would passwd and kpasswd not reset that?
>>>>
>>>> I have no real idea, but it might have something to do with neither
>>>> of having anything to do with AD.
>>>>
>>>
>>> I think you're right that although passwd and kpasswd do change the
>>> domain password for the user, "neither of them have anything to do
>>> with AD" and hence apparently do not reset the exipriation day. So,
>>> I've now tried:
>>>
>>> samba-tool user password -U $USER --ipaddress=192.168.0.2
>>
>> The relevant line in my yad script looks like this:
>>
>> ${SAMBA_TOOL} user password ${NEWPASS} ${IPADDRESS} -U ${USERNAME}
>> ${OLDPASS}
>>
>>>
>>> and that works and does reset the expiration count so that my
>>> rpcclient query returns 90 days. I can also use the AD/DC host name
>>> instead of the IP address.
>>>
>>> I'm using this as a $HOME/.kde/Autostart script to check the password
>>> expiration days-to-go with the KDE desktop. If less than 8 days to
>>> go, it puts up a GUI dialog inviting the user to change the password.
>>> This mimics the functionality of Windows. Without something like
>>> this, the user does not know his password is about to expire and he
>>> finds himself locked out.
>>
>> Do you have the checking of the password and the changing in one
>> script ?
>> I use two, one to check when the password expires and another to change
>> it.
>
> I'm using one script. It tests the expiration then exits if OK, otherwise, it continues to ask
> the user for the new password. Here's the entire script:
>
> #!/bin/bash
> #
> # Check for and permit changing of Expiring Password
> #
>
> warnDays=8
>
> # CHECK FOR PASSWORD ABOUT TO EXPIRE
>
> expireTime=`/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=$USER))" msDS-UserPasswordExpiryTimeComputed | \
> grep msDS-UserPasswordExpiryTimeComputed | awk '{print $2}'`
>
> expireDate=$((($expireTime/10000000)-11644473600))
> today=`date +%s`
> togo=$((($expireDate-$today)/86400))
>
> if [ -n "$1" ] # any arg will be a debug mode to display Days to Go only
> then
> echo "[$expireTime]" Days to go: $togo
> exit 0
> fi
>
> if [ $togo -gt $warnDays ]; then exit 0; fi
>
> # Within $warnDays of expiration. Ask user to change PW
>
> IMAGE=/user/util/bin/pw1.png
> TITLE="Change Expiring Password"
>
> if [ "$togo" = 0 ]
> then
> MSG="Your password expires today.\nConsider changing your password."
> else
> MSG="Your password expires in $togo days.\nConsider changing your password."
> fi
>
> badPW=0
>
> while [ 1 = 1 ]
> do
> pw=`yad --form --on-top --center --timeout=300 --timeout-indicator=top --separator="~" \
> --image "$IMAGE" --image-on-top --title "$TITLE" \
> --text="$MSG" \
> --align=right \
> --field="Enter current password:H" \
> --field="Enter new password:H" \
> --field="Confirm Password::H"`
>
> pwOrg=`echo "$pw" | cut "-d~" -f1`
> pw1=`echo "$pw" | cut "-d~" -f2`
> pw2=`echo "$pw" | cut "-d~" -f3`
>
> if [ -z "$pwOrg" ] && [ -z "$pw1" ] && [ -z "$pw2" ]; then exit 0; fi # Cancel
>
> if [ "$pw1" != "$pw2" ]
> then
> MSG="Sorry, passwords do no match. Try again."
> continue
> fi
>
> if [ -z "$pwOrg" ]
> then
> MSG="CURRENT PASSWORD REQUIRED!"
> continue
> fi
>
> # Verify current password
>
> ntlm_auth --username=$USER --password="$pwOrg" > /dev/null 2>&1
> rc=$?
>
> if [ "$rc" != 0 ]
> then
> badPW=$[ $badPW + 1 ]
> if [ $badPW -gt 2 ]; then exit -1; fi # only permit 3 tries
> MSG="WRONG CURRENT PASSWORD. Try again."
> continue
> fi
>
> if [ ${#pw1} -lt 8 ]
> then
> MSG="Password length must be at least 8 characters."
> continue
> fi
>
> # Verify Complexity: at least 1 of: upper case, lower case, number, punctuation. No spaces.
>
> cnt=0
> x=$(echo "$pw1" | grep '[A-Z]')
> if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
>
> x=$(echo "$pw1" | grep '[a-z]')
> if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
>
> x=$(echo "$pw1" | grep '[0-9]')
> if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
>
> x=$(echo "$pw1" | tr -d '[:alnum:]')
> if [ -n "$x" ]; then cnt=$[ $cnt + 1 ]; fi
>
> if [ $cnt -lt 3 ]
> then
> MSG="Password must have 3 of the following: upper case, lower case, number, punctuation."
> continue
> fi
>
> if [ "$pw1" = "$pwOrg" ]
> then
> MSG="You cannot use your previous password. Think of something new."
> continue
> fi
>
> break
> done
>
> # CHANGE PASSWORD
>
> samba-tool user password -U $USER --ipaddress=mail <<EOF
> $pwOrg
> $pw1
> $pw1
> EOF
> status="$?"
>
> if [ "$status" == "0" ]; then
> yad --title "$TITLE" \
> --center \
> --button="gtk-ok:0" \
> --text="Successfully changed password for $USER in AD."
> else
> yad --title "$TITLE" \
> --center \
> --button="gtk-ok:0" \
> --text="Error changing password for $USER in AD."
> fi
>
> exit $status
>
>
> --Mark
>
Hi,
Thanks Mark for this useful script! Maybe it could be on the Samba wiki?
Regards,
Yvan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 874 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180405/ce4fdc45/signature.sig>
More information about the samba
mailing list