[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Fri Apr 13 18:49:44 UTC 2018

>From samba-bounces at lists.samba.org  Fri Apr 13 09:46:32 2018
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Date: Fri, 13 Apr 2018 09:45:14 -0400
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
User-Agent: Heirloom mailx 12.5 7/5/10
Subject: Re: [Samba] How to change Domain password as normal user?
X-BeenThere: samba at lists.samba.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: General questions regarding Samba <samba.lists.samba.org>
List-Unsubscribe: <https://lists.samba.org/mailman/options/samba>,
 <mailto:samba-request at lists.samba.org?subject=unsubscribe>
List-Archive: <http://lists.samba.org/pipermail/samba/>
List-Post: <mailto:samba at lists.samba.org>
List-Help: <mailto:samba-request at lists.samba.org?subject=help>
List-Subscribe: <https://lists.samba.org/mailman/listinfo/samba>,
 <mailto:samba-request at lists.samba.org?subject=subscribe>
From: Mark Foley via samba <samba at lists.samba.org>
Reply-To: Mark Foley <mfoley at ohprs.org>
Content-Type: text/plain; charset="utf-8"
Errors-To: samba-bounces at lists.samba.org
Sender: "samba" <samba-bounces at lists.samba.org>
X-Spam-Status: No, score=-106.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	autolearn=unavailable autolearn_force=no version=3.4.1-_revision__1.25__
	* -100 USER_IN_WHITELIST From: address is in the user's white-list
	* -0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
	*      domain
	* -6.0 USER_IN_WHITELIST_TO User is listed in 'whitelist_to'
	* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
	*      valid
	* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
	*       domain
X-Spam-Checker-Version: SpamAssassin 3.4.1-_revision__1.25__ (2015-04-28) on

On Thu, 5 Apr 2018 16:59:15 +0100 Rowland Penny <rpenny at samba.org> wrote:
> On Thu, 05 Apr 2018 11:31:18 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
> > OK, I'm having issues with the problem.  To summarize, I'm trying to
> > have a normal user change his password from a domain member.  I've
> > tried: passwd, kpasswd and 'samba-tool user password -U $USER
> > --ipaddress=<IPofAD/DC>'.  All mechanisms do change the domain
> > password and I can log into Windows and Linux domain members, and
> > website requiring domain authentication. 
> > 
> > HOWEVER, after 1 to 3 days the account become locked out.  About 2
> > days ago I did the samba-tool method and reported in this thread that
> > it worked.  Today I tried to log into my Windows workstation and was
> > locked out.  The Samba log message was:
> > 
> > [2018/04/05 05:11:38.549997, 2] authentication for user [HPRS/myuser]
> > 
> > ntlm_auth gives:
> > 
> > Unable to Authenticate: NT_STATUS_ACCOUNT_LOCKED_OUT: Account locked
> > out (0xc0000234)
> > 
> > This all despite the rcpclient saying the expiration is in July.
> > 
> The problem here is that you are mixing up an expired password and an
> account that is locked out.
> An account can get logged out for various reasons, but the main one is
> something trying to auth with an old or wrong password. Do you have
> anything that tries to authenticate to AD with the username and
> password, if so, check it is using the right password, mobile phones
> are a favourite place to start.
> Rowland

I think there might be a bug.

A week ago I used 'samba-tool user setpassword me' as the domain administrator from the AD
server to reset my normal user domain password.  That worked for the past week with no lockout
issues.  So, yesterday I decided to again try

samba-tool user password -U $USER --ipaddress=mail

from the domain member workstation as the normal user, $USER. Again, that worked. However, once
again today (the next day) I am locked out.

Furthermore, if I try to use samba-tool as the Domain Admin to set the password to the same
value as the locked out one, I still could not get in. I had to change the password to
something different.

This behavior is consistent. If, as the normal user, I change the domain password using
samba-tool from the domain member computer, I get locked out within about a day. If I do the
same as the domain admin, no lockout happens.

I know with certainty this is NOT related to cell phones or other programs trying to repeatedly
authenticate. For one thing, I have no cell phone or remote mail client accessing this domain.
Also, I send an email notice for EVERY failed domain login attempt. There are no such failures
in the samba log.

I think there is a bug afoot. I would be happy to try any tests anyone might suggest.


Samba 4.4.16

6 hours Later ...

After resetting to a different password using samba-tool as domain administrator from the AD
server 6 hours ago, and being able to successfully log in, I find myself locked out AGAIN!

I need a way to reset the lockout indicator. This is a big problem.


More information about the samba mailing list