[Samba] remote password change, if password is expired

Andrew Bartlett abartlet at samba.org
Tue Mar 27 17:17:08 UTC 2018

On Tue, 2018-03-27 at 15:44 +0200, Marco Gaiarin via samba wrote:
> Mandi! Waishon via samba
>   In chel di` si favelave...
> > 
> > if you like to write something on your own using PHP you can use this library:
> > https://github.com/ldaptools/ldaptools
> > Then ask the users on the webpage for their username and password and bind with it to the LDAP.
> > Then you've to send an delete request of the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query otherwise samba is denying the change.
> Good hint! Thanks!
> But i think that in this way password policy and 'check password
> script' are not honoured, eg you modify directly the LDAP data without
> password quality checks.

The password policy checks are, in active directory, applied even on
LDAP password changes. 

To change an expired password the bind needs to be as a service user
and the password change needs to then reference the expired user (which
is the part we got subtly wrong in the security issue earlier this

> For this reason i prefere to use ''standard'' tools, eg PAM/winbind.

pam_winbind should do it.  It uses the SAMR password change but binds
to SAMR as the machine account, so should be able to change an expired

I hope this helps,

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list