[Samba] remote password change, if password is expired
Andrew Bartlett
abartlet at samba.org
Tue Mar 27 17:17:08 UTC 2018
On Tue, 2018-03-27 at 15:44 +0200, Marco Gaiarin via samba wrote:
> Mandi! Waishon via samba
> In chel di` si favelave...
>
> >
> > if you like to write something on your own using PHP you can use this library:
> > https://github.com/ldaptools/ldaptools
> > Then ask the users on the webpage for their username and password and bind with it to the LDAP.
> > Then you've to send an delete request of the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query otherwise samba is denying the change.
>
> Good hint! Thanks!
>
>
> But i think that in this way password policy and 'check password
> script' are not honoured, eg you modify directly the LDAP data without
> password quality checks.
The password policy checks are, in active directory, applied even on
LDAP password changes.
To change an expired password the bind needs to be as a service user
and the password change needs to then reference the expired user (which
is the part we got subtly wrong in the security issue earlier this
month).
> For this reason i prefere to use ''standard'' tools, eg PAM/winbind.
pam_winbind should do it. It uses the SAMR password change but binds
to SAMR as the machine account, so should be able to change an expired
password.
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list