[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Tue Mar 27 17:38:56 UTC 2018


On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at t-online.de> wrote:
>
> On 26.03.2018 at 06:31, Mark Foley via samba wrote:
> > As a normal user, I want to change my Domain Password. I've tried:
> > 
> > $ samba-tool user setpassword myuserId --newpassword='mynewpassword'
> > 
> > but get the error:
> > 
> > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file
> > /var/lib/samba/private/sam.ldb: Permission denied
> > 
> > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open
> > tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb':
> > Permission denied
> >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602, in run
> >     credentials=creds, lp=lp)
> >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
> >     options=options)
> >   File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
> >     self.connect(url, flags, options)
> >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
> >     options=options)
> > 
> > How do I do this?
> > 
>
> I don't think it's a good idea to change your password directly on the DC
> with a normal user login. You don't have rights to the "holy" sam.ldb.
>
> I'll refer to the way to change the password from a joined Linux client, for
> example via PAM with the normal passwd program or kpasswd (if you have
> Kerberos client programs installed) or from a joined Windows client.
>

I'm trying this from a domain member, and from a yad script that runs upon login and checks the
expiration of the password.  It was a script given to me by Roland, but probably he expected the
change to be done from root.

I can change the pw using the normal 'passwd', and that does change the domain credentials, but
as this is done in a script, I need something that will work with stdin.  I've tried chpasswd,
but that is only permitted by root.  The following did work for me in the yad script:

passwd <<EOF
$oldpw
$newpw
$newpw
EOF


--Mark
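
The stdin approach from the post above, wrapped in a function with input checks; this is an added example, not part of the original message or of Samba. It assumes, as the post reports, that passwd on the domain member reads old/new/new from stdin; PASSWD_CMD, valid_pw and change_domain_password are names made up for this example.

```sh
#!/bin/sh
# Added example: answer passwd's three prompts on stdin without placing
# the passwords in any process's argument list.

# PASSWD_CMD is an assumption of this example (not a passwd feature):
# it lets the function be exercised against a stub instead of real passwd.
PASSWD_CMD=${PASSWD_CMD:-passwd}

NL='
'

# Reject values that would break the one-line-per-prompt exchange.
valid_pw() {
    [ -n "$1" ] || return 1               # empty answer
    case $1 in
        *"$NL"*) return 1 ;;              # embedded newline would shift the prompts
    esac
}

# Usage: change_domain_password OLD NEW CONFIRM
# Returns 0 on success, 2 for an unusable value, 3 when NEW and CONFIRM
# differ, 4 when NEW equals OLD, otherwise the exit status of passwd.
change_domain_password() {
    oldpw=$1 newpw=$2 confirm=$3
    valid_pw "$oldpw" && valid_pw "$newpw" || return 2
    [ "$newpw" = "$confirm" ] || return 3
    [ "$newpw" != "$oldpw" ] || return 4
    # printf is a builtin in bash and dash, so the passwords are never
    # part of an argv that other local users could read with ps; %s also
    # passes characters such as $ and \ through unchanged.
    printf '%s\n%s\n%s\n' "$oldpw" "$newpw" "$newpw" | $PASSWD_CMD >/dev/null 2>&1
}
```

In the yad script, the three values would come from the dialog's fields, and a non-zero return can be used to re-prompt the user.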


