[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Wed Mar 28 07:09:43 UTC 2018


On Tue, 27 Mar 2018 13:38:56 -0400 Mark Foley wrote:
>
> On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at t-online.de> wrote:
> >
> > On 26.03.2018 at 06:31, Mark Foley via samba wrote:
> > > As a normal user, I want to change my Domain Password. I've tried:
> > > 
> > > $ samba-tool user setpassword myuserId --newpassword='mynewpassword'
> > > 
> > > but get the error:
> > > 
> > > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file
> > > /var/lib/samba/private/sam.ldb: Permission denied
> > > 
> > > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open
> > > tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb':
> > > Permission denied
> > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602, in run
> > >     credentials=creds, lp=lp)
> > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
> > >     options=options)
> > >   File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
> > >     self.connect(url, flags, options)
> > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
> > >     options=options)
> > > 
> > > How do I do this?
> > > 
> >
> > I don't think it's a good idea to change your password directly on the DC
> > with a normal user login. You don't have rights to the "holy" sam.ldb.
> >
> > I'll refer to the way to change the password from a joined Linux client, for
> > example via PAM with the normal passwd program or kpasswd (if you have
> > Kerberos client programs installed) or from a joined Windows client.
> >
>
> I'm trying this from a domain member, and from a yad script that runs upon login and checks the
> expiration of the password.  It was a script given to me by Roland, but probably he expected the
> change to be done from root.
>
> I can change the pw using the normal 'passwd', and that does change the domain credentials, but
> as this is done in a script, I need something that will work with stdin.  I've tried chpasswd,
> but that is only permitted by root.  The following did work for me in the yad script:
>
> passwd <<EOF
> $oldpw
> $newpw
> $newpw
> EOF
>

Actually, that didn't quite work. It did change the domain password, but didn't reset the
expiration days. So today, when the previous password was set to expire, my account was locked
out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.

Suggestions on how I can get the expiration back to the 'Maximum password age' value?


