[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Sat Mar 31 00:19:02 UTC 2018

> On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > > 
> > > Actually, that didn't quite work. It did change the domain password, but didn't reset the
> > > expiration days. So today, when the previous password was set to expire, my account was locked
> > > out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.
> > > 
> > > Suggestions on how I can get the expiration back to the 'Maximum password age' value?
> >
> > This sounds very strange.  Are you sure the password changed on the DC?
> >  Did the msDS-KeyVersionNumber change, did the pwdLastSet change?
> Yes, I know it changed on the DC because I was able to use the new password to log into another
> Windows workstation, and I use the domain credential to log into an internal web application. 
> All these worked with the new PW.  Later, I checked the Linux workstation's /etc/passwd to make
> sure there was no entry for my user (there wasn't).  It does seem strange. 
> Unfortunately, I did not check either msDS-KeyVersionNumber or pwdLastSet or even ldbsearch to
> get msDS-UserPasswordExpiryTimeComputed before I reset the user pw from the domain
> administrator. Next time!
> In this thread I've been given 3 more ideas on how to do this:
> samba-tool -U <myuser> user password
> smbpasswd
> kpasswd
> I'll try each and see which works best for me.

I'm having some issues with this problem.

samba-tool -U <myuser> user password

gives me the error:

samba-tool: error: no such option: -U

Perhaps my version is too old (4.4.16)?

I did successfully change my domain password with kpasswd.  I was able to log into Linux and
Windows workstations, Dovecot client, and a web site which uses ntlm_auth.  I checked the
msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain setting is max 90 days).  I
checked the next day (yesterday) and it was still 89 days.  I went to log into the Windows
workstation and Linux workstation today and was locked out! This is exactly the same thing that
happened when I used passwd (see above). 

Any idea why?

I'd like to try using smbpasswd next, but before I do I'd like to see the current
msDS-UserPasswordExpiryTimeComputed. Of course, I cannot do this as my user because I can't log
in. Is there a way to see this value as the domain administrator? I've tried:

/usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub
"(&(sAMAccountType=805306368)(sAMAccountName=myuser))" msDS-UserPasswordExpiryTimeComputed

but that is asking for myuser's password, even as Dom Admin.

How can I view the user's password expiration settings?
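As an added example (not from the poster or anyone else in this thread), a small Python helper that takes the LDIF record ldbsearch prints for a query like the one above and turns pwdLastSet and msDS-UserPasswordExpiryTimeComputed into dates and whole days remaining, including the sentinel value the DC returns when a password never expires. The sample record and its timestamps are constructed, and the clock is passed in explicitly so the result is reproducible.

```python
import re
from datetime import datetime, timedelta, timezone

# Active Directory stores these timestamps as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Values the DC returns for msDS-UserPasswordExpiryTimeComputed when the password never expires.
NO_EXPIRY = {0, 0x7FFFFFFFFFFFFFFF}

# Constructed sample of the LDIF record ldbsearch prints for the query in the post
# (sAMAccountName=myuser). Timestamps are made up: set 2018-03-27 12:00 UTC, 90-day max age.
SAMPLE_LDIF = """\
dn: CN=myuser,CN=Users,DC=hprs,DC=local
sAMAccountName: myuser
pwdLastSet: 131666256000000000
msDS-UserPasswordExpiryTimeComputed: 131744016000000000
"""


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD large-integer timestamp (100 ns ticks) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ldif(text: str) -> dict:
    """Return the attributes of a single LDIF record; folded continuation lines are joined."""
    text = re.sub(r"\n ", "", text)  # LDIF folds long values onto lines starting with a space
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
    return attrs


def password_status(attrs: dict, now: datetime) -> dict:
    """Report when the password was set, when it expires, and whole days left as of 'now'."""
    last_set = filetime_to_datetime(int(attrs["pwdLastSet"]))
    expiry_ticks = int(attrs["msDS-UserPasswordExpiryTimeComputed"])
    if expiry_ticks in NO_EXPIRY:
        return {"last_set": last_set, "expires": None, "days_left": None, "expired": False}
    expires = filetime_to_datetime(expiry_ticks)
    remaining = expires - now
    return {"last_set": last_set, "expires": expires,
            "days_left": remaining.days, "expired": remaining <= timedelta(0)}


if __name__ == "__main__":
    print(password_status(parse_ldif(SAMPLE_LDIF), datetime.now(timezone.utc)))
```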
