[Samba] How to change Domain password as normal user?

Rowland Penny rpenny at samba.org
Sat Mar 31 11:25:14 UTC 2018


On Fri, 30 Mar 2018 20:19:02 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> > On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett
> > <abartlet at samba.org> wrote:
> > >
> > > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > > > 
> > > > Actually, that didn't quite work. It did change the domain
> > > > password, but didn't reset the expiration days. So today, when
> > > > the previous password was set to expire. My account was locked
> > > > out. I had to log onto the AD/DC as the Domain Administrator
> > > > and do 'samba-tool user setpassword'.
> > > > 
> > > > Suggestions on how I can get the expiration back to the
> > > > 'Maximum password age' value?
> > >
> > > This sounds very strange.  Are you sure the password changed on
> > > the DC? Did the msDS-KeyVersionNumber change, did the pwdLastSet
> > > change?
> >
> > Yes, I know it changed on the DC because I was able to use the new
> > password to log into another Windows workstation, and I use the
> > domain credential to log into an internal web application. All
> > these worked with the new PW.  Later, I checked the Linux
> > workstation's /etc/passwd to make sure there was no entry for my
> > user (there wasn't).  It does seem strange. 
> >
> > Unfortunately, I did not check either msDS-KeyVersionNumber or
> > pwdLastSet or even ldbsearch to get
> > msDS-UserPasswordExpiryTimeComputed before I reset the user pw from
> > the domain administrator. Next time!
> >
> > In this thread I've been given 3 more ideas on how to do this:
> >
> > samba-tool -U <myuser> user password
> >
> > smbpasswd
> >
> > kpasswd
> >
> > I'll try each and see which works best for me.
> >
> 
> I'm having some issues with this problem.
> 
> samba-tool -U <myuser> user password
> 
> gives me the error:
> 
> samba-tool: error: no such option: -U
> 
> Perhaps my version is too old (4.4.16)?

No, the syntax is wrong, it should be:

samba-tool user password -U <myuser>

This will then prompt the user for their 'oldpassword' and then the new
password (twice). There is a gotcha though, as given it will only work
on a DC, to do the password change from a Unix domain member, you need
to add '--ipaddress=DCIPADDRESS'

> 
> I did successfully change my domain password with kpasswd.  I was
> able to log into Linux and Windows workstations, Dovecot client, and
> a web site which uses ntml_auth.  I checked the
> msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain
> setting is max 90 days).  I checked the next day (yesterday) and it
> was still 89 days.  I went to log into the Windows workstation and
> Linux workstation today and was locked out! This is exactly the same
> thing that happened when I used passwd (see above). 
> 
> Any idea why?

Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
ldbsearch below ? If so, is the result actually '89' are you using some
calculation to get '89' ? I ask this because I would expect the
attribute to contain something like '9223372036854775807'

> 
> I'd like to try using smbpasswd next, but before I do I'd like to see
> the current msDS-UserPasswordExpiryTimeComputed. Of course, I cannot
> do this as my user because I can't log in. Is there a way to see this
> value as the domain administrator? I've tried:
> 
> /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s
> sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))"
> msDS-UserPasswordExpiryTimeComputed
> 
> but that is asking for myuser's password, even as Dom Admin.
> 
> How can I view the user's password expiration settings?

If you are trying to find out if the users password has expired or is
near to, you can use rpcclient for this.

Rowland
 




More information about the samba mailing list