[Samba] How to change Domain password as normal user?
mfoley at ohprs.org
Sat Mar 31 15:42:07 UTC 2018
On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org> wrote:
> On Fri, 30 Mar 2018 20:19:02 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
> > > On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett
> > > <abartlet at samba.org> wrote:
> > > >
> > > > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > > > >
> > > > > Actually, that didn't quite work. It did change the domain
> > > > > password, but didn't reset the expiration days. So today, when
> > > > > the previous password was set to expire. My account was locked
> > > > > out. I had to log onto the AD/DC as the Domain Administrator
> > > > > and do 'samba-tool user setpassword'.
> > > In this thread I've been given 3 more ideas on how to do this:
> > >
> > > samba-tool -U <myuser> user password
> > > smbpasswd
> > > kpasswd
> > >
> > > I'll try each and see which works best for me.
> > >
> > I'm having some issues with this problem.
> > samba-tool -U <myuser> user password
> > gives me the error:
> > samba-tool: error: no such option: -U
> No, the syntax is wrong, it should be:
> samba-tool user password -U <myuser>
> This will then prompt the user for their 'oldpassword' and then the new
> password (twice). There is a gotcha though, as given it will only work
> on a DC, to do the password change from a Unix domain member, you need
> to add '--ipaddress=DCIPADDRESS'
I'll try that after I've figured out what the user's expiration status is. With respect to this
command, would the full syntax be:
samba-tool user password -U <myuser> --ipaddress=192.168.0.2
I've tried that with no syntax error, but haven't pulled the trigger yet to change the
password. I've also tried --ipaddress=dchostname which also did not give a syntax error.
> > I did successfully change my domain password with kpasswd. I was
> > able to log into Linux and Windows workstations, Dovecot client, and
> > a web site which uses ntml_auth. I checked the
> > msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain
> > setting is max 90 days). I checked the next day (yesterday) and it
> > was still 89 days. I went to log into the Windows workstation and
> > Linux workstation today and was locked out! This is exactly the same
> > thing that happened when I used passwd (see above).
> > Any idea why?
> Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> ldbsearch below ? If so, is the result actually '89' are you using some
> calculation to get '89' ? I ask this because I would expect the
> attribute to contain something like '9223372036854775807'
Yes, the same ldbsearch. In fact, that and the calculation were given to me by you a couple of
years ago. The rest of the calculation is:
where $expireTime is the value returned by ldbsearch grep'ped for msDS-UserPasswordExpiryTimeComputed.
> > I'd like to try using smbpasswd next, but before I do I'd like to see
> > the current msDS-UserPasswordExpiryTimeComputed. Of course, I cannot
> > do this as my user because I can't log in. Is there a way to see this
> > value as the domain administrator? I've tried:
> > /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s
> > sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))"
> > msDS-UserPasswordExpiryTimeComputed
> > but that is asking for myuser's password, even as Dom Admin.
> > How can I view the user's password expiration settings?
> If you are trying to find out if the users password has expired or is
> near to, you can use rpcclient for this.
I did the following:
# rpcclient -U "" -N 192.168.0.2
rpcclient $> enumdomusers
rpcclient $> queryuser 0x457
User Name : mark
Full Name : Mark Foley
(empty lines removed)
Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
user_rid : 0x457
acb_info : 0x00000010
Not sure I see where the expiration is except that Kickoff Time is set to Dec 31st, 1969 which
is likely a zero in that field. Is that the problem?
Why would passwd and kpasswd not reset that?
More information about the samba