[Samba] How to change Domain password as normal user?

Mark Foley mfoley at ohprs.org
Sat Mar 31 15:42:07 UTC 2018


On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org> wrote:
>
> On Fri, 30 Mar 2018 20:19:02 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > > On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett
> > > <abartlet at samba.org> wrote:
> > > >
> > > > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > > > > 
> > > > > Actually, that didn't quite work. It did change the domain
> > > > > password, but didn't reset the expiration days. So today, when
> > > > > the previous password was set to expire, my account was locked
> > > > > out. I had to log onto the AD/DC as the Domain Administrator
> > > > > and do 'samba-tool user setpassword'.
[deleted]
> > > In this thread I've been given 3 more ideas on how to do this:
> > >
> > > samba-tool -U <myuser> user password
> > > smbpasswd
> > > kpasswd
> > >
> > > I'll try each and see which works best for me.
> > >

> > 
> > I'm having some issues with this problem.
> > 
> > samba-tool -U <myuser> user password
> > 
> > gives me the error:
> > 
> > samba-tool: error: no such option: -U
>
> No, the syntax is wrong, it should be:
>
> samba-tool user password -U <myuser>
>
> This will then prompt the user for their 'oldpassword' and then the new
> password (twice). There is a gotcha though, as given it will only work
> on a DC, to do the password change from a Unix domain member, you need
> to add '--ipaddress=DCIPADDRESS'

I'll try that after I've figured out what the user's expiration status is. With respect to this
command, would the full syntax be:

samba-tool user password -U <myuser> --ipaddress=192.168.0.2

I've tried that with no syntax error, but haven't pulled the trigger yet to change the
password. I've also tried --ipaddress=dchostname which also did not give a syntax error.

> > I did successfully change my domain password with kpasswd.  I was
> > able to log into Linux and Windows workstations, Dovecot client, and
> > a web site which uses ntlm_auth.  I checked the
> > msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain
> > setting is max 90 days).  I checked the next day (yesterday) and it
> > was still 89 days.  I went to log into the Windows workstation and
> > Linux workstation today and was locked out! This is exactly the same
> > thing that happened when I used passwd (see above). 
> > 
> > Any idea why?
>
> Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> ldbsearch below ? If so, is the result actually '89', or are you using
> some calculation to get '89' ? I ask this because I would expect the
> attribute to contain something like '9223372036854775807'

Yes, the same ldbsearch.  In fact, that and the calculation were given to me by you a couple of
years ago.  The rest of the calculation is:

expireDate=$(( expireTime / 10000000 - 11644473600 ))   # FILETIME (100 ns ticks since 1601-01-01) -> Unix epoch seconds
today=$(date +%s)
togo=$(( (expireDate - today) / 86400 ))                # whole days remaining

where $expireTime is the value returned by ldbsearch grep'ped for msDS-UserPasswordExpiryTimeComputed.

> > I'd like to try using smbpasswd next, but before I do I'd like to see
> > the current msDS-UserPasswordExpiryTimeComputed. Of course, I cannot
> > do this as my user because I can't log in. Is there a way to see this
> > value as the domain administrator? I've tried:
> > 
> > /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s
> > sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))"
> > msDS-UserPasswordExpiryTimeComputed
> > 
> > but that is asking for myuser's password, even as Dom Admin.
> > 
> > How can I view the user's password expiration settings?
>
> If you are trying to find out if the users password has expired or is
> near to, you can use rpcclient for this.
>
> Rowland

I did the following:

# rpcclient -U "" -N 192.168.0.2    
rpcclient $> enumdomusers
:
user:[mark] rid:[0x457]
:
rpcclient $> queryuser 0x457
        User Name   :   mark
        Full Name   :   Mark Foley
(empty lines removed)
        Logon Time               :      Thu, 29 Mar 2018 17:12:54 EDT
        Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
        Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
        Password last set Time   :      Wed, 28 Mar 2018 23:59:08 EDT
        Password can change Time :      Wed, 28 Mar 2018 23:59:08 EDT
        Password must change Time:      Wed, 27 Jun 2018 00:00:11 EDT
        unknown_2[0..31]...
        user_rid :      0x457
        group_rid:      0x201
        acb_info :      0x00000010
        fields_present: 0x08ffffff
        logon_divs:     168
        bad_password_count:     0x00000001
        logon_count:    0x00000000
        padding1[0..7]...
        logon_hrs[0..21]...

Not sure I see where the expiration is except that Kickoff Time is set to Dec 31st, 1969 which
is likely a zero in that field. Is that the problem?

Why would passwd and kpasswd not reset that?

--Mark
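The following is an added example, not code from the thread or from the Samba project. It carries the FILETIME-to-days calculation quoted above through as a small POSIX shell script, and also handles the two values for which the plain subtraction gives a nonsense result: 9223372036854775807 (0x7FFFFFFFFFFFFFFF), which the DC returns when the password never expires, and 0, which it returns when the password must be changed at next logon. The ldbsearch output it parses is constructed to match the thread's domain (DC=hprs,DC=local, user mark); the FILETIME value and the "now" timestamp are made up so the result is reproducible offline. The ldbsearch invocation in the comment assumes a DC reachable as ldap://mail and an administrator account named Administrator.

```shell
#!/bin/sh
# Added example: convert msDS-UserPasswordExpiryTimeComputed to a Unix
# epoch and to days remaining, handling the two sentinel values.
#
# The attribute is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00:00 UTC. To run this against a real DC (assumption:
# DC at ldap://mail, account "Administrator"), feed it the output of:
#   ldbsearch -H ldap://mail -U Administrator -b "DC=hprs,DC=local" \
#       "(sAMAccountName=mark)" msDS-UserPasswordExpiryTimeComputed

NEVER_EXPIRES=9223372036854775807   # 0x7FFFFFFFFFFFFFFF: password never expires
MUST_CHANGE=0                       # pwdLastSet is 0: must change at next logon
EPOCH_DIFF=11644473600              # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SEC=10000000              # 100 ns ticks per second

# Constructed sample of what ldbsearch prints for the query above.
# 131745456110000000 == 2018-06-27 04:00:11 UTC (made up for this example).
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131745456110000000

# returned 1 records
# 1 entries
# 0 referrals'

# extract_expiry LDB_OUTPUT: print the attribute value, nothing else.
extract_expiry() {
    printf '%s\n' "$1" | sed -n 's/^msDS-UserPasswordExpiryTimeComputed: *//p'
}

# filetime_to_epoch FILETIME: Unix epoch seconds (integer division drops
# the sub-second ticks). Only meaningful for non-sentinel values.
filetime_to_epoch() {
    echo $(( $1 / TICKS_PER_SEC - EPOCH_DIFF ))
}

# password_days_left FILETIME [NOW_EPOCH]: prints one of
#   never        - password never expires
#   must-change  - pwdLastSet is 0, change required at next logon
#   expired      - expiry time is not in the future
#   <n>          - whole days until expiry
# NOW_EPOCH defaults to the current time; pass it explicitly for testing.
password_days_left() {
    ft=$1
    now=${2:-$(date +%s)}
    if [ "$ft" -eq "$NEVER_EXPIRES" ]; then
        echo never
        return 0
    fi
    if [ "$ft" -eq "$MUST_CHANGE" ]; then
        echo must-change
        return 0
    fi
    expire=$(filetime_to_epoch "$ft")
    if [ "$expire" -le "$now" ]; then
        echo expired
        return 0
    fi
    echo $(( (expire - now) / 86400 ))
}

# Stand-alone run on the constructed sample. 1522510927 is
# 2018-03-31 15:42:07 UTC, the date of the message above.
sample_ft=$(extract_expiry "$SAMPLE_LDB_OUTPUT")
echo "expiry FILETIME : $sample_ft"
echo "expiry epoch    : $(filetime_to_epoch "$sample_ft")"
echo "days left       : $(password_days_left "$sample_ft" 1522510927)"
echo "never-expires   : $(password_days_left "$NEVER_EXPIRES" 1522510927)"
echo "must-change     : $(password_days_left "$MUST_CHANGE" 1522510927)"
```

The point of the two sentinel checks is that the raw subtraction in the thread silently turns 0x7FFFFFFFFFFFFFFF into a date roughly 30,000 years out and 0 into a date in 1601, so a script that only prints "days to go" will report an absurd positive or negative number instead of saying the password never expires or must be changed now.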
