[Samba] How to change Domain password as normal user?

Rowland Penny rpenny at samba.org
Sat Mar 31 16:04:22 UTC 2018 

On Sat, 31 Mar 2018 11:42:07 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org>
> wrote:
> >
> > This will then prompt the user for their 'oldpassword' and then the
> > new password (twice). There is a gotcha though, as given it will
> > only work on a DC, to do the password change from a Unix domain
> > member, you need to add '--ipaddress=DCIPADDRESS'
> 
> I'll try that after I've figured out what the user's expiration
> status is. With respect to this command, would the full syntax be:
> 
> samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> 
> I've tried that with no syntax error, but haven't pulled the trigger
> yet to change the password. I've also tried --ipaddress=dchostname
> which also did not give a syntax error.

Never tried it with the hostname, but I think the option name gives a
big hint ;-)

> > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > ldbsearch below ? If so, is the result actually '89' are you using
> > some calculation to get '89' ? I ask this because I would expect the
> > attribute to contain something like '9223372036854775807'
> 
> Yes, the same ldbsearch.  In fact, that and the calculation were
> given to me by you a couple of years ago.  The rest of the
> calculation is:
> 

OK

> >
> > If you are trying to find out if the users password has expired or
> > is near to, you can use rpcclient for this.

> 
> I did the following:
> 
> # rpcclient -U "" -N 192.168.0.2    
> rpcclient $> enumdomusers
> :
> user:[mark] rid:[0x457]
> :
> rpcclient $> queryuser 0x457
>         User Name   :   mark
>         Full Name   :   Mark Foley
> (empty lines removed)
>         Logon Time               :      Thu, 29 Mar 2018 17:12:54 EDT
>         Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
>         Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
>         Password last set Time   :      Wed, 28 Mar 2018 23:59:08 EDT
>         Password can change Time :      Wed, 28 Mar 2018 23:59:08 EDT
>         Password must change Time:      Wed, 27 Jun 2018 00:00:11 EDT

> Not sure I see where the expiration is except that Kickoff Time is
> set to Dec 31st, 1969 which is likely a zero in that field. Is that
> the problem?

When the users password expires it must be changed (hint, hint) ;-)
Or an even bigger hint, the user needs to change their password before
the 27th of June
 
> 
> Why would passwd and kpasswd not reset that?

I have no real idea, but it might have something to do with neither of
having anything to do with AD.

Rowland

More information about the samba mailing list