[Samba] How to change Domain password as normal user?
rpenny at samba.org
Sat Mar 31 16:04:22 UTC 2018
On Sat, 31 Mar 2018 11:42:07 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org>
> > This will then prompt the user for their 'oldpassword' and then the
> > new password (twice). There is a gotcha though, as given it will
> > only work on a DC, to do the password change from a Unix domain
> > member, you need to add '--ipaddress=DCIPADDRESS'
> I'll try that after I've figured out what the user's expiration
> status is. With respect to this command, would the full syntax be:
> samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> I've tried that with no syntax error, but haven't pulled the trigger
> yet to change the password. I've also tried --ipaddress=dchostname
> which also did not give a syntax error.
Never tried it with the hostname, but I think the option name gives a
big hint ;-)
> > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > ldbsearch below? If so, is the result actually '89', or are you using
> > some calculation to get '89' ? I ask this because I would expect the
> > attribute to contain something like '9223372036854775807'
> Yes, the same ldbsearch. In fact, that and the calculation were
> given to me by you a couple of years ago. The rest of the
> calculation is:
> > If you are trying to find out if the user's password has expired or
> > is near to, you can use rpcclient for this.
> I did the following:
> # rpcclient -U "" -N 192.168.0.2
> rpcclient $> enumdomusers
> user:[mark] rid:[0x457]
> rpcclient $> queryuser 0x457
> User Name : mark
> Full Name : Mark Foley
> (empty lines removed)
> Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
> Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
> Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
> Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
> Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
> Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
> Not sure I see where the expiration is except that Kickoff Time is
> set to Dec 31st, 1969 which is likely a zero in that field. Is that
> the problem?
When the user's password expires it must be changed (hint, hint) ;-)
Or an even bigger hint, the user needs to change their password before
the 27th of June.
> Why would passwd and kpasswd not reset that?
I have no real idea, but it might have something to do with neither of
them having anything to do with AD.
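
Added example, not part of the original message and not the calculation mentioned in the thread: one way to turn 'msDS-UserPasswordExpiryTimeComputed' values from ldbsearch output into an expiry date and days remaining, including the 0 and '9223372036854775807' special cases. The attribute counts 100-nanosecond intervals since 1601-01-01 UTC; the sample LDIF, DNs and account names are constructed, with the first value chosen to match the "Password must change Time" shown by rpcclient above.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # 9223372036854775807: password never expires
ATTR = "msDS-UserPasswordExpiryTimeComputed"

# Constructed ldbsearch-style output; DNs and account names are made up.
SAMPLE_LDIF = """\
dn: CN=Mark,CN=Users,DC=example,DC=com
sAMAccountName: mark
msDS-UserPasswordExpiryTimeComputed: 131745456110000000

dn: CN=svc-backup,CN=Users,DC=example,DC=com
msDS-UserPasswordExpiryTimeComputed: 9223372036854775807
sAMAccountName: svc-backup

dn: CN=newhire,CN=Users,DC=example,DC=com
sAMAccountName: newhire
msDS-UserPasswordExpiryTimeComputed: 0
"""

def parse_records(ldif):
    """Split LDIF text into one {attribute: value} dict per record."""
    records, current = [], {}
    for line in ldif.splitlines() + [""]:
        if not line.strip():
            records += [current] if current else []
            current = {}
        elif not line.startswith("#") and ": " in line:
            key, _, value = line.partition(": ")
            current[key] = value.strip()
    return records

def classify(raw, now):
    """Return (status, expiry datetime or None, whole days left or None)."""
    if raw == 0:  # no password-set time recorded: change required at next logon
        return ("must-change-at-next-logon", None, None)
    if raw >= NEVER:
        return ("never-expires", None, None)
    expires = FILETIME_EPOCH + timedelta(microseconds=raw // 10)
    return ("expired" if expires <= now else "valid", expires, (expires - now).days)

def report(ldif, now):
    """Map each sAMAccountName to its classify() result."""
    return {r["sAMAccountName"]: classify(int(r[ATTR]), now)
            for r in parse_records(ldif) if ATTR in r and "sAMAccountName" in r}

if __name__ == "__main__":
    for user, result in report(SAMPLE_LDIF, datetime.now(timezone.utc)).items():
        print(user, *result)
```
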