[Samba] rpcclient & smbpasswd user PASSWORD_MUST_CHANGE

Jeremy Brousseau jeremy.brousseau at outlook.com
Wed Jul 22 13:31:02 UTC 2020 

Hello,

First of all I would like to apologize if my mail is not clear, this is my first time doing this kind of things !

I'm currently working within a small AD environment within a single forest-domain which is the following :
   - DC Windows 2016
   - Archlinux with samba version 4.12.3

I currently have a standard domain user named 'test' which has the attribute PASSWORD_MUST_CHANGE set and my goal is to change this password.  During my test is used the following client
- rpcclient 4.12.3
-smbpasswd

When trying to change the password of the user 'test' with smbpasswd i have  no issue and this is behaving like expected (smbpasswd -r 10.10.10.2 -U "CORP.LOCAL\TEST" )
Commands:
  smbpasswd -r 10.10.10.193 -U "CORP.LOCAL\test"
  Old SMB password:
  New SMB password:
  Retype new SMB password:
  Password changed for user test

My main problem is that when trying to do the same with rpcclient using the 'chgpasswd2' with an anonymous logon I simply got an ACCESS_DENIED. I decided to ran wirehsark to see what happen under the hood for both clients. The main diff>

Commands :
  rpcclient -U "" 10.10.10.2
  Enter WORKGROUP\'s password:
  rpcclient $> chgpasswd2 test Password01! Password02!
  result was NT_STATUS_ACCESS_DENIED

Also when using rpcclient client with another account which is a  domain user (i.e : Test2) and calling 'chgpasswd2' on the user 'Test' this is working fine ! (Indeed the Connect5 worked and thus 'ChangePasswordUser2 get called)

Commands:
  rpcclient -U "CORP.LOCAL\TEST2" 10.10.10.2
  Enter CORP.LOCAL\TEST2's password:
  rpcclient $> chgpasswd2 test Password01! Password02!
  rpcclient $>

I tried to dig into the code on github on the cli_samr.c / passchange.c / smbpasswd.c and in the end they are all using the same function (rpccli_samr_chgpasswd_user2) and i could not spot the difference between the call made by rpcclie>

So here are my two main questions :
-Why is rpcclient issuing a 'Connect5/4/2' before calling the 'ChangePasswordUser2' method whereas 'smbpasswd' does not ?
-Is this a normal behavior ? Why do rpcclient do not simply use the 'SamrUnicodeChangePasswordUser2'  with the already establish anonymous logon as stated in the Microsoft documentation ?
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/41d7ca60-909f-4d0d-b85a-c9a35b5f2aaa

Thank you very much in advance for taking the time to read this e-mail, and sorry if this questions has already been answered somewhere else but i just could not find any answer with my google fu !

Best Regards,
Jerem

More information about the samba mailing list