Re: [Samba] remote password change, if password is expired
- Date: Wed, 28 Mar 2018 06:17:08 +1300
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] remote password change, if password is expired
On Tue, 2018-03-27 at 15:44 +0200, Marco Gaiarin via samba wrote:
> Hello! Waishon via samba
> On that day wrote...
> > If you would like to write something of your own using PHP, you can use this library:
> > https://github.com/ldaptools/ldaptools
> > Then ask the users on the web page for their username and password and bind to the LDAP server with them.
> > Then you have to send a delete request for the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query, otherwise Samba denies the change.
> Good hint! Thanks!
> But I think that in this way the password policy and the 'check password
> script' are not honoured, e.g. you modify the LDAP data directly without
> password quality checks.
The password policy checks are, in Active Directory, applied even on
LDAP password changes.
To change an expired password the bind needs to be as a service user
and the password change needs to then reference the expired user (which
is the part we got subtly wrong in the security issue earlier this
> For this reason I prefer to use ''standard'' tools, e.g. PAM/winbind.
pam_winbind should do it. It uses the SAMR password change but binds
to SAMR as the machine account, so should be able to change an expired
I hope this helps,
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
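The unicodePwd delete+add change Waishon describes, and the service-account bind Andrew recommends for an expired password, as an added example. This is not code from the thread, from ldaptools or from Samba; it is written against the third-party Python ldap3 library (assumed installed for the network part only; the encoding and change-builder helpers are plain standard library), and the DNs, host and passwords below are hypothetical placeholders.

```python
"""Change or reset a user's unicodePwd on an AD / Samba AD DC over LDAP.

Added example for this thread; not the thread's, ldaptools' or Samba's code.
Network calls use the third-party ldap3 library (imported lazily so the
encoding helpers can be exercised offline); every DN/host is a placeholder.
"""
from typing import List, Tuple

# (operation, value) pairs; mapped to ldap3 modify constants at send time.
Change = List[Tuple[str, bytes]]


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes and
    encoded as UTF-16-LE with no byte-order mark."""
    return ('"' + password + '"').encode("utf-16-le")


def build_user_change(old_password: str, new_password: str) -> Change:
    """User-style change: delete the old value and add the new one in ONE
    modify operation. The DC verifies the old value and applies password
    policy (length, complexity, history, minimum age) to the new one.
    Sending the delete and the add as two separate modifies is rejected."""
    return [("delete", encode_unicode_pwd(old_password)),
            ("add", encode_unicode_pwd(new_password))]


def build_admin_reset(new_password: str) -> Change:
    """Administrative reset: a single replace. Requires the Reset Password
    right on the target object; no old password is checked."""
    return [("replace", encode_unicode_pwd(new_password))]


def apply_change(conn, user_dn: str, change: Change) -> bool:
    """Send a prepared change over an existing ldap3 Connection.
    The DC refuses unicodePwd modifications on a cleartext connection,
    so the connection must be LDAPS or StartTLS. Returns True on success;
    the server's diagnostic message is in conn.result afterwards."""
    from ldap3 import MODIFY_ADD, MODIFY_DELETE, MODIFY_REPLACE  # third-party
    ops = {"add": MODIFY_ADD, "delete": MODIFY_DELETE, "replace": MODIFY_REPLACE}
    mods = {"unicodePwd": [(ops[op], [value]) for op, value in change]}
    return conn.modify(user_dn, mods)


def change_password_for(user_dn: str, old_password: str, new_password: str,
                        host: str, service_dn: str, service_password: str):
    """Bind as a service account, then submit the delete+add change for
    the target user. A user whose password has expired cannot bind
    themselves, but the change can still be submitted on their behalf and
    the DC still checks the old value and the policy against it."""
    from ldap3 import Server, Connection  # third-party, assumed installed
    server = Server(host, port=636, use_ssl=True)
    with Connection(server, user=service_dn, password=service_password,
                    auto_bind=True) as conn:
        ok = apply_change(conn, user_dn,
                          build_user_change(old_password, new_password))
        return ok, dict(conn.result)


if __name__ == "__main__":
    # Placeholder values; nothing here is a real host or account.
    ok, result = change_password_for(
        "CN=Alice,CN=Users,DC=example,DC=test", "OldPassw0rd!", "N3wPassw0rd!",
        "dc1.example.test",
        "CN=pwchange-svc,CN=Users,DC=example,DC=test", "service-secret")
    print(ok, result.get("description"), result.get("message"))
```

ldap3 also ships a helper for exactly this pair of operations, `conn.extend.microsoft.modify_password(user_dn, new_password, old_password=None)`, which issues the same delete+add when an old password is given and a replace when it is not; the explicit form above just makes the two shapes visible. A failed change comes back with `ok == False` and the DC's reason in `result["message"]`, which is where a policy rejection (too short, in history, too young) shows up.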