
Re: [Samba] How to change Domain password as normal user?




On Tue, 2018-03-27 at 13:38 -0400, Mark Foley via samba wrote:
> On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel@xxxxxxxxxxx> wrote:
> > 
> > On 26.03.2018 at 06:31, Mark Foley via samba wrote:
> > > As a normal user, I want to change my Domain Password. I've tried:
> > > 
> > > $ samba-tool user setpassword myuserId --newpassword='mynewpassword'
> > > 
> > > but get the error:
> > > 
> > > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file
> > > /var/lib/samba/private/sam.ldb: Permission denied
> > > 
> > > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open
> > > tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb':
> > > Permission denied
> > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602, in run
> > >     credentials=creds, lp=lp)
> > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
> > >     options=options)
> > >   File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
> > >     self.connect(url, flags, options)
> > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
> > >     options=options)
> > > 
> > > How do I do this?
> > > 
> > 
> > I don't think it's a good idea to change your password directly on the DC
> > with a normal user login. You don't have rights to the "holy" sam.ldb.
> > 
> > I'll refer the way to change the password from a joined linuxclient, by
> > example via pam with the normal passwd program or kpasswd (if you have
> > kerberos clients progs installed) or from a joined windows client.
> > 
> 
> I'm trying this from a domain member, and from a yad script that runs upon login and checks the
> expiration of the password.  It was a script given to me by Roland, but probably he expected the
> change to be done from root.
> 
> I can change the pw using the normal 'passwd', and that does change the domain credentials, but
> as this is done in a script, I need something that will work with stdin.  I've tried chpasswd,
> but that is only permitted by root.  The following did work for me in the yad script:
> 
> passwd <<EOF
> $oldpw
> $newpw
> $newpw
> EOF

Also see the other thread, but tools like smbpasswd are for this, as is
'samba-tool user password'.  Both do a remote password change, which
is what you want.  The mentions of kpasswd above are also correct.

There are many ways to skin this cat :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
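
A sketch of the remote, stdin-driven change suggested in this reply, added here as an example; it is not code from the thread or from the Samba project. It assumes smbpasswd's documented `-s` (read passwords from standard input), `-r` (remote machine) and `-U` (user) options and the non-root input order of old password, new password, new password; `SMBPASSWD_BIN` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: non-interactive remote password change for an unprivileged
# domain user. SMBPASSWD_BIN is a hypothetical override so the call can be
# pointed at a stub during testing; it is not a Samba setting.

# build_pw_input OLD NEW
# Emit the three lines assumed to be read by "smbpasswd -s" for a non-root
# user: old password, new password, new password again.
build_pw_input() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$2"
}

# change_domain_password USER DC OLD NEW
# Returns 2 on bad input, otherwise the exit status of smbpasswd.
# The body runs in a subshell so no variable leaks into the caller.
change_domain_password() (
    user=$1 dc=$2 old=$3 new=$4
    nl='
'
    [ -n "$user" ] && [ -n "$dc" ] || { echo "user and DC required" >&2; exit 2; }
    [ -n "$old" ] && [ -n "$new" ] || { echo "empty password" >&2; exit 2; }
    # A newline inside a password would shift the lines smbpasswd reads,
    # so the wrong string could end up as the new password.
    case "$old$new" in
        *"$nl"*) echo "password contains a newline" >&2; exit 2 ;;
    esac
    # printf is a builtin in bash and dash, so the secrets are written to
    # the pipe by the shell itself and never appear in a process argv.
    build_pw_input "$old" "$new" |
        "${SMBPASSWD_BIN:-smbpasswd}" -s -r "$dc" -U "$user"
)
```

Unlike `--newpassword='...'` on a command line, nothing here places the password in an argument list that other local users can read from the process table.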

