
Re: [Samba] How to change Domain password as normal user?

On Fri, 30 Mar 2018 20:19:02 -0400
Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:

> > On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett
> > <abartlet@xxxxxxxxx> wrote:
> > >
> > > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > > > 
> > > > Actually, that didn't quite work. It did change the domain
> > > > password, but didn't reset the expiration days. So today, when
> > > > the previous password was set to expire, my account was locked
> > > > out. I had to log onto the AD/DC as the Domain Administrator
> > > > and do 'samba-tool user setpassword'.
> > > > 
> > > > Suggestions on how I can get the expiration back to the
> > > > 'Maximum password age' value?
> > >
> > > This sounds very strange.  Are you sure the password changed on
> > > the DC? Did the msDS-KeyVersionNumber change, did the pwdLastSet
> > > change?
> >
> > Yes, I know it changed on the DC because I was able to use the new
> > password to log into another Windows workstation, and I use the
> > domain credential to log into an internal web application. All
> > these worked with the new PW.  Later, I checked the Linux
> > workstation's /etc/passwd to make sure there was no entry for my
> > user (there wasn't).  It does seem strange. 
> >
> > Unfortunately, I did not check either msDS-KeyVersionNumber or
> > pwdLastSet or even ldbsearch to get
> > msDS-UserPasswordExpiryTimeComputed before I reset the user pw from
> > the domain administrator. Next time!
> >
> > In this thread I've been given 3 more ideas on how to do this:
> >
> > samba-tool -U <myuser> user password
> >
> > smbpasswd
> >
> > kpasswd
> >
> > I'll try each and see which works best for me.
> >
> 
> I'm having some issues with this problem.
> 
> samba-tool -U <myuser> user password
> 
> gives me the error:
> 
> samba-tool: error: no such option: -U
> 
> Perhaps my version is too old (4.4.16)?

No, the syntax is wrong, it should be:

samba-tool user password -U <myuser>

This will then prompt the user for their 'oldpassword' and then the new
password (twice). There is a gotcha though: as given, it will only work
on a DC. To do the password change from a Unix domain member, you need
to add '--ipaddress=DCIPADDRESS'.

> 
> I did successfully change my domain password with kpasswd.  I was
> able to log into Linux and Windows workstations, Dovecot client, and
> a web site which uses ntlm_auth.  I checked the
> msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain
> setting is max 90 days).  I checked the next day (yesterday) and it
> was still 89 days.  I went to log into the Windows workstation and
> Linux workstation today and was locked out! This is exactly the same
> thing that happened when I used passwd (see above). 
> 
> Any idea why?

Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
ldbsearch below? If so, is the result actually '89', or are you using
some calculation to get '89'? I ask this because I would expect the
attribute to contain something like '9223372036854775807'.

> 
> I'd like to try using smbpasswd next, but before I do I'd like to see
> the current msDS-UserPasswordExpiryTimeComputed. Of course, I cannot
> do this as my user because I can't log in. Is there a way to see this
> value as the domain administrator? I've tried:
> 
> /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s
> sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))"
> msDS-UserPasswordExpiryTimeComputed
> 
> but that is asking for myuser's password, even as Dom Admin.
> 
> How can I view the user's password expiration settings?

If you are trying to find out if the user's password has expired or is
near to it, you can use rpcclient for this.

Rowland
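To make Rowland's point about the raw attribute concrete, here is an added Python example (not code from the thread or from Samba) that decodes msDS-UserPasswordExpiryTimeComputed from ldbsearch-style output, including the 9223372036854775807 "never expires" sentinel. The LDIF snippet, the FILETIME value and the reference date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD returns msDS-UserPasswordExpiryTimeComputed as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC, with two special values.
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF   # 9223372036854775807: no expiry
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed "today" for the worked example (the thread's date), not a real clock.
THREAD_DATE = datetime(2018, 3, 31, tzinfo=timezone.utc)

# Constructed ldbsearch output; the DN and the value are made up for the example.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=myuser,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131746176000000000

# returned 1 records
"""

def parse_expiry(ldb_output: str) -> int:
    """Pull the raw integer attribute value out of LDIF-style ldbsearch output."""
    for line in ldb_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "msDS-UserPasswordExpiryTimeComputed":
            return int(value.strip())
    raise ValueError("msDS-UserPasswordExpiryTimeComputed not in output")

def filetime_to_datetime(ft: int):
    """Convert a FILETIME to an aware UTC datetime; None for 0 or the sentinel."""
    if ft <= 0 or ft >= NEVER_EXPIRES:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)

def days_until_expiry(ft: int, now: datetime):
    """Whole days until expiry (negative once expired); None if not a real date."""
    expiry = filetime_to_datetime(ft)
    return None if expiry is None else (expiry - now).days

def report(ldb_output: str, now: datetime) -> str:
    """Human-readable verdict, mirroring what an admin wants to know."""
    ft = parse_expiry(ldb_output)
    if ft >= NEVER_EXPIRES:
        return "password never expires"
    if ft == 0:
        return "password already expired / must be changed at next logon"
    days = days_until_expiry(ft, now)
    if days < 0:
        return f"password expired {-days} day(s) ago"
    return f"password expires in {days} day(s)"

if __name__ == "__main__":
    print(report(SAMPLE_LDBSEARCH, datetime.now(timezone.utc)))
```

With the constructed value the sample evaluates to 2018-06-28 UTC, i.e. 89 days after THREAD_DATE, which is the figure quoted in the thread.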
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba