Web lists-archives.com

Re: [Samba] How to change Domain password as normal user?




On Sat, 31 Mar 2018 17:04:22 +0100 Rowland Penny <rpenny@xxxxxxxxx> wrote:
>
> On Sat, 31 Mar 2018 11:42:07 -0400
> Mark Foley via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny@xxxxxxxxx>
> > wrote:
> > >
> > > This will then prompt the user for their 'oldpassword' and then the
> > > new password (twice). There is a gotcha though, as given it will
> > > only work on a DC, to do the password change from a Unix domain
> > > member, you need to add '--ipaddress=DCIPADDRESS'
> > 
> > I'll try that after I've figured out what the user's expiration
> > status is. With respect to this command, would the full syntax be:
> > 
> > samba-tool user password -U <myuser> --ipaddress=192.168.0.2
> > 
> > I've tried that with no syntax error, but haven't pulled the trigger
> > yet to change the password. I've also tried --ipaddress=dchostname
> > which also did not give a syntax error.
>
> Never tried it with the hostname, but I think the option name gives a
> big hint ;-)
>
> > > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the
> > > ldbsearch below ? If so, is the result actually '89' are you using
> > > some calculation to get '89' ? I ask this because I would expect the
> > > attribute to contain something like '9223372036854775807'
> > 
> > Yes, the same ldbsearch.  In fact, that and the calculation were
> > given to me by you a couple of years ago.  The rest of the
> > calculation is:
> > 
>
> OK
>
> > >
> > > If you are trying to find out if the users password has expired or
> > > is near to, you can use rpcclient for this.
>
> > 
> > I did the following:
> > 
> > # rpcclient -U "" -N 192.168.0.2    
> > rpcclient $> enumdomusers
> > :
> > user:[mark] rid:[0x457]
> > :
> > rpcclient $> queryuser 0x457
> >         User Name   :   mark
> >         Full Name   :   Mark Foley
> > (empty lines removed)
> >         Logon Time               :      Thu, 29 Mar 2018 17:12:54 EDT
> >         Logoff Time              :      Wed, 31 Dec 1969 19:00:00 EST
> >         Kickoff Time             :      Wed, 31 Dec 1969 19:00:00 EST
> >         Password last set Time   :      Wed, 28 Mar 2018 23:59:08 EDT
> >         Password can change Time :      Wed, 28 Mar 2018 23:59:08 EDT
> >         Password must change Time:      Wed, 27 Jun 2018 00:00:11 EDT
>
> > Not sure I see where the expiration is except that Kickoff Time is
> > set to Dec 31st, 1969 which is likely a zero in that field. Is that
> > the problem?
>
> When the users password expires it must be changed (hint, hint) ;-)
> Or an even bigger hint, the user needs to change their password before
> the 27th of June
>  
> > 
> > Why would passwd and kpasswd not reset that?
>
> I have no real idea, but it might have something to do with neither of
> having anything to do with AD.
>

I think you're right that although passwd and kpasswd do change the domain password for the
user, "neither of them have anything to do with AD" and hence apparently do not reset the
exipriation day. So, I've now tried:

samba-tool user password -U $USER --ipaddress=192.168.0.2

and that works and does reset the expiration count so that my rpcclient query returns 90 days.
I can also use the AD/DC host name instead of the IP address.

I'm using this as a $HOME/.kde/Autostart script to check the password expiration days-to-go
with the KDE desktop. If less than 8 days to go, it puts up a GUI dialog inviting the user to
change the password. This mimics the functionality of Windows. Without something like this, the
user does not know his password is about to expire and he finds himself locked out.

If anyone is interested in seeing the whole Autostart script. Send me an email.

We'll see in June if this version works!

Thanks --Mark

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba