
Re: [Samba] Difficulties retrieving randomly assigned password for newly created Samba user accounts




Okay, thanks everyone. After I posted I eventually found an answer to my question. Basically, I was doing things wrong here, and the --random-password switch to samba-tool is not intended to be used with user accounts at all - it's actually intended to be used with system accounts only. By design it seems it doesn't report back on the random password that is set.

Previously from Rowland in 2015:

"The whole idea of --random-password is to create a random password for
users that *don't* really need a password i.e. system services

If you want random passwords for users, then either use one of the many
password generators you can find on the internet, or write your own script."

Thanks
Stephen Ellwood


On 29/04/2019 10:34, L.P.H. van Belle via samba wrote:
What the password is, is in the output on your screen, if not, then script it.

kinit Administrator

# function random password.
RANDOMPASSWD(){ < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo; }

# Pull a random into USERPASS
USERPASS="$(RANDOMPASSWD)"

# And create your user.
sudo samba-tool user create "$USERNAME" --given-name="$GIVENNAME" --surname="$SURNAME" \
  --mail-address="$EMAIL" --company="$COMPANY" --password="$USERPASS" --must-change-at-next-login \
  --nis-domain="$WIN_DOMAIN" --unix-home="$UNIXHOMEFOLDERPATH" \
  --home-drive="H" --home-directory="$WINDOWSHOMEFOLDERPATH" \
  --login-shell="/usr/bin/git-shell" --uid-number="$UIDNUMBER" \
   --gid-number=10000 -k

echo "$USERNAME:${USERPASS}" >> new-users.txt

Something like that.

Greetz,

Louis


-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Stephen via samba
Sent: Monday 29 April 2019 11:11
To: samba@xxxxxxxxxxxxxxx
Subject: [Samba] Difficulties retrieving randomly assigned password for newly created Samba user accounts

Hi everyone, I am using Samba 4.5.16-Debian on Raspbian and thanks to
the help offered by everyone here I now finally have a mostly-working
Active Directory network.
I am now at the stage of creating individual user accounts for my
domain and unfortunately I have a very basic but fundamental problem! I
currently enter the following input at the command-line to create a new
user on my DC:

pi@ad1:~ $ sudo samba-tool user create "$USERNAME" \
  --given-name="$GIVENNAME" --surname="$SURNAME" --mail-address="$EMAIL" \
  --company="$COMPANY" --random-password --must-change-at-next-login \
  --nis-domain="$WIN_DOMAIN" --unix-home="$UNIXHOMEFOLDERPATH" \
  --home-drive="H" --home-directory="$WINDOWSHOMEFOLDERPATH" \
  --login-shell="/usr/bin/git-shell" --uid-number="$UIDNUMBER" \
  --gid-number=10000 -U "administrator%$SAMBA_ADMIN_PASSWORD"
User 'stephenellwood' created successfully

After entering this, you see I get a confirmation prompt indicating my
user was created. When I hop onto my domain fileserver, I can see the
new user, and this gives me additional confidence this has actually been
created:

pi@fs1:~ $ wbinfo -u
stephenellwood
administrator
krbtgt
guest

In the switches passed to samba-tool previously you will see that I have
requested both a *random password* and that *this must be changed at
the next login*. Crucially though, how do I find out what
stephenellwood's randomly assigned password actually is so I can login
to this account for the first time?  Without this I am stuck - I have a
new user account with an unknown randomised password and thus
cannot login.

Ultimately since I couldn't retrieve the random password for
stephenellwood I then attempted to reset stephenellwood's password
manually myself to a known string value using samba-tool. Unfortunately
this also didn't seem to work:

sudo samba-tool user password --newpassword="$NEWPASSWORD" -U "Administrator"
Password for [OSSL\Administrator]:
ERROR: Failed to change password : (-1073741716, "samr_ChangePasswordUser3 for 'OSSL\\Administrator' failed: NT_STATUS_PASSWORD_RESTRICTION")

I would really appreciate any help and advice anybody can offer
regarding this matter as I am now stuck at this point :)

Thanks
Stephen Ellwood


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
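
Added example (not part of any message in this thread, and not Samba project code): a variant of the scripted approach above that only emits a password containing an uppercase letter, a lowercase letter and a digit, and keeps the credentials file readable by its owner only. The function names and the CRED_FILE variable are assumptions made for this sketch; the samba-tool switches are the ones already used in the thread.

```shell
#!/bin/sh
# Constructed example: generate a first-login password and record it safely.

# gen_password [LENGTH]: print a random password that is guaranteed to contain
# an uppercase letter, a lowercase letter and a digit; candidates that miss a
# class are discarded and redrawn.
gen_password() {
    gp_len="${1:-16}"
    while :; do
        gp_pw="$(LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c "$gp_len")"
        [ "${#gp_pw}" -eq "$gp_len" ] || continue
        case "$gp_pw" in *[[:upper:]]*) ;; *) continue ;; esac
        case "$gp_pw" in *[[:lower:]]*) ;; *) continue ;; esac
        case "$gp_pw" in *[[:digit:]]*) ;; *) continue ;; esac
        printf '%s\n' "$gp_pw"
        return 0
    done
}

# record_credential FILE USER PASSWORD: append "user:password" to FILE.
# umask 077 covers a newly created file; chmod 600 tightens an existing one.
record_credential() {
    (
        umask 077
        printf '%s:%s\n' "$2" "$3" >> "$1"
    ) && chmod 600 "$1"
}

# create_user USER: needs samba-tool on a DC, so it is not exercised offline.
# Caveat: a password given via --password= is a command-line argument and can
# be visible in the process list while samba-tool runs.
create_user() {
    cu_pw="$(gen_password 16)" || return 1
    samba-tool user create "$1" --password="$cu_pw" --must-change-at-next-login \
        && record_credential "${CRED_FILE:-new-users.txt}" "$1" "$cu_pw"
}
```

The credentials file holds cleartext passwords, so remove each entry once the user has completed the forced password change.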



