On Fri, 30 Mar 2018 20:19:02 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> >
> > > Actually, that didn't quite work. It did change the domain password, but didn't reset the expiration days. So today, when the previous password was set to expire, my account was locked out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.
> > >
> > > Suggestions on how I can get the expiration back to the 'Maximum password age' value?
> >
> > This sounds very strange. Are you sure the password changed on the DC? Did the msDS-KeyVersionNumber change, did the pwdLastSet change?
>
> Yes, I know it changed on the DC because I was able to use the new password to log into another Windows workstation, and I use the domain credential to log into an internal web application. All these worked with the new PW. Later, I checked the Linux workstation's /etc/passwd to make sure there was no entry for my user (there wasn't). It does seem strange.
>
> Unfortunately, I did not check either msDS-KeyVersionNumber or pwdLastSet or even ldbsearch to get msDS-UserPasswordExpiryTimeComputed before I reset the user pw from the domain administrator. Next time!
>
> In this thread I've been given 3 more ideas on how to do this:
>
> samba-tool -U <myuser> user password
>
> smbpasswd
>
> kpasswd
>
> I'll try each and see which works best for me.
>
> I'm having some issues with this problem.
>
> samba-tool -U <myuser> user password
>
> gives me the error:
>
> samba-tool: error: no such option: -U
>
> Perhaps my version is too old (4.4.16)?

No, the syntax is wrong, it should be:

samba-tool user password -U <myuser>

This will then prompt the user for their 'oldpassword' and then the new password (twice). There is a gotcha though, as given it will only work on a DC, to do the password change from a Unix domain member, you need to add '--ipaddress=DCIPADDRESS'

> I did successfully change my domain password with kpasswd. I was able to log into Linux and Windows workstations, Dovecot client, and a web site which uses ntlm_auth. I checked the msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain setting is max 90 days). I checked the next day (yesterday) and it was still 89 days. I went to log into the Windows workstation and Linux workstation today and was locked out! This is exactly the same thing that happened when I used passwd (see above).
>
> Any idea why?

Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the ldbsearch below? If so, is the result actually '89' or are you using some calculation to get '89'? I ask this because I would expect the attribute to contain something like '9223372036854775807'

> I'd like to try using smbpasswd next, but before I do I'd like to see the current msDS-UserPasswordExpiryTimeComputed. Of course, I cannot do this as my user because I can't log in. Is there a way to see this value as the domain administrator? I've tried:
>
> /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))" msDS-UserPasswordExpiryTimeComputed
>
> but that is asking for myuser's password, even as Dom Admin.
>
> How can I view the user's password expiration settings?

If you are trying to find out if the user's password has expired or is near to, you can use rpcclient for this.

Rowland
On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org> wrote:

> On Fri, 30 Mar 2018 20:19:02 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> > >
> > > > Actually, that didn't quite work. It did change the domain password, but didn't reset the expiration days. So today, when the previous password was set to expire, my account was locked out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.

[deleted]

> > In this thread I've been given 3 more ideas on how to do this:
> >
> > samba-tool -U <myuser> user password
> > smbpasswd
> > kpasswd
> >
> > I'll try each and see which works best for me.
> >
> > I'm having some issues with this problem.
> >
> > samba-tool -U <myuser> user password
> >
> > gives me the error:
> >
> > samba-tool: error: no such option: -U
>
> No, the syntax is wrong, it should be:
>
> samba-tool user password -U <myuser>
>
> This will then prompt the user for their 'oldpassword' and then the new password (twice). There is a gotcha though, as given it will only work on a DC, to do the password change from a Unix domain member, you need to add '--ipaddress=DCIPADDRESS'

I'll try that after I've figured out what the user's expiration status is. With respect to this command, would the full syntax be:

samba-tool user password -U <myuser> --ipaddress=192.168.0.2

I've tried that with no syntax error, but haven't pulled the trigger yet to change the password. I've also tried --ipaddress=dchostname which also did not give a syntax error.

> > I did successfully change my domain password with kpasswd. I was able to log into Linux and Windows workstations, Dovecot client, and a web site which uses ntlm_auth. I checked the msDS-UserPasswordExpiryTimeComputed and it was 89 days (the domain setting is max 90 days). I checked the next day (yesterday) and it was still 89 days. I went to log into the Windows workstation and Linux workstation today and was locked out! This is exactly the same thing that happened when I used passwd (see above).
> >
> > Any idea why?
>
> Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the ldbsearch below? If so, is the result actually '89' or are you using some calculation to get '89'? I ask this because I would expect the attribute to contain something like '9223372036854775807'

Yes, the same ldbsearch. In fact, that and the calculation were given to me by you a couple of years ago. The rest of the calculation is:

expireDate=$((($expireTime/10000000)-11644473600))
today=`date +%s`
togo=$((($expireDate-$today)/86400))

where $expireTime is the value returned by ldbsearch grep'ped for msDS-UserPasswordExpiryTimeComputed.

> > I'd like to try using smbpasswd next, but before I do I'd like to see the current msDS-UserPasswordExpiryTimeComputed. Of course, I cannot do this as my user because I can't log in. Is there a way to see this value as the domain administrator? I've tried:
> >
> > /usr/bin/ldbsearch --url=ldap://mail -b "DC=hprs,DC=local" -k yes -s sub "(&(sAMAccountType=805306368)(sAMAccountName=myuser))" msDS-UserPasswordExpiryTimeComputed
> >
> > but that is asking for myuser's password, even as Dom Admin.
> >
> > How can I view the user's password expiration settings?
>
> If you are trying to find out if the user's password has expired or is near to, you can use rpcclient for this.
>
> Rowland

I did the following:

# rpcclient -U "" -N 192.168.0.2
rpcclient $> enumdomusers
:
user:[mark] rid:[0x457]
:
rpcclient $> queryuser 0x457
User Name : mark
Full Name : Mark Foley
(empty lines removed)
Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
unknown_2[0..31]...
user_rid : 0x457
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x08ffffff
logon_divs: 168
bad_password_count: 0x00000001
logon_count: 0x00000000
padding1[0..7]...
logon_hrs[0..21]...

Not sure I see where the expiration is except that Kickoff Time is set to Dec 31st, 1969 which is likely a zero in that field. Is that the problem? Why would passwd and kpasswd not reset that?

--Mark
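The msDS-UserPasswordExpiryTimeComputed conversion discussed above, as an added example that is not Mark's or Rowland's script: it wraps the thread's FILETIME-to-epoch arithmetic in functions, parses the attribute out of ldbsearch output, and handles the two sentinel values that a plain "days to go" calculation misreads (the 9223372036854775807 "never expires" value Rowland mentions, and 0). The function names are assumptions and the ldbsearch output is constructed for the example.

```shell
# Added example: read msDS-UserPasswordExpiryTimeComputed (a FILETIME, i.e.
# 100-nanosecond ticks since 1601-01-01 UTC) and report the expiry status.

EPOCH_DIFF=11644473600        # seconds from 1601-01-01 to 1970-01-01 (UTC)
NEVER=9223372036854775807     # 0x7FFFFFFFFFFFFFFF: password never expires

# Constructed sample of what the ldbsearch in the thread prints for one user.
LDB_OUT='dn: CN=mark,CN=Users,DC=hprs,DC=local
msDS-UserPasswordExpiryTimeComputed: 131745456110000000

# returned 1 records
# 1 entries
# 0 referrals'

# Pull the raw attribute value from ldbsearch output on stdin
# (replaces the grep step mentioned in the thread).
extract_expiry() {
    awk '/^msDS-UserPasswordExpiryTimeComputed:/ { print $2; exit }'
}

# FILETIME -> Unix epoch seconds (the thread's expireDate line, as a function).
filetime_to_epoch() {
    echo $(( $1 / 10000000 - EPOCH_DIFF ))
}

# Classify a FILETIME against NOW (default: the current clock).
# Prints one of: never | must-change-at-logon | expired | <whole days left>
expiry_status() {
    ft=$1; now=${2:-$(date +%s)}
    # Sentinels first: dividing these as if they were dates gives nonsense.
    [ "$ft" = "$NEVER" ] && { echo never; return 0; }
    # Assumption: the DC reports 0 when pwdLastSet is 0 (change at next logon).
    [ "$ft" = 0 ] && { echo must-change-at-logon; return 0; }
    exp=$(filetime_to_epoch "$ft")
    if [ "$exp" -le "$now" ]; then
        echo expired
    else
        echo $(( (exp - now) / 86400 ))
    fi
}

# Stand-alone run: parse the constructed sample and report against the real clock.
ft=$(printf '%s\n' "$LDB_OUT" | extract_expiry)
echo "FILETIME $ft -> epoch $(filetime_to_epoch "$ft"), status: $(expiry_status "$ft")"
```

Because the status is computed in whole days, a value that shows "89" the day after a change and "89" again the next day is plausible only if the clock did not cross a day boundary; comparing the epoch seconds directly, as expiry_status does, removes that ambiguity.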
On Sat, 31 Mar 2018 11:42:07 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Sat, 31 Mar 2018 12:25:14 +0100 Rowland Penny <rpenny at samba.org> wrote:
>
> > This will then prompt the user for their 'oldpassword' and then the new password (twice). There is a gotcha though, as given it will only work on a DC, to do the password change from a Unix domain member, you need to add '--ipaddress=DCIPADDRESS'
>
> I'll try that after I've figured out what the user's expiration status is. With respect to this command, would the full syntax be:
>
> samba-tool user password -U <myuser> --ipaddress=192.168.0.2
>
> I've tried that with no syntax error, but haven't pulled the trigger yet to change the password. I've also tried --ipaddress=dchostname which also did not give a syntax error.

Never tried it with the hostname, but I think the option name gives a big hint ;-)

> > Are you reading 'msDS-UserPasswordExpiryTimeComputed' with the ldbsearch below? If so, is the result actually '89' or are you using some calculation to get '89'? I ask this because I would expect the attribute to contain something like '9223372036854775807'
>
> Yes, the same ldbsearch. In fact, that and the calculation were given to me by you a couple of years ago. The rest of the calculation is:
>

OK

> > If you are trying to find out if the user's password has expired or is near to, you can use rpcclient for this.
>
> I did the following:
>
> # rpcclient -U "" -N 192.168.0.2
> rpcclient $> enumdomusers
> :
> user:[mark] rid:[0x457]
> :
> rpcclient $> queryuser 0x457
> User Name : mark
> Full Name : Mark Foley
> (empty lines removed)
> Logon Time : Thu, 29 Mar 2018 17:12:54 EDT
> Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
> Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
> Password last set Time : Wed, 28 Mar 2018 23:59:08 EDT
> Password can change Time : Wed, 28 Mar 2018 23:59:08 EDT
> Password must change Time: Wed, 27 Jun 2018 00:00:11 EDT
>
> Not sure I see where the expiration is except that Kickoff Time is set to Dec 31st, 1969 which is likely a zero in that field. Is that the problem?

When the user's password expires it must be changed (hint, hint) ;-) Or an even bigger hint, the user needs to change their password before the 27th of June

> Why would passwd and kpasswd not reset that?

I have no real idea, but it might have something to do with neither of them having anything to do with AD.

Rowland