Roel van Meer
2015-Apr-14 15:30 UTC
[Samba] Samba AD changing a user's password as non-root user
Hi!

I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a way to change the password of a user from the command line, as a non-root user.

I know I can use 'smbpasswd', 'samba-tool user setpassword', or 'samba-tool user password', but these all seem to require root privileges. When I run them as root, they work, but when I run them as non-root user, I get:

user1a at test-s4ad:~$ smbpasswd -U dago
Old SMB password:
New SMB password:
Retype new SMB password:
SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was 127.0.0.1, but LANMAN password changes are disabled

or

user1a at test-s4ad:~$ samba-tool user password -U dago
Password for [S4\dago]:
New Password:
Retype Password:
ERROR: Failed to change password : samr_ChangePasswordUser3 for 'S4\dago' failed: NT_STATUS_ACCESS_DENIED

So, is there a possibility to change the password of one user with a commandline tool run by another user (provided he has the old password, of course)?

Thanks a lot,

Roel

PS: In case it matters, my (stripped down) smb.conf is:

[global]
workgroup = S4
realm = s4.local
netbios name = TEST-S4AD
server string = test-s4ad
server role = active directory domain controller
server role check:inhibit = yes
server services = s3fs rpc wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns
security = auto
idmap_ldb:use rfc2307 = yes
interfaces = 192.168.3.3/24 127.255.255.255/8
bind interfaces only = Yes
hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom

dns forwarder = 127.0.0.2

I've already tried adding:

lanman auth = Yes
client lanman auth = Yes

but that didn't change anything.
Andrey Repin
2015-Apr-14 23:06 UTC
[Samba] Samba AD changing a user's password as non-root user
Greetings, Roel van Meer!

> I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a way to
> change the password of a user from the command line, as a non-root user.

> I know I can use 'smbpasswd', 'samba-tool user setpassword', or 'samba-tool
> user password', but these all seem to require root privileges. When I run
> them as root, they work, but when I run them as non-root user, I get:

> user1a at test-s4ad:~$ smbpasswd -U dago
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was
> 127.0.0.1, but LANMAN password changes are disabled

> or

> user1a at test-s4ad:~$ samba-tool user password -U dago
> Password for [S4\dago]:
> New Password:
> Retype Password:
> ERROR: Failed to change password : samr_ChangePasswordUser3 for 'S4\dago' failed: NT_STATUS_ACCESS_DENIED

> So, is there a possibility to change the password of one user with a
> commandline tool run by another user (provided he has the old password, of
> course)?

> Thanks a lot,

> Roel

> PS: In case it matters, my (stripped down) smb.conf is:

> [global]
> workgroup = S4
> realm = s4.local
> netbios name = TEST-S4AD
> server string = test-s4ad
> server role = active directory domain controller

Are you actually trying to do it on a domain controller? Then this just won't work.

> server role check:inhibit = yes
> server services = s3fs rpc wrepl ldap cldap kdc drepl winbind ntp_signd kcc dnsupdate dns
> security = auto
> idmap_ldb:use rfc2307 = yes
> interfaces = 192.168.3.3/24 127.255.255.255/8
> bind interfaces only = Yes
> hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom

> dns forwarder = 127.0.0.2

> I've already tried adding:

> lanman auth = Yes
> client lanman auth = Yes

> but that didn't change anything.

--
With best regards,
Andrey Repin
Wednesday, April 15, 2015 02:05:36

Sorry for my terrible english...
Rowland Penny
2015-Apr-15 13:44 UTC
[Samba] Samba AD changing a user's password as non-root user
On 14/04/15 16:30, Roel van Meer wrote:
> Hi!
>
> I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a
> way to change the password of a user from the command line, as a
> non-root user.
>
> I know I can use 'smbpasswd', 'samba-tool user setpassword', or
> 'samba-tool user password', but these all seem to require root
> privileges. When I run them as root, they work, but when I run them as
> non-root user, I get:
>
> user1a at test-s4ad:~$ smbpasswd -U dago
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was
> 127.0.0.1, but LANMAN password changes are disabled
>
> or
>
> user1a at test-s4ad:~$ samba-tool user password -U dago
> Password for [S4\dago]:
> New Password:
> Retype Password:
> ERROR: Failed to change password : samr_ChangePasswordUser3 for
> 'S4\dago' failed: NT_STATUS_ACCESS_DENIED
>
> So, is there a possibility to change the password of one user with a
> commandline tool run by another user (provided he has the old
> password, of course)?
>
> Thanks a lot,
>
> Roel
>
>
> PS: In case it matters, my (stripped down) smb.conf is:
>
> [global]
> workgroup = S4
> realm = s4.local
> netbios name = TEST-S4AD
> server string = test-s4ad
> server role = active directory domain controller
> server role check:inhibit = yes
> server services = s3fs rpc wrepl ldap cldap kdc drepl winbind
> ntp_signd kcc dnsupdate dns
> security = auto
> idmap_ldb:use rfc2307 = yes
> interfaces = 192.168.3.3/24 127.255.255.255/8
> bind interfaces only = Yes
> hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom
>
> dns forwarder = 127.0.0.2
>
> I've already tried adding:
>
> lanman auth = Yes
> client lanman auth = Yes
>
> but that didn't change anything.

The problem here is you seem to be asking for two different things, change a user's password & reset a user's password. You might think they are the same thing, but in AD land they are different.

To reset a user's password, you need the user's old password and the new one, but to change a user's password you just need the user's new password. I have a script that will change a user's password, but it will not reset it.

Rowland
Denis Cardon
2015-Apr-15 16:27 UTC
[Samba] Samba AD changing a user's password as non-root user
Hi Roel,

> I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a
> way to change the password of a user from the command line, as a
> non-root user.
>
> I know I can use 'smbpasswd', 'samba-tool user setpassword', or
> 'samba-tool user password', but these all seem to require root
> privileges. When I run them as root, they work, but when I run them as
> non-root user, I get:
>
> user1a at test-s4ad:~$ smbpasswd -U dago
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> SAMR connection to machine NT_STATUS_ACCESS_DENIED failed. Error was
> 127.0.0.1, but LANMAN password changes are disabled
>
> or
>
> user1a at test-s4ad:~$ samba-tool user password -U dago
> Password for [S4\dago]:
> New Password:
> Retype Password:
> ERROR: Failed to change password : samr_ChangePasswordUser3 for
> 'S4\dago' failed: NT_STATUS_ACCESS_DENIED
>
> So, is there a possibility to change the password of one user with a
> commandline tool run by another user (provided he has the old password,
> of course)?

you can use the kpasswd command, it should do what you want.

Cheers,

Denis

>
> Thanks a lot,
>
> Roel
>
>
> PS: In case it matters, my (stripped down) smb.conf is:
>
> [global]
> workgroup = S4
> realm = s4.local
> netbios name = TEST-S4AD
> server string = test-s4ad
> server role = active directory domain controller
> server role check:inhibit = yes
> server services = s3fs rpc wrepl ldap cldap kdc drepl winbind
> ntp_signd kcc dnsupdate dns
> security = auto
> idmap_ldb:use rfc2307 = yes
> interfaces = 192.168.3.3/24 127.255.255.255/8
> bind interfaces only = Yes
> hosts allow = 192.168.3.0/255.255.255.0 127.0.0.1 LOCAL/unixdom
>
> dns forwarder = 127.0.0.2
>
> I've already tried adding:
>
> lanman auth = Yes
> client lanman auth = Yes
>
> but that didn't change anything.

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Roel van Meer
2015-Apr-20 07:33 UTC
[Samba] Samba AD changing a user's password as non-root user
Denis Cardon writes:

>> I'm using Samba in an AD setup, (version 4.2.0) and I'm looking for a
>> way to change the password of a user from the command line, as a
>> non-root user.
>
> you can use the kpasswd command, it should do what you want.

Indeed it does! Thanks a lot!

Cheers,

Roel
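
An added example, not code from the thread or from Samba: kpasswd performs a password change, which authenticates with the target account's old password rather than with the caller's privileges, while a reset is authorised by the caller's rights over the account. The sketch below shows the two shapes as LDAP modify operations on Active Directory's unicodePwd attribute; the function names and sample passwords are constructed for illustration, and nothing is sent to a server.

```python
# Added illustration: password change vs. reset as LDAP modify operations
# on AD's unicodePwd attribute. Operations are only built and inspected.
# All function names and sample values here are constructed assumptions.

def encode_unicode_pwd(password):
    """AD takes unicodePwd as the password in double quotes, UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def decode_unicode_pwd(value):
    """Reverse of encode_unicode_pwd; raises ValueError if malformed."""
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise ValueError("unicodePwd is not valid UTF-16LE") from exc
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd must be wrapped in double quotes")
    return text[1:-1]

def change_ops(old_password, new_password):
    """Change: delete the old value and add the new one in ONE modify.
    Authorised by knowledge of the old password, not by admin rights."""
    return [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)])]

def reset_ops(new_password):
    """Reset: replace the value outright; the old password is not supplied,
    so the caller needs reset rights on the target account."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]

def classify(ops):
    """Label a modify request 'change', 'reset', 'invalid' or 'other'."""
    pwd_ops = [(op, vals) for op, attr, vals in ops
               if attr.lower() == "unicodepwd"]
    try:
        for _, vals in pwd_ops:
            for value in vals:
                decode_unicode_pwd(value)  # reject unquoted or non-UTF-16LE
    except ValueError:
        return "invalid"
    kinds = [op for op, _ in pwd_ops]
    if kinds == ["delete", "add"]:
        return "change"
    if kinds == ["replace"]:
        return "reset"
    return "other"
```
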