"samba-tool user setpassword" works fine, but I don't want all
"normal" users to connect to the domain controller to change their
password. So I tried it with smbpasswd as it was mentioned in many
places. I know that smbpasswd is normally for NT domains, but somehow
an AD user must also be able to change his password. passwd is also
not working, as I read in the other thread on this list.
I normally provide a web-based solution for changing passwords, but there
should be a way to change the password on the command line.
Here you see the output with debuglevel set to 4:
------------------------
EXAMPLE\stefan@sambabuch-c1:~$ smbpasswd -D 4 -r $(nslookup _ldap._tcp.dc._msdcs.example.net | awk '{print $2;exit;}')
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = example
doing parameter realm = EXAMPLE.NET
doing parameter security = ADS
doing parameter winbind refresh tickets = Yes
doing parameter template shell = /bin/bash
doing parameter idmap config * : range = 10000 - 19999
doing parameter idmap config EXAMPLE : backend = rid
doing parameter idmap config EXAMPLE : range = 1000000 - 1999999
doing parameter interfaces = 192.168.56.41
doing parameter bind interfaces only = yes
doing parameter winbind offline logon = yes
doing parameter kerberos method = secrets and keytab
pm_process() returned Yes
added interface enp0s8 ip=192.168.56.41 bcast=192.168.56.255 netmask=255.255.255.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 192.168.56.11 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
------------------------
As far as I can see there is no problem connecting to the DC.
Stefan

On 19.01.2016 at 18:03, Rowland penny wrote:
> On 19/01/16 16:30, Stefan Kania wrote:
>> Hello, I try to change a user password with smbpasswd. But I always
>> get an error message:
>> -----------
>> root@sambabuch-c1:~# smbpasswd -U EXAMPLE\\stefan -r `nslookup _ldap._tcp.dc._msdcs.example.net | awk '{print $2;exit;}'`
>> Old SMB password:
>> New SMB password:
>> Retype new SMB password:
>> machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
>> -----------
>> The client is a valid member of the domain:
>> -----------
>> root@sambabuch-c1:~# net ads testjoin
>> Join is OK
>> -----------
>> Everything else works inside the domain, only a user can't change
>> his password. What's wrong?
>>
>> Stefan
>
> It looks to me like you are trying to use an NT tool to change an
> AD password, have you tried 'samba-tool user setpasswd' instead?
>
> It may help if you supply a bit more info, OS, Samba version,
> smb.conf etc.
>
> Rowland
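An added example, not part of the original thread and not Samba's own code: the neg_flags values in the debug output above can be decoded with the NTLMSSP flag bit values from MS-NLMP, which shows what the DC offered in each challenge and what the client kept. The function names and the log excerpt layout are this example's own.

```python
import re

# NTLMSSP negotiate-flag bits (MS-NLMP), named as in the debug output. Bit
# 0x00010000 is set in the log's challenge values but has no name line there.
FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE", 0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN", 0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM", 0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN", 0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO", 0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
KNOWN = sum(FLAGS)  # keys are distinct single bits, so the sum equals their OR

# Header and value lines excerpted from the log above.
SAMPLE_LOG = (
    "Got challenge flags:\nGot NTLMSSP neg_flags=0x60898215\n"
    "NTLMSSP: Set final flags:\nGot NTLMSSP neg_flags=0x60088215\n"
    "NTLMSSP Sign/Seal - Initialising with flags:\nGot NTLMSSP neg_flags=0x60088215\n"
    "Got challenge flags:\nGot NTLMSSP neg_flags=0x60898235\n"
    "NTLMSSP: Set final flags:\nGot NTLMSSP neg_flags=0x60088235\n"
)

def decode(flags):
    """Return (flag names, bits not present in FLAGS) for one neg_flags value."""
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    return names, flags & ~KNOWN

def sessions(log):
    """Pair each 'challenge flags' value with the 'Set final flags' value after it."""
    found = re.findall(r"(challenge|final) flags:\s*Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)", log)
    pairs, challenge = [], None
    for kind, value in found:
        if kind == "challenge":
            challenge = int(value, 16)
        elif challenge is not None:
            pairs.append((challenge, int(value, 16)))
            challenge = None
    return pairs

def summarize(log):
    """Per session: flags kept, flags the DC offered that were dropped, sealing on/off."""
    return [{"final": decode(final)[0],
             "dropped": decode(challenge & ~final)[0],
             "sealed": bool(final & 0x20)}
            for challenge, final in sessions(log)]

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

On the values from this log, both exchanges drop NTLMSSP_TARGET_TYPE_DOMAIN and NTLMSSP_NEGOTIATE_TARGET_INFO from the DC's challenge, and only the second exchange ends up with NTLMSSP_NEGOTIATE_SEAL.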

On 19/01/16 17:24, Stefan Kania wrote:
> "samba-tool user setpassword" works fine, but I don't want all
> "normal" users to connect to the domain controller to change their
> password.

Hang on, you don't want your users to connect to the place where their
passwords are stored ????

> So I tried it with smbpasswd as it was mentioned in many
> places. I know that smbpasswd is normally for NT domains, but somehow
> an AD user must also be able to change his password. passwd is also
> not working, as I read in the other thread on this list.
> I normally provide a web-based solution for changing passwords, but there
> should be a way to change the password on the command line.
> Here you see the output with debuglevel set to 4:
> [...]
> machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
> ------------------------
> As far as I can see there is no problem connecting to the DC.

Yet here you are happy for them to connect to a DC with smbpasswd ???

I think you actually want 'samba-tool user password'

Rowland

On 19.01.16 at 19:38, Rowland penny wrote:
> On 19/01/16 17:24, Stefan Kania wrote:
>> "samba-tool user setpassword" works fine, but I don't want all
>> "normal" users to connect to the domain controller to change
>> their password.
>
> Hang on, you don't want your users to connect to the place where
> their passwords are stored ????

No, why should they? The Windows users don't have to connect to the
domain controller to change their password, they can do it on their
machine. So it should be the same on a Linux client. The user
authenticates on his client and should change his password on it. The
user should not do an ssh connection to the DC to change his password.
On a DC I have no shares, no printers, so no user must access the DC.

>> So I tried it with smbpasswd as it was mentioned in many places.
>> I know that smbpasswd is normally for NT domains, but somehow
>> an AD user must also be able to change his password. passwd is also
>> not working, as I read in the other thread on this list. I normally
>> provide a web-based solution for changing passwords, but there
>> should be a way to change the password on the command line.
>> Here you see the output with debuglevel set to 4:
>> [...]
>> machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
>> ------------------------
>> As far as I can see there is no problem connecting to the DC.
>
> Yet here you are happy for them to connect to a DC with smbpasswd
> ???

No, as long as the password change fails.

Stefan

> I think you actually want 'samba-tool user password'
>
> Rowland