Dr. Peer-Joachim Koch
2018-Mar-27 09:57 UTC
[Samba] remote password change, if password is expired
Hi,

we have a couple of users which "forget" to change the passwords even if they get a reminder.
Normally we tell them to use a Windows machine, where you can change your password if it's expired.

But how can a remote user change his password if it's expired?

Is there any secure solution for this?

--
Bye,
Peer
________________________________________________________
Max-Planck-Institut für Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10          Telefon: ++49 3641 57-6705
D-07745 Jena               Telefax: ++49 3641 57-7705
Hi Peer-Joachim,

> we have a couple of users which "forget" to change the passwords even if
> they get a reminder.
> Normally we tell them to use a Windows machine, where you can change
> your password if it's expired.
>
> But how can a remote user change his password if it's expired?
>
> Is there any secure solution for this?

"Normally we tell them to use a Windows machine" -> so I'll assume you are on a Linux machine. I think you'll have to do your expired password update through an LDAP query. You can get some inspiration from this page [1] or from the Bugzilla entry [2] of the recent security issue.

In any case you'll need to have SSL, and I guess a valid (from your desktop point of view) certificate on your DC, to use this type of LDAP query.

Cheers,

Denis

[1] https://www.cs.bham.ac.uk/~smp/resources/ad-passwds/
[2] https://bugzilla.samba.org/show_bug.cgi?id=13272#c1

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
Marco Gaiarin
2018-Mar-27 12:29 UTC
[Samba] remote password change, if password is expired
Hello! Dr. Peer-Joachim Koch via samba
  On that day it was said...

> we have a couple of users which "forget" to change the passwords even if
> they get a reminder.
> Normally we tell them to use a Windows machine, where you can change your
> password if it's expired.
> But how can a remote user change his password if it's expired?
> Is there any secure solution for this?

...for things like that, normally I use:

	https://github.com/chip-rosenthal/web-chpass

--
dott. Marco Gaiarin                     GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''     http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Hi,

if you like to write something on your own using PHP you can use this library: https://github.com/ldaptools/ldaptools

Then ask the users on the webpage for their username and password and bind with it to the LDAP. Then you have to send a delete request of the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query, otherwise Samba is denying the change.

The password is encoded in UTF-16-LE. The library has a class to convert it: https://github.com/ldaptools/ldaptools/blob/1cd40e7524f5bc1697f0d8ac0f1778cc4058cc66/src/LdapTools/AttributeConverter/EncodeWindowsPassword.php
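The single modify request described in the last reply (delete `unicodePwd` with the old value, add it with the new one), written out as an LDIF record. This is an added example, not code from the thread or from ldaptools. The DN and passwords are constructed, and wrapping the password in double quotes before the UTF-16-LE encoding is Active Directory's documented `unicodePwd` convention rather than something stated in the thread.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: the password in double quotes, as UTF-16-LE."""
    if not password:
        raise ValueError("password must not be empty")
    return f'"{password}"'.encode("utf-16-le")


def ldif_line(name: str, value: bytes) -> str:
    """Base64 ('::') LDIF line; needed here because UTF-16-LE contains NUL bytes."""
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"


def ldif_dn(dn: str) -> str:
    """Plain 'dn:' only for an RFC 2849 safe string, base64 otherwise."""
    if not dn:
        raise ValueError("DN must not be empty")
    safe = (dn.isascii() and dn.isprintable()
            and dn[0] not in " :<" and not dn.endswith(" "))
    return f"dn: {dn}" if safe else ldif_line("dn", dn.encode("utf-8"))


def build_password_change_ldif(user_dn: str, old: str, new: str) -> str:
    """One modify record: delete the old unicodePwd value, add the new one."""
    if old == new:
        # Local sanity check only; the server applies its own password policy.
        raise ValueError("new password must differ from the old one")
    return "\n".join([
        ldif_dn(user_dn),
        "changetype: modify",
        "delete: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(old)),
        "-",
        "add: unicodePwd",
        ldif_line("unicodePwd", encode_unicode_pwd(new)),
        "-",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(build_password_change_ldif(
        "CN=Example User,CN=Users,DC=example,DC=com", "Old-Passw0rd", "New-Passw0rd"))
```

Both changes sit in one record, so an LDAP client sends them as a single modify operation, and the connection has to be the SSL-protected one the earlier reply calls for. The record carries both passwords in reversible form, so keep it out of world-readable files and logs.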