Hi,

if you like to write something on your own using PHP you can use this library: https://github.com/ldaptools/ldaptools

Then ask the users on the webpage for their username and password and bind with it to the LDAP. Then you have to send a delete request of the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query, otherwise Samba denies the change.

The password is encoded in UTF-16-LE. The library has a class to convert it: https://github.com/ldaptools/ldaptools/blob/1cd40e7524f5bc1697f0d8ac0f1778cc4058cc66/src/LdapTools/AttributeConverter/EncodeWindowsPassword.php

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Marco Gaiarin via samba <samba at lists.samba.org>
Sent: Tuesday, March 27, 2018 2:29:35 PM
To: samba at lists.samba.org
Subject: Re: [Samba] remote password change, if password is expired

Mandi! Dr. Peer-Joachim Koch via samba
In chel di` si favelave...

> we have a couple of users who "forget" to change the passwords even if
> they get a reminder.
> Normally we tell them to use a Windows machine, where you can change your
> password if it's expired.
> But how can a remote user change his password if it's expired?
> Is there any secure solution for this?

...for things like that, normally I use:

https://github.com/chip-rosenthal/web-chpass

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Marco Gaiarin
2018-Mar-27 13:44 UTC
[Samba] remote password change, if password is expired
Mandi! Waishon via samba
In chel di` si favelave...

> if you like to write something on your own using PHP you can use this library:
> https://github.com/ldaptools/ldaptools
> Then ask the users on the webpage for their username and password and bind with it to the LDAP.
> Then you have to send a delete request of the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query, otherwise Samba denies the change.

Good hint! Thanks!

But I think that in this way password policy and 'check password script' are not honoured, e.g. you modify directly the LDAP data without password quality checks.

For this reason I prefer to use ''standard'' tools, e.g. PAM/winbind.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Hi,

I don't know if the password check script is executed if you change the password using Samba. You can simply test it: download "LdapAdmin": http://www.ldapadmin.org

Connect to your DC as a user. Then navigate to your user object and click on "Set password" in the context menu. Then you can verify if your script will be executed.

Other options like the password length or password complexity will work when you set the password directly with LDAP.

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Marco Gaiarin via samba <samba at lists.samba.org>
Sent: Tuesday, March 27, 2018 3:44:18 PM
To: samba at lists.samba.org
Subject: Re: [Samba] remote password change, if password is expired

> Mandi! Waishon via samba
> In chel di` si favelave...
> 
> > if you like to write something on your own using PHP you can use this library:
> > https://github.com/ldaptools/ldaptools
> > Then ask the users on the webpage for their username and password and bind with it to the LDAP.
> > Then you have to send a delete request of the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query, otherwise Samba denies the change.
> 
> Good hint! Thanks!
> 
> But I think that in this way password policy and 'check password script' are not honoured, e.g. you modify directly the LDAP data without password quality checks.
> 
> For this reason I prefer to use ''standard'' tools, e.g. PAM/winbind.
Andrew Bartlett
2018-Mar-27 17:17 UTC
[Samba] remote password change, if password is expired
On Tue, 2018-03-27 at 15:44 +0200, Marco Gaiarin via samba wrote:
> Mandi! Waishon via samba
> In chel di` si favelave...
> 
> > if you like to write something on your own using PHP you can use this library:
> > https://github.com/ldaptools/ldaptools
> > Then ask the users on the webpage for their username and password and bind with it to the LDAP.
> > Then you have to send a delete request of the unicodePwd field with the old password and then an add request with the new password. Both requests have to be in one query, otherwise Samba denies the change.
> 
> Good hint! Thanks!
> 
> But I think that in this way password policy and 'check password
> script' are not honoured, e.g. you modify directly the LDAP data without
> password quality checks.

The password policy checks are, in Active Directory, applied even on LDAP password changes.

To change an expired password the bind needs to be as a service user and the password change needs to then reference the expired user (which is the part we got subtly wrong in the security issue earlier this month).

> For this reason I prefer to use ''standard'' tools, e.g. PAM/winbind.

pam_winbind should do it. It uses the SAMR password change but binds to SAMR as the machine account, so should be able to change an expired password.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
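The unicodePwd change that Waishon describes (delete the old value and add the new one in a single modify, password quoted and UTF-16-LE encoded), together with the bind-as-service-account point Andrew Bartlett makes above, as an added example. This is not code from the thread, from ldaptools or from Samba. It is written in Python rather than PHP because the request shape is independent of the client library: the operation codes are the RFC 4511 ModifyRequest values (the same numbers python-ldap exposes as ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE). The connection object is a stand-in that only records the request and refuses unicodePwd over an unencrypted session, as a real DC does; the DNs and passwords are hypothetical.

```python
"""Build Samba AD / Active Directory unicodePwd change requests.

Added example, not from the thread, ldaptools or Samba. Only the standard
library is used; RecordingConnection stands in for a python-ldap connection
so the request can be inspected offline. DNs and passwords are hypothetical.
"""

# ModifyRequest operation codes from RFC 4511 section 4.6; python-ldap's
# ldap.MOD_ADD / ldap.MOD_DELETE / ldap.MOD_REPLACE carry the same values.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


class UnwillingToPerform(Exception):
    """Mirrors LDAP resultCode 53, which a DC returns for unicodePwd over cleartext."""


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire format: the password wrapped in double quotes, UTF-16-LE, no BOM."""
    return ('"' + password + '"').encode("utf-16-le")


def self_change_modlist(old_password: str, new_password: str) -> list:
    """User self-service change: delete the old value and add the new one in ONE
    modify request. The DC verifies the old value; the same two changes sent
    as separate requests are refused."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def admin_reset_modlist(new_password: str) -> list:
    """Administrative reset: a single replace with no old password. Needs the
    Reset Password right on the target object and does not check the old value."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


class RecordingConnection:
    """Stand-in for a python-ldap connection: records modify_s() calls and
    enforces the one rule a real DC applies before anything else, namely that
    unicodePwd is only accepted over an encrypted (LDAPS/StartTLS) session."""

    def __init__(self, bound_as: str, encrypted: bool):
        self.bound_as = bound_as        # DN the session was bound with
        self.encrypted = encrypted      # LDAPS or StartTLS negotiated?
        self.requests = []              # (dn, modlist) pairs accepted

    def modify_s(self, dn: str, modlist: list) -> None:
        touches_pwd = any(attr.lower() == "unicodepwd" for _, attr, _ in modlist)
        if touches_pwd and not self.encrypted:
            raise UnwillingToPerform("unicodePwd requires LDAPS/StartTLS")
        self.requests.append((dn, modlist))


def change_password(conn, user_dn: str, old_password: str, new_password: str) -> tuple:
    """Self-service change for `user_dn`. For an expired password, bind `conn` as
    a service account rather than as the user (whose own bind would fail) and
    still pass the expired user's DN here; the delete/add form keeps the old
    password check. Returns the (dn, modlist) pair that was sent."""
    modlist = self_change_modlist(old_password, new_password)
    conn.modify_s(user_dn, modlist)
    return conn.requests[-1]


def reset_password(conn, user_dn: str, new_password: str) -> tuple:
    """Administrative reset for `user_dn`; no old password is checked."""
    modlist = admin_reset_modlist(new_password)
    conn.modify_s(user_dn, modlist)
    return conn.requests[-1]


if __name__ == "__main__":
    # Hypothetical DNs: the service account does the bind, the target is the
    # user whose password has expired.
    svc = RecordingConnection("CN=pwchange-svc,CN=Users,DC=example,DC=org", encrypted=True)
    dn, sent = change_password(svc, "CN=Alice,CN=Users,DC=example,DC=org",
                               "Old-Passw0rd", "New-Passw0rd!")
    names = {MOD_DELETE: "delete", MOD_ADD: "add", MOD_REPLACE: "replace"}
    for op, attr, values in sent:
        print(names[op], attr, values[0])
```

With python-ldap the `RecordingConnection` would be replaced by `ldap.initialize("ldaps://dc.example.org")` followed by `simple_bind_s()` as the service account, and `modify_s()` takes the same `(op, attribute, values)` tuples. Whether the `check password script` runs for such a change is exactly the question left open in the thread; the length and complexity rules of the domain policy do apply, as Andrew states.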