On Tue, 27 Mar 2018 13:38:56 -0400 Mark Foley wrote:
>
> On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at t-online.de> wrote:
> >
> > On 26.03.2018 at 06:31, Mark Foley via samba wrote:
> > > As a normal user, I want to change my Domain Password. I've tried:
> > >
> > > $ samba-tool user setpassword myuserId --newpassword='mynewpassword'
> > >
> > > but get the error:
> > >
> > > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: Permission denied
> > >
> > > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602, in run
> > >     credentials=creds, lp=lp)
> > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
> > >     options=options)
> > >   File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
> > >     self.connect(url, flags, options)
> > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
> > >     options=options)
> > >
> > > How do I do this?
> > >
> >
> > I don't think it's a good idea to change your password directly on the DC
> > with a normal user login. You don't have rights to the "holy" sam.ldb.
> >
> > I'd refer you to the way to change the password from a joined Linux client, for
> > example via PAM with the normal passwd program or kpasswd (if you have the
> > Kerberos client programs installed), or from a joined Windows client.
>
> I'm trying this from a domain member, and from a yad script that runs upon login and checks the
> expiration of the password. It was a script given to me by Roland, but probably he expected the
> change to be done from root.
>
> I can change the pw using the normal 'passwd', and that does change the domain credentials, but
> as this is done in a script, I need something that will work with stdin. I've tried chpasswd,
> but that is only permitted by root. The following did work for me in the yad script:
>
> passwd <<EOF
> $oldpw
> $newpw
> $newpw
> EOF
>

Actually, that didn't quite work. It did change the domain password, but didn't reset the
expiration days. So today, when the previous password was set to expire, my account was locked
out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.

Suggestions on how I can get the expiration back to the 'Maximum password age' value?
Andrew Bartlett
2018-Mar-28 07:14 UTC
[Samba] How to change Domain password as normal user?
On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
>
> Actually, that didn't quite work. It did change the domain password, but didn't reset the
> expiration days. So today, when the previous password was set to expire, my account was locked
> out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.
>
> Suggestions on how I can get the expiration back to the 'Maximum password age' value?

This sounds very strange. Are you sure the password changed on the DC?
Did the msDS-KeyVersionNumber change, did the pwdLastSet change?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
On Wed, 28 Mar 2018 03:09:43 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Tue, 27 Mar 2018 13:38:56 -0400 Mark Foley wrote:
> >
> > On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at t-online.de> wrote:
> > >
> > > On 26.03.2018 at 06:31, Mark Foley via samba wrote:
> > > > As a normal user, I want to change my Domain Password. I've tried:
> > > >
> > > > $ samba-tool user setpassword myuserId --newpassword='mynewpassword'
> > > >
> > > > but get the error:
> > > >
> > > > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: Permission denied
> > > >
> > > > Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > > ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > > >     return self.run(*args, **kwargs)
> > > >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602, in run
> > > >     credentials=creds, lp=lp)
> > > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in __init__
> > > >     options=options)
> > > >   File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in __init__
> > > >     self.connect(url, flags, options)
> > > >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in connect
> > > >     options=options)
> > > >
> > > > How do I do this?
> > > >
> > >
> > > I don't think it's a good idea to change your password directly on
> > > the DC with a normal user login. You don't have rights to the
> > > "holy" sam.ldb.
> > >

You are getting the error message because the samba-tool command is trying to open sam.ldb on the Unix domain member and it doesn't exist there.

You can change a user's password from a Unix domain member with 'setpassword', but you would need to add '-H ldap://dc.samdom.example.com' to the command and also add an admin user & password, e.g. -U Administrator --password=ADMINISTRATOR_PASSWORD

A user can also change their own password with samba-tool, but they would need to use the 'password' subcommand.

Rowland
On Wed, 28 Mar 2018 20:14:00 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Wed, 2018-03-28 at 03:09 -0400, Mark Foley via samba wrote:
> >
> > Actually, that didn't quite work. It did change the domain password, but didn't reset the
> > expiration days. So today, when the previous password was set to expire, my account was locked
> > out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.
> >
> > Suggestions on how I can get the expiration back to the 'Maximum password age' value?
>
> This sounds very strange. Are you sure the password changed on the DC?
> Did the msDS-KeyVersionNumber change, did the pwdLastSet change?

Yes, I know it changed on the DC because I was able to use the new password to log into another Windows workstation, and I use the domain credential to log into an internal web application. All these worked with the new PW. Later, I checked the Linux workstation's /etc/passwd to make sure there was no entry for my user (there wasn't).

It does seem strange. Unfortunately, I did not check either msDS-KeyVersionNumber or pwdLastSet, or even ldbsearch to get msDS-UserPasswordExpiryTimeComputed, before I reset the user pw from the domain administrator. Next time!

In this thread I've been given 3 more ideas on how to do this:

samba-tool -U <myuser> user password
smbpasswd
kpasswd

I'll try each and see which works best for me.
Marco Gaiarin
2018-Jun-15 16:30 UTC
[Samba] samba-tool user password/setpassword and password change timestamp...
Hello! Mark Foley via samba wrote on that day...

I'll go back to that old thread.

> Actually, that didn't quite work. It did change the domain password, but didn't reset the
> expiration days. So today, when the previous password was set to expire, my account was locked
> out. I had to log onto the AD/DC as the Domain Administrator and do 'samba-tool user setpassword'.

It also seems to me that 'samba-tool user passwd' and 'samba-tool user setpasswd' do not set the password change timestamp, so users remain in the 'password expired' state.

I'll try to debug that issue better in the next few days, I hope...

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Marco Gaiarin
2018-Jun-18 10:42 UTC
[Samba] samba-tool user password/setpassword and password change timestamp...
Ok, some more info. But the whole situation is still not clear.

I've set up a wrapper around 'check password script' (for my old NT-like domains) and 'samba-tool user syncpasswords' for my new AD domain. In the ''consumer'' script on the AD side, which receives passwords from the NT domains, at the end I do:

	samba-tool user setpassword <user> --option="check password script"="" --newpassword="NEWPass"

and effectively users get the password propagated correctly. But some users (roughly at least 50%, so it seems not a ''glitch'') have the password changed BUT the last password change not updated, so typically they log in and the new domain asks for a password change (or says that the account is disabled).

I've done some ''manual tests'', and all seems to work as expected:

Initial:

Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:       \\HOMESV\Users\gaio
HomeDir Drive:        P:
Logon Script:
Profile Path:         \\HOMESV\profiles\gaio
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           lun, 18 giu 2018 11:45:24 CEST
Logoff time:          0
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    lun, 07 mag 2018 12:22:50 CEST
Password can change:  lun, 07 mag 2018 12:22:50 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

After a:

root at vdcsv1:~# samba-tool user setpassword gaio --option="check password script"="" --newpassword="NotThisPass"
Changed password OK

Now is:

Unix username:        gaio
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-160080369-3601385002-3131615632-1105
Primary Group SID:    S-1-5-21-160080369-3601385002-3131615632-513
Full Name:            Marco Gaiarin
Home Directory:       \\HOMESV\Users\gaio
HomeDir Drive:        P:
Logon Script:
Profile Path:         \\HOMESV\profiles\gaio
Domain:
Account desc:         Marco Gaiarin
Workstations:
Munged dial:
Logon time:           lun, 18 giu 2018 11:45:24 CEST
Logoff time:          0
Kickoff time:         gio, 14 set 30828 04:48:05 CEST
Password last set:    lun, 18 giu 2018 12:18:13 CEST
Password can change:  lun, 18 giu 2018 12:18:13 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

and also:

root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(sAMAccountName=gaio)" msDS-UserPasswordExpiryTimeComputed pwdLastSet | egrep '^(msDS-UserPasswordExpiryTimeCompu
pwdLastSet: 131737906930682280
msDS-UserPasswordExpiryTimeComputed: 131815666930682280
root at vdcsv1:~# bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'.
131815666930682280-131737906930682280
77760000000000

and it matches. How could that be?!

Thanks.

-- 
dott. Marco Gaiarin
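An added example, not code from the thread, that does the check Andrew asks for and the arithmetic Marco does with bc: it parses pwdLastSet and msDS-UserPasswordExpiryTimeComputed from constructed ldbsearch output built from the values quoted above, converts the FILETIME ticks to UTC dates, derives the domain's maximum password age (90 days here), and reports whether a password change actually moved pwdLastSet forward. The dn in the sample record is a placeholder.

```python
# Added example (not from the thread): decode the two AD timestamps that
# ldbsearch prints and check whether a password change reset the expiry clock.
# LDB_OUTPUT is constructed from the values quoted in the thread; dn is a placeholder.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 10_000_000 * 86_400      # FILETIME counts 100-ns ticks since 1601-01-01
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF       # AD returns this when the password never expires

LDB_OUTPUT = """# record 1
dn: CN=gaio,CN=Users,DC=ad,DC=fvg,DC=lnf,DC=it
pwdLastSet: 131737906930682280
msDS-UserPasswordExpiryTimeComputed: 131815666930682280
"""

def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ldbsearch(text):
    """Collect the 'attribute: value' lines of one ldbsearch record into a dict."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs[key.strip()] = value.strip()
    return attrs

def password_status(attrs, now):
    """Classify the password state at 'now' (a UTC-aware datetime or ISO-8601 string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_set = int(attrs.get("pwdLastSet", "0"))
    expiry = int(attrs.get("msDS-UserPasswordExpiryTimeComputed", "0"))
    if last_set == 0:                     # AD semantics: user must change at next logon
        return {"state": "must-change-at-next-logon", "max_age_days": None}
    if expiry >= NEVER_EXPIRES:
        return {"state": "never-expires", "max_age_days": None}
    max_age_days = (expiry - last_set) / TICKS_PER_DAY   # the domain's maximum password age
    expires = filetime_to_datetime(expiry)
    return {"state": "expired" if now >= expires else "ok", "max_age_days": max_age_days,
            "last_set": filetime_to_datetime(last_set), "expires": expires}

def change_took_effect(before, after):
    """True only if pwdLastSet moved forward, i.e. the change also reset the expiry clock."""
    return int(after.get("pwdLastSet", "0")) > int(before.get("pwdLastSet", "0"))
```

Calling password_status(parse_ldbsearch(LDB_OUTPUT), "2018-06-18T12:00:00+00:00") reports state "ok", last_set 2018-06-18 10:18:13 UTC (12:18:13 CEST, as pdbedit shows) and max_age_days 90.0; comparing a record captured before and after a change with change_took_effect() is the quick way to spot the "password changed but not timestamp" case.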