Stephen
2019-Apr-29 09:10 UTC
[Samba] Difficulties retrieving randomly assigned password for newly created Samba user accounts
Hi everyone,

I am using Samba 4.5.16-Debian on Raspbian and thanks to the help offered by everyone here I now finally have a mostly-working Active Directory network.

I am now at the stage of creating individual user accounts for my domain and unfortunately I have a very basic but fundamental problem! I currently enter the following input at the command-line to create a new user on my DC:

    pi@ad1:~ $ sudo samba-tool user create "$USERNAME" \
        --given-name="$GIVENNAME" --surname="$SURNAME" --mail-address="$EMAIL" \
        --company="$COMPANY" --random-password --must-change-at-next-login \
        --nis-domain="$WIN_DOMAIN" --unix-home="$UNIXHOMEFOLDERPATH" \
        --home-drive="H" --home-directory="$WINDOWSHOMEFOLDERPATH" \
        --login-shell="/usr/bin/git-shell" --uid-number="$UIDNUMBER" \
        --gid-number=10000 -U "administrator%$SAMBA_ADMIN_PASSWORD"
    User 'stephenellwood' created successfully

After entering this, you see I get a confirmation prompt indicating my user was created. When I hop onto my domain fileserver, I can see the new user, and this gives me additional confidence this has actually been created:

    pi@fs1:~ $ wbinfo -u
    stephenellwood
    administrator
    krbtgt
    guest

In the switches passed to samba-tool previously you will see that I have requested both a *random password* and that *this must be changed at the next login*. Crucially though, how do I find out what stephenellwood's randomly assigned password actually is so I can login to this account for the first time? Without this I am stuck - I have a new user account with an unknown randomised password and thus cannot login.

Ultimately since I couldn't retrieve the random password for stephenellwood I then attempted to reset stephenellwood's password manually myself to a known string value using samba-tool. Unfortunately this also didn't seem to work:

    sudo samba-tool user password --newpassword="$NEWPASSWORD" -U "Administrator"
    Password for [OSSL\Administrator]:
    ERROR: Failed to change password : (-1073741716, "samr_ChangePasswordUser3 for 'OSSL\\Administrator' failed: NT_STATUS_PASSWORD_RESTRICTION")

I would really appreciate any help and advice anybody can offer regarding this matter as I am now stuck at this point :)

Thanks
Stephen Ellwood
L.P.H. van Belle
2019-Apr-29 09:34 UTC
[Samba] Difficulties retrieving randomly assigned password for newly created Samba user accounts
What the password is, is in the output on your screen, if not, then script it.

    kinit Administrator

    # function random password.
    RANDOMPASSWD(){ < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-16};echo; }

    # Pull a random into USERPASS
    USERPASS="$(RANDOMPASSWD)"

    # And create your user.
    sudo samba-tool user create "$USERNAME" --given-name="$GIVENNAME" --surname="$SURNAME" \
        --mail-address="$EMAIL" --company="$COMPANY" --password="$USERPASS" --must-change-at-next-login \
        --nis-domain="$WIN_DOMAIN" --unix-home="$UNIXHOMEFOLDERPATH" \
        --home-drive="H" --home-directory="$WINDOWSHOMEFOLDERPATH" \
        --login-shell="/usr/bin/git-shell" --uid-number="$UIDNUMBER" \
        --gid-number=10000 -k yes

    echo "$USERNAME:${USERPASS}" >> new-users.txt

Something like that.

Greetz,

Louis
Stephen
2019-Apr-29 10:04 UTC
[Samba] Difficulties retrieving randomly assigned password for newly created Samba user accounts
Okay, thanks everyone. After I posted I eventually found an answer to my question.

Basically, I was doing things wrong here, and the --random-password switch to samba-tool is not intended to be used with user accounts at all - it's actually intended to be used with system accounts only. By design it seems it doesn't report back on the random password that is set.

Previously from Rowland in 2015:

"The whole idea of --random-password is to create a random password for users that *don't* really need a password i.e. system services

If you want random passwords for users, then either use one of the many password generators you can find on the internet, or write your own script."

Thanks
Stephen Ellwood
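The "write your own script" route the thread settles on, as an added example that is not code from any poster or from the Samba project: it generates the password itself, retries until the result has characters from at least three classes (what AD-style complexity rules look for), and keeps the hand-over file readable only by its owner. The helper names and `CRED_FILE` are assumptions; the password is passed as the optional positional argument of `samba-tool user create`.

```sh
#!/bin/sh
# Added example. Helper names and CRED_FILE are hypothetical, not part of Samba.

# True if $1 has characters from at least three of: upper, lower, digit, other.
meets_complexity() {
    classes=0
    case $1 in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
    case $1 in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
    case $1 in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
    case $1 in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# Print a random password of length $1 (default 16) from the 64-character set
# A-Z a-z 0-9 _ -, retrying until it passes meets_complexity.
gen_password() {
    len=${1:-16}
    while :; do
        # Oversample urandom, keep only allowed bytes, then cut to length.
        pw=$(head -c "$((len * 16))" /dev/urandom |
            LC_ALL=C tr -dc 'A-Za-z0-9_-' | cut -c "1-$len")
        if [ "${#pw}" -eq "$len" ] && meets_complexity "$pw"; then break; fi
    done
    printf '%s\n' "$pw"
}

# Append "user:password" to file $1 and make it readable by its owner only.
record_credential() {
    ( umask 077; printf '%s:%s\n' "$2" "$3" >> "$1" ) && chmod 600 "$1"
}

# Create the account (run as root on the DC) and record the password on success.
create_user() {
    newpw=$(gen_password 16)
    # The password is a positional argument, so it shows up in the DC's
    # process list while samba-tool runs.
    samba-tool user create "$1" "$newpw" --must-change-at-next-login &&
        record_credential "${CRED_FILE:-new-users.txt}" "$1" "$newpw"
}

# Usage: ./script.sh USERNAME
if [ "$#" -gt 0 ]; then create_user "$1"; fi
```

Delete the entry from the credentials file once the user has logged in and changed the password.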