[Samba] Change user Password with smbpasswd

Stefan Kania

Jan 19, 2016, 12:00:04 PM

Hello,
I try to change a user password with smbpasswd. But I always get an
error message:
-----------
root@sambabuch-c1:~# smbpasswd -U EXAMPLE\\stefan -r `nslookup _ldap._tcp.dc._msdcs.example.net | awk '{print $2;exit;}'`
Old SMB password:
New SMB password:
Retype new SMB password:
machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
-----------
The Client is a valid Member of the Domain:
-----------
root@sambabuch-c1:~# net ads testjoin
Join is OK
-----------
Everything else works inside the domain, only a user can't change his
password. What's wrong?


Stefan



Rowland penny

Jan 19, 2016, 12:10:04 PM

It looks to me like you are trying to use an NT tool to change an AD
password; have you tried 'samba-tool user setpasswd' instead?

It may help if you supply a bit more info: OS, Samba version, smb.conf etc.

Rowland

Stefan Kania

Jan 19, 2016, 12:30:06 PM

"samba-tool user setpassword" works fine, but I don't want all
"normal" users to connect to the domain controller to change their
password. So I tried it with smbpasswd, as it was mentioned in many
places. I know that smbpasswd is normally for NT domains, but somehow
an AD user must also be able to change his password. passwd is also
not working, as I read in the other thread on this list.
I normally provide a web-based solution for changing passwords, but there
should be a way to change the password on the command line.
Here you see the output with the debug level set to 4:
------------------------
EXAMPLE\stefan@sambabuch-c1:~$ smbpasswd -D 4 -r $(nslookup _ldap._tcp.dc._msdcs.example.net | awk '{print $2;exit;}')
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = example
doing parameter realm = EXAMPLE.NET
doing parameter security = ADS
doing parameter winbind refresh tickets = Yes
doing parameter template shell = /bin/bash
doing parameter idmap config * : range = 10000 - 19999
doing parameter idmap config EXAMPLE : backend = rid
doing parameter idmap config EXAMPLE : range = 1000000 - 1999999
doing parameter interfaces = 192.168.56.41
doing parameter bind interfaces only = yes
doing parameter winbind offline logon = yes
doing parameter kerberos method = secrets and keytab
pm_process() returned Yes
added interface enp0s8 ip=192.168.56.41 bcast=192.168.56.255 netmask=255.255.255.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 192.168.56.11 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088235
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_SEAL
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
machine 192.168.56.11 rejected the password change: Error was : Wrong Password.
------------------------
As far as I can see there is no problem connecting to the DC.

Stefan

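Added example, not part of the thread and not Samba code: a short Python decoder for the `neg_flags` values in the debug output above, pairing each challenge with the final flags to show what each connection negotiated (signing on both, sealing only on the second). Bit values are taken from MS-NLMP; the function names are hypothetical, and `NTLMSSP_TARGET_TYPE_DOMAIN` is a bit that is set in the logged values although the log prints no name for it.

```python
import re

# Bit values from MS-NLMP; names as printed in the Samba debug output above.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",  # set in the values, not named in the log
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

def decode_flags(value):
    """Names of the known flag bits set in value, lowest bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

# One exchange = the value after "Got challenge flags:" plus the value
# after the following "Set final flags:".
PAIR = re.compile(
    r"Got challenge flags:.*?neg_flags=0x([0-9a-fA-F]+)"
    r".*?Set final flags:.*?neg_flags=0x([0-9a-fA-F]+)", re.S)

def parse_exchanges(log):
    """Return [(challenge_flags, final_flags), ...] as integers."""
    return [(int(c, 16), int(f, 16)) for c, f in PAIR.findall(log)]

def audit(log):
    """Per exchange: flags in the challenge but not in the final set, and sign/seal state."""
    return [{"final": decode_flags(final),
             "dropped": decode_flags(challenge & ~final),
             "signed": bool(final & 0x00000010),
             "sealed": bool(final & 0x00000020)}
            for challenge, final in parse_exchanges(log)]

# Header and value lines copied from the debug output above (flag-name lines omitted).
SAMPLE_LOG = """Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
Got challenge flags:
Got NTLMSSP neg_flags=0x60898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088235
"""
```

Calling `audit(SAMPLE_LOG)` returns one entry per NTLMSSP exchange; the same function accepts the full `smbpasswd -D 4` output, since lines without `neg_flags` are skipped.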

Rowland penny

Jan 19, 2016, 1:50:04 PM

On 19/01/16 17:24, Stefan Kania wrote:
> "samba-tool user setpassword" works fine, but I don't want all
> "normal" Users to connect to the Domaincontroller to change their
> password.

Hang on, you don't want your users to connect to the place where their
passwords are stored ????
Yet here you are happy for them to connect to a DC with smbpasswd ???

I think you actually want 'samba-tool user password'

Rowland

Stefan Kania

Jan 19, 2016, 3:50:05 PM

On 19.01.16 at 19:38, Rowland penny wrote:
> On 19/01/16 17:24, Stefan Kania wrote:
>> "samba-tool user setpassword" works fine, but I don't want all
>> "normal" Users to connect to the Domaincontroller to change
>> their password.
>
> Hang on, you don't want your users to connect to the place where
> their passwords are stored ????
No, why should they? The Windows users don't have to connect to the
domain controller to change their password; they can do it on their
machine. So it should be the same on a Linux client. The user
authenticates on his client and should change his password on it. The
user should not make an SSH connection to the DC to change his password.

On a DC I have no shares and no printers, so no user must access the DC.
No, as long as the password change fails.

Stefan

> I think you actually want 'samba-tool user password'
>
> Rowland
>




Rowland penny

Jan 19, 2016, 4:30:04 PM

See inline comments:

On 19/01/16 20:43, Stefan Kania wrote:
> On 19.01.16 at 19:38, Rowland penny wrote:
>> On 19/01/16 17:24, Stefan Kania wrote:
>>> "samba-tool user setpassword" works fine, but I don't want all
>>> "normal" Users to connect to the Domaincontroller to change
>>> their password.
>> Hang on, you don't want your users to connect to the place where
>> their passwords are stored ????
> No, why should they, the Windows-users don't have to connect to the
> Domaincontroller to change their password, they can do it on their
> machine.

Yes, they do it on their machines by connecting to a DC and changing it
there.

Unless you are confusing a local user with a domain user.


> So it should be the same on a Linux-client. The user
> authenticate on his client and should change his password on it.

Ah no, a Unix user still authenticates to the DC and that is where it
must change the password.

> The
> user should not do an ssh-connection to the DC to change his password.

Again, you do not need to use ssh to change a user's password; you can,
but why would you?

>
> On a DC I have no shares no printers so no user must access the DC.

Wrong, what about sysvol and netlogon?

Rowland