[Samba] change password sssd-client

josé Roberto via samba

Mar 20, 2017, 3:50:02 PM
Hi,

I'm trying to migrate to samba4 and had the following issue:
I have SSSD configured to authenticate users on linux machines that I get
from a samba4 service through LDAP endpoint. Users are successfully
authenticated in the system, but I can't manage to change password of these
users from command line. When I try to use passwd command, I got the
following:

Password change failed. Server message: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported
passwd: Authentication token manipulation error
passwd: password unchanged

I saw in other forums that it's possible to bypass this error changing
permissions from the user that is authenticating on LDAP base to write
other users passwords, but in this case it's a samba4 base using a LDAP
interface. Is it possible to grant this kind of permission to the user
authenticating through LDAP?

Andrew Bartlett via samba

Mar 20, 2017, 4:30:03 PM
On Mon, 2017-03-20 at 16:38 -0300, josé Roberto via samba wrote:
> Hi,
>
> I'm trying to migrate to samba4 and had the following issue:
> I have SSSD configured to authenticate users on linux machines that I get
> from a samba4 service through LDAP endpoint. Users are successfully
> authenticated in the system, but I can't manage to change password of these
> users from command line. When I try to use passwd command, I got the
> following:
>
> Password change failed. Server message: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported
> passwd: Authentication token manipulation error
> passwd: password unchanged
>
> I saw in other forums that it's possible to bypass this error changing
> permissions from the user that is authenticating on LDAP base to write
> other users passwords, but in this case it's a samba4 base using a LDAP
> interface. Is it possible to grant this kind of permission to the user
> authenticating through LDAP?

sssd should be able to change passwords over kpasswd or ldap (with the
AD method, which is over unicodePwd), but sadly Samba does not support
the extended operation method yet. We would love to support it, but
that requires engineering at this stage.

Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
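
The "AD method ... over unicodePwd" mentioned in the reply above, as an added example that is not part of the original thread: an AD-style password change is a single LDAP modify that deletes the old unicodePwd value and adds the new one, each value being the quoted password in UTF-16LE. The function names, DN and passwords below are constructed for illustration.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire value: the password in double quotes, encoded UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")

def _ldif_attr(name: str, value: bytes) -> str:
    """Emit 'name: value' when the value is an LDIF SAFE-STRING, else base64 ('name::')."""
    safe = (
        all(0 < b < 128 and b not in (10, 13) for b in value)
        and value[:1] not in (b" ", b":", b"<")
        and not value.endswith(b" ")
    )
    if safe:
        return f"{name}: {value.decode('ascii')}"
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"

def change_password_ldif(user_dn: str, old: str, new: str) -> str:
    """Change record for a user changing their own password.

    A change is one modify that deletes the old value and adds the new one,
    so the server can verify the old password. (An administrative reset
    would use 'replace' instead and needs reset rights on the account.)
    """
    return "\n".join([
        _ldif_attr("dn", user_dn.encode("utf-8")),
        "changetype: modify",
        "delete: unicodePwd",
        _ldif_attr("unicodePwd", encode_unicode_pwd(old)),
        "-",
        "add: unicodePwd",
        _ldif_attr("unicodePwd", encode_unicode_pwd(new)),
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample DN and passwords, for illustration only.
    print(change_password_ldif("CN=jose,CN=Users,DC=example,DC=com",
                               "Old-Passw0rd", "New-Passw0rd"))
```

The resulting change record can be applied with a tool such as ldapmodify; Active Directory accepts writes to unicodePwd only over an encrypted connection.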