change password sssd-client


Samba - General mailing list
Hi,

I'm trying to migrate to samba4 and had the following issue:
I have SSSD configured to authenticate users on Linux machines that I get
from a samba4 service through the LDAP endpoint. Users are successfully
authenticated in the system, but I can't manage to change the password of these
users from the command line. When I try to use the passwd command, I got the
following:

    Password change failed. Server message: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported
    passwd: Authentication token manipulation error
    passwd: password unchanged

I saw in other forums that it's possible to bypass this error by changing the
permissions of the user that is authenticating on the LDAP base to write
other users' passwords, but in this case it's a samba4 base using an LDAP
interface. Is it possible to grant this kind of permission to the user
authenticating through LDAP?
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: change password sssd-client

Samba - General mailing list
On Mon, 2017-03-20 at 16:38 -0300, josé Roberto via samba wrote:

> Hi,
>
> I'm trying to migrate to samba4 and had the following issue:
> I have SSSD configured to authenticate users on Linux machines that I
> get from a samba4 service through the LDAP endpoint. Users are
> successfully authenticated in the system, but I can't manage to change
> the password of these users from the command line. When I try to use
> the passwd command, I got the following:
>
>     Password change failed. Server message: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported
>     passwd: Authentication token manipulation error
>     passwd: password unchanged
>
> I saw in other forums that it's possible to bypass this error by
> changing the permissions of the user that is authenticating on the LDAP
> base to write other users' passwords, but in this case it's a samba4
> base using an LDAP interface. Is it possible to grant this kind of
> permission to the user authenticating through LDAP?

sssd should be able to change passwords over kpasswd or ldap (with the
AD method, which is over unicodePwd), but sadly Samba does not support
the extended operation method yet.  We would love to support it, but
that requires engineering at this stage.

Sorry,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
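
An added example, not part of the original thread or of Samba/SSSD code: it checks whether a server's rootDSE advertises the Password Modify extended operation named in the error, and builds the LDIF for the AD-style `unicodePwd` change mentioned in the reply. The rootDSE excerpt, DN and passwords are constructed sample values, and the function names are hypothetical.

```python
import base64

# RFC 3062 Password Modify extended operation: the OID in the passwd error above.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Constructed rootDSE excerpt in LDIF form (not captured from a real server).
SAMPLE_ROOTDSE = """dn:
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.1466.20037
"""


def advertised_extensions(rootdse_ldif):
    """Return the set of supportedExtension OIDs listed in rootDSE LDIF text."""
    oids = set()
    for line in rootdse_ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "supportedextension":
            oids.add(value.strip())
    return oids


def encode_unicode_pwd(password):
    """AD-style unicodePwd value: quoted password, UTF-16LE, base64 for LDIF."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def unicode_pwd_change_ldif(user_dn, old, new):
    """LDIF for a self-service change: delete the old value and add the new one
    in a single modify. Assumes an ASCII-only DN (no base64 DN handling)."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(old)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    if PASSWD_MODIFY_OID not in advertised_extensions(SAMPLE_ROOTDSE):
        print("Password Modify exop not advertised: use kpasswd or unicodePwd")
    # Constructed DN and passwords, for illustration only.
    print(unicode_pwd_change_ldif("CN=jdoe,CN=Users,DC=example,DC=com",
                                  "OldPass1!", "NewPass2!"))
```

The generated LDIF carries both passwords in a trivially reversible encoding, so it should only be sent over an encrypted LDAP connection and not be left on disk.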

