Linux samba change password

How to Manage Samba4 AD Infrastructure from Linux Command Line – Part 2

This tutorial will cover some basic daily commands you need to use in order to manage Samba4 AD Domain Controller infrastructure, such as adding, removing, disabling or listing users and groups.

We’ll also take a look on how to manage domain security policy and how to bind AD users to local PAM authentication in order for AD users to be able to perform local logins on Linux Domain Controller.

Requirements

Step 1: Manage Samba AD DC from Command Line

1. Samba AD DC can be managed through samba-tool command line utility which offers a great interface for administrating your domain.

With the help of samba-tool interface you can directly manage domain users and groups, domain Group Policy, domain sites, DNS services, domain replication and other critical domain functions.

To review the entire functionality of samba-tool just type the command with root privileges without any option or parameter.

2. Now, let’s start using samba-tool utility to administer Samba4 Active Directory and manage our users.

In order to create a user on AD use the following command:

# samba-tool user add your_domain_user

To add a user with several important fields required by AD, use the following syntax:

3. A listing of all samba AD domain users can be obtained by issuing the following command:

4. To delete a samba AD domain user use the below syntax:

# samba-tool user delete your_domain_user

5. Reset a samba domain user password by executing the below command:

# samba-tool user setpassword your_domain_user

6. In order to disable or enable an samba AD User account use the below command:

# samba-tool user disable your_domain_user # samba-tool user enable your_domain_user

7. Likewise, samba groups can be managed with the following command syntax:

--------- review all options --------- # samba-tool group add –h # samba-tool group add your_domain_group

8. Delete a samba domain group by issuing the below command:

# samba-tool group delete your_domain_group

9. To display all samba domain groups run the following command:

10. To list all the samba domain members in a specific group use the command:

# samba-tool group listmembers "your_domain group"

11. Adding/Removing a member from a samba domain group can be done by issuing one of the following commands:

# samba-tool group addmembers your_domain_group your_domain_user # samba-tool group remove members your_domain_group your_domain_user

12. As mentioned earlier, samba-tool command line interface can also be used to manage your samba domain policy and security.

To review your samba domain password settings use the below command:

# samba-tool domain passwordsettings show

13. In order to modify samba domain password policy, such as the password complexity level, password ageing, length, how many old password to remember and other security features required for a Domain Controller use the below screenshot as a guide.

---------- List all command options ---------- # samba-tool domain passwordsettings -h

Never use the password policy rules as illustrated above on a production environment. The above settings are used just for demonstration purposes.

Step 2: Samba Local Authentication Using Active Directory Accounts

14. By default, AD users cannot perform local logins on the Linux system outside Samba AD DC environment.

In order to login on the system with an Active Directory account you need to make the following changes on your Linux system environment and modify Samba4 AD DC.

First, open samba main configuration file and add the below lines, if missing, as illustrated on the below screenshot.

$ sudo nano /etc/samba/smb.conf

Make sure the following statements appear on the configuration file:

winbind enum users = yes winbind enum groups = yes

15. After you’ve made the changes, use testparm utility to make sure no errors are found on samba configuration file and restart samba daemons by issuing the below command.

$ testparm $ sudo systemctl restart samba-ad-dc.service

16. Next, we need to modify local PAM configuration files in order for Samba4 Active Directory accounts to be able to authenticate and open a session on the local system and create a home directory for users at first login.

Use the pam-auth-update command to open PAM configuration prompt and make sure you enable all PAM profiles using [space] key as illustrated on the below screenshot.

When finished hit [Tab] key to move to Ok and apply changes.

17. Now, open /etc/nsswitch.conf file with a text editor and add winbind statement at the end of the password and group lines as illustrated on the below screenshot.

18. Finally, edit /etc/pam.d/common-password file, search for the below line as illustrated on the below screenshot and remove the use_authtok statement.

This setting assures that Active Directory users can change their password from command line while authenticated in Linux. With this setting on, AD users authenticated locally on Linux cannot change their password from console.

password [success=1 default=ignore] pam_winbind.so try_first_pass

Remove use_authtok option each time PAM updates are installed and applied to PAM modules or each time you execute pam-auth-update command.

19. Samba4 binaries comes with a winbindd daemon built-in and enabled by default.

For this reason you’re no longer required to separately enable and run winbind daemon provided by winbind package from official Ubuntu repositories.

In case the old and deprecated winbind service is started on the system make sure you disable it and stop the service by issuing the below commands:

$ sudo systemctl disable winbind.service $ sudo systemctl stop winbind.service

Although, we no longer need to run old winbind daemon, we still need to install Winbind package from repositories in order to install and use wbinfo tool.

Wbinfo utility can be used to query Active Directory users and groups from winbindd daemon point of view.

The following commands illustrates how to query AD users and groups using wbinfo.

$ wbinfo -g $ wbinfo -u $ wbinfo -i your_domain_user

20. Apart from wbinfo utility you can also use getent command line utility to query Active Directory database from Name Service Switch libraries which are represented in /etc/nsswitch.conf file.

Pipe getent command through a grep filter in order to narrow the results regarding just your AD realm user or group database.

# getent passwd | grep TECMINT # getent group | grep TECMINT

Step 3: Login in Linux with an Active Directory User

21. In order to authenticate on the system with a Samba4 AD user, just use the AD username parameter after su — command.

At the first login a message will be displayed on the console which notifies you that a home directory has been created on /home/$DOMAIN/ system path with the mane of your AD username.

Use id command to display extra information about the authenticated user.

# su - your_ad_user $ id $ exit

22. To change the password for an authenticated AD user type passwd command in console after you have successfully logged into the system.

23. By default, Active Directory users are not granted with root privileges in order to perform administrative tasks on Linux.

To grant root powers to an AD user you must add the username to the local sudo group by issuing the below command.

Make sure you enclose the realm, slash and AD username with single ASCII quotes.

# usermod -aG sudo 'DOMAIN\your_domain_user'

To test if AD user has root privileges on the local system, login and run a command, such as apt-get update, with sudo permissions.

# su - tecmint_user $ sudo apt-get update

24. In case you want to add root privileges for all accounts of an Active Directory group, edit /etc/sudoers file using visudo command and add the below line after root privileges line, as illustrated on the below screenshot:

%DOMAIN\\your_domain\ group ALL=(ALL:ALL) ALL

Pay attention to sudoers syntax so you don’t break things out.

Sudoers file doesn’t handles very well the use of ASCII quotation marks, so make sure you use % to denote that you’re referring to a group and use a backslash to escape the first slash after the domain name and another backslash to escape spaces if your group name contains spaces (most of AD built-in groups contain spaces by default). Also, write the realm with uppercases.

That’s all for now! Managing Samba4 AD infrastructure can be also achieved with several tools from Windows environment, such as ADUC, DNS Manager, GPM or other, which can be obtained by installing RSAT package from Microsoft download page.

To administer Samba4 AD DC through RSAT utilities, it’s absolutely necessary to join the Windows system into Samba4 Active Directory. This will be the subject of our next tutorial, till then stay tuned to TecMint.

Источник

Method for users to change Samba password

I have a Samba server for about 5 users (security = user) and I want a way for these users to change their passwords without my involvement so I have the following idea. Is this secure? Is there a better (as in more simple) approach. We used to have SWAT for this but no more.

On server: create restricted user (/bin/rbash + PATH to single directory)

$ sudo adduser --shell /bin/rbash pwchange $ cat /etc/passwd pwchange:x:1001:1001:pwchange. /home/pwchange:/bin/rbash $ sudo vi /home/pwchange/.bashrc Add: export PATH=/usr/local/pwchange $ sudo ln -s /usr/bin/smbpasswd /usr/local/pwchange/smbpasswd 

This idea here is that only the sambpasswd command can be run by the pwchange user. The unix accounts for the Samba users do not have passwords (i.e. log on via these accounts not allowed). The samba users would only be able to use this restricted account for self service Samba password changes . no exploring the server!

Client: Change Samba password via Terminal or Putty (Windows)

user1@A3700:~$ ssh pwchange@192.168.1.14 pwchange@V220:~$ smbpasswd -U user1 Old SMB password: New SMB password: Retype new SMB password: Password changed for user user1 

But I thought smbpasswd was meant for users and admin alike to change their passwords. Is that what you want?

In this case the Unix accounts of the users do not have passwords, therefore, user1 cannot log on as user1@192.168.1.14. The Samba server was setup as «security = user» and file restrictions were set in smb.conf. Users were not allowed a Unix logon as the underlying Unix file permissions were more permissive than the combination of Samba and Unix file permissions (Unix extended ACLs were not used.)

At my college we had a self serving portal which users can auth using id and sms verification, and in the background we issued the smbpasswd command

1 Answer 1

Giving them all access to the same dummy account doesn’t sound smart. Even if you lock it down to have access to nothing BUT smbpasswd they could still change eachother’s passwords. And there’s always possibility of a malicious privilege escalation attack.

Essentially what it sounds like you want is to allow them to run ONLY the smbpasswd command from their own user account while still having an equivalent to a nologin account.

This can be accomplished with the use of the «ForceCommand» option in your sshd_config.

Grant each user with a Samba account membership to the same group. For our example let’s say «sambaOnly»:

#From Root groupadd sambaOnly usermod -a -G sambaOnly Joe 

#From Root cat > /etc/ssh/sshd_config Match Group sambaOnly ForceCommand smbpasswd EOF 

Presto. From my understanding (and brief testing) this means when they login via SSH they will automatically have the smbpasswd command run and they will be prompted accordingly. They will never get the chance to have shell access. After the command completes they are automatically disconnected, again never getting a chance to have shell access.

I am not 100% sure this removes all access to the machine remotely. For example, if you are running a different SSH server on the same machine that doesn’t ForceCommand them, then they could login via that depending on its access control config.

Also, if they have the opportunity for physical access to a terminal they can login.

However, I think for most situations this is fairly strong access control.

Источник