Changing password for Administrator in Samba4

Now when you have a successful running Samba4 domain server, you might come across a time when you will have to change the Administrator password. Let me show you the steps to do the same:
Let us verify the details of the current password. As soon as you create a Kerberos password for authentication against clients it creates a expiration date of the password.

The klist command displays the contents of a Kerberos credentials cache or key table.

-e : Displays the encryption type for the session key and the ticket.

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/13 05:46:08  03/25/13 15:46:08  krbtgt/EXAMPLE.COM@EXAMPLE.COM
       renew until 03/26/13 05:46:04, Etype (skey, tkt): arcfour-hmac, arcfour-hmac


Now to change the current administrator password

# kpasswd
Password for administrator@EXAMPLE.COM:
Enter new password:
Enter it again:
Password changed.

How to Reset Administrator Password

In case you forgot the administrator password then no need to panic as you can reset the password by logging physically into the domain server box

# samba-tool user setpassword Administrator
New Password:
Enter it again:
Password changed.

Related Articles
Samba 4.1 as Active Directory configuration guide
How to configure Linux client to join samba4 domain

3 thoughts on “Changing password for Administrator in Samba4”

  1. Hi,

    I am not able to join system on Domain controller in Samba4 setup. Also replicaiton fail.

    $ samba-tool drs showrepl
    ldb_wrap open of secrets.ldb
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'naclrpc_as_system' registered
    GENSEC backend 'sasl-EXTERNAL' registered
    GENSEC backend 'ntlmssp' registered
    GENSEC backend 'http_basic' registered
    GENSEC backend 'http_ntlm' registered
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    Using binding ncacn_ip_tcp:pdc.example.com[,seal]
    resolve_lmhosts: Attempting lmhosts lookup for name pdc.example.com
    resolve_lmhosts: Attempting lmhosts lookup for name pdc.example.com
    Wrong username or password: kinit for PDC$@EXAMPLE.COM failed (Preauthentication failed)

    SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60898235
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088235
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088235
    Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:10.0.1.200[1024,seal,target_hostname=pdc.example.com,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=10.0.1.200] NT_STATUS_LOGON_FAILURE
    ERROR(): DRS connection to pdc.example.com failed - drsException: DRS connection to pdc.example.com failed: (-1073741715, 'Logon failure')
    File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/drs.py", line 41, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
    File "/usr/local/samba/lib64/python2.6/site-packages/samba/drs_utils.py", line 54, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

    Reply

Leave a Comment