I'm using Mac OS X, with the machine not joined to the domain. Some file shares in the company are now on the domain, and logging into these has just started causing failures, telling me that my password has expired.

So now I have to figure out how to change my password.

Following the solutions to the same question answered here led to trying various things, but nothing worked, which is why I ended up having to post a new question even though the description is very similar.

The first problem was not knowing the DC address. Someone addressed that in the other solutions as well.

$ dig -t SRV _ldap._tcp.dc._msdcs.acme.com

; <<>> DiG 9.8.3-P1 <<>> -t SRV _ldap._tcp.dc._msdcs.acme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27127
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 8

;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.acme.com. IN  SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 hndc02.acme.com.
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 hndc01.acme.com.
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 sfdc02.acme.com.
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 sydc03.acme.com.
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 nvdc01.acme.com.
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 chdc01.acme.com.
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 chdc02.acme.com.
_ldap._tcp.dc._msdcs.acme.com. 600 IN   SRV 0 100 389 ckdc01.acme.com.

;; ADDITIONAL SECTION:
hndc02.acme.com.    3600    IN  A   10.50.2.6
hndc01.acme.com.    3600    IN  A   10.50.2.5
sfdc02.acme.com.    3600    IN  A   10.90.2.5
sydc03.acme.com.    3600    IN  A   10.10.2.5
nvdc01.acme.com.    3600    IN  A   10.70.2.5
chdc01.acme.com.    3600    IN  A   10.30.2.5
chdc02.acme.com.    3600    IN  A   10.30.2.6
ckdc01.acme.com.    3600    IN  A   10.110.2.5

;; Query time: 2 msec
;; SERVER: 10.10.2.5#53(10.10.2.5)
;; WHEN: Thu Jun 23 10:02:55 2016
;; MSG SIZE  rcvd: 455

The different DCs correspond to different regional offices, so I picked 10.10.2.5 to try. I'm not sure whether the username here is supposed to include the domain or not, so I ended up having to try both. But both give NT_STATUS_ACCESS_DENIED. I have no idea whether this means "your login is incorrect" or "your login is correct but we're not going to let you change your password".

$ smbpasswd -r 10.10.2.5 -U JSmith01@acme.com
Old SMB password:
New SMB password:
Retype new SMB password:
machine 10.10.2.5 rejected the session setup. Error was : NT_STATUS_ACCESS_DENIED.
$ smbpasswd -r 10.10.2.5 -U JSmith01
Old SMB password:
New SMB password:
Retype new SMB password:
machine 10.10.2.5 rejected the session setup. Error was : NT_STATUS_ACCESS_DENIED.

Asking someone else in the office about the network setup, they gave me a different IP address to try. This gave me a different error message, but again I'm not sure whether it means my old password was wrong, or the new password was wrong, or something else. Though I know the password I provided is correct, because it had previously worked with other services.

$ smbpasswd -r 10.10.20.6 -U JSmith01@acme.com
Old SMB password:
New SMB password:
Retype new SMB password:
machine 10.10.20.6 rejected the password change: Error was : Wrong Password.
$ smbpasswd -r 10.10.20.6 -U JSmith01
Old SMB password:
New SMB password:
Retype new SMB password:
machine 10.10.20.6 rejected the password change: Error was : Wrong Password.

What's the next thing to try?

Hakanai
  • You're going to have to join the computer to the domain in order to solve your problem. – Ramhound Jun 23 '16 at 02:24
  • And you should ask your IT department for help. – DavidPostill Jun 23 '16 at 15:54
  • Neither of these things seems likely to happen. I'm not joining a domain run by system administrators who can't even keep basic stuff working for long enough for me to go on a holiday and come back to a working network. – Hakanai Jun 29 '16 at 05:25

0 Answers