When working in mixed Windows-Linux environments, administrators often need to change Active Directory passwords from Linux systems. This typically occurs in DevOps scenarios or when managing hybrid infrastructure.
Before proceeding, ensure you have:
- Linux system with Python 3.x installed
- Proper network connectivity to domain controllers
- Valid AD user credentials (for authentication)
- LDAP and Kerberos libraries installed
The simplest approach uses the ldappasswd utility from openldap. Point it at LDAPS rather than plain LDAP: AD refuses password changes on an unencrypted connection.
ldappasswd \
  -H ldaps://your.domain.controller \
  -x -D "CN=user,OU=Users,DC=domain,DC=com" \
  -w oldpassword -a oldpassword \
  -s newpassword
For more control, use Python with the python-ldap module:
import ldap

def change_ad_password(username, old_pass, new_pass, domain):
    # AD refuses unicodePwd changes over an unencrypted connection, so use LDAPS
    ldap_server = f"ldaps://{domain}"
    # Must match the naming context of your domain
    base_dn = "DC=domain,DC=com"
    user_dn = f"CN={username},{base_dn}"
    # AD expects the password wrapped in double quotes and encoded as UTF-16-LE
    old_value = f'"{old_pass}"'.encode("utf-16-le")
    new_value = f'"{new_pass}"'.encode("utf-16-le")
    conn = ldap.initialize(ldap_server)
    try:
        conn.simple_bind_s(user_dn, old_pass)
        # A user bound as themselves must delete the old value and add the new one in
        # one modify; MOD_REPLACE is an administrative reset and needs the
        # "Reset Password" right on the target object
        mod_list = [
            (ldap.MOD_DELETE, "unicodePwd", [old_value]),
            (ldap.MOD_ADD, "unicodePwd", [new_value]),
        ]
        conn.modify_s(user_dn, mod_list)
        print("Password changed successfully")
    except ldap.LDAPError as e:
        print(f"Error changing password: {e}")
    finally:
        conn.unbind_s()

change_ad_password("testuser", "OldPass123!", "NewPass456!", "ad.domain.com")
For environments requiring Kerberos authentication, obtain a ticket with kinit and then change the password with kpasswd (it prompts for the current password, the new password and its confirmation):
kinit username@DOMAIN.COM
printf 'oldpassword\nnewpassword\nnewpassword\n' | kpasswd
Common issues:
- LDAPS Requirement: Some organizations enforce LDAPS (port 636)
- Password Complexity: Ensure the new password meets AD requirements
- Time Synchronization: Kerberos requires clocks within 5 minutes of each other (the default maximum clock skew)
- Firewall Rules: Verify ports 389/636 are open to domain controllers
Always:
- Use encrypted connections (LDAPS or StartTLS)
- Never hardcode passwords in scripts
- Implement proper error handling
- Consider using service accounts with minimal privileges
When working in mixed OS environments, changing Active Directory passwords from Linux machines becomes a common requirement for sysadmins and developers. While Windows provides native tools for this purpose, Linux requires specific approaches using either LDAP protocols or Samba utilities.
The most direct approach involves using ldapmodify with proper authentication. Here's a complete example:
# Install required packages
sudo apt-get install ldap-utils
# AD expects the unicodePwd value to be the new password wrapped in double quotes and
# encoded as UTF-16-LE; LDIF carries binary values base64-encoded after "::"
NEW_PWD_B64=$(printf '"NewSecurePass1!"' | iconv -f UTF-8 -t UTF-16LE | base64 -w0)
# Command to change password (LDAPS: AD refuses unicodePwd changes over a cleartext connection)
ldapmodify -H ldaps://your.domain.controller \
  -D "cn=admin,dc=domain,dc=com" \
  -w adminpassword \
  -x <<EOF
dn: cn=targetuser,ou=users,dc=domain,dc=com
changetype: modify
replace: unicodePwd
unicodePwd:: $NEW_PWD_B64
EOF
For environments with Samba integration, this method works well:
# Install Samba client tools
sudo apt-get install samba-common-bin
# Execute password change
smbpasswd -r domaincontroller -U username
For automation purposes, here's a Python solution:
from getpass import getpass
from ldap3 import Server, Connection, ALL, MODIFY_REPLACE

# LDAPS on 636: AD refuses unicodePwd modifications over an unencrypted connection
server = Server('ldaps://domaincontroller', use_ssl=True, get_info=ALL)
# Prompt for the credential instead of hardcoding it in the script
conn = Connection(server, user='DOMAIN\\adminuser', password=getpass('Admin password: '), auto_bind=True)
new_password = 'NewSecurePass1!'
# AD expects the new password wrapped in double quotes and encoded as UTF-16-LE
unicode_pass = ('"%s"' % new_password).encode('utf-16-le')
# MODIFY_REPLACE is an administrative reset; it needs the "Reset Password" right on the target
conn.modify('cn=targetuser,ou=users,dc=domain,dc=com',
            {'unicodePwd': [(MODIFY_REPLACE, [unicode_pass])]})
print(conn.result)
conn.unbind()
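The following is an added example, not code from either write-up above. It pulls together the unicodePwd encoding that both Python snippets rely on and shows the two shapes an AD password modification can take: the self-service change (bound as the user, delete old value and add new value) and the administrative reset (MODIFY_REPLACE). Host names, DNs, passwords and the CA bundle path are assumptions; ldap3 is imported only inside the function that actually talks to a domain controller, so the encoding helpers run without it.

```python
"""
Added example (not from the original articles): the unicodePwd encoding that AD
expects, and the two kinds of modification a password change can take.

Assumptions: host names, DNs and passwords are placeholders; ldap3 is only needed
(and imported) when actually talking to a domain controller.
"""
import ssl

# ldap3 represents the operation kinds as these string constants; they are spelled
# out here so the pure-Python helpers work without ldap3 installed.
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """AD requires the password wrapped in double quotes and encoded as UTF-16-LE
    (no byte-order mark). Forgetting the quotes yields a constraint violation even
    when the password satisfies policy."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; useful for checking the encoding in tests."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted string")
    return text[1:-1]


def self_change_modifications(old_password: str, new_password: str) -> dict:
    """A user changing their own password (bound as that user) must DELETE the old
    value and ADD the new one in a single modify; AD then verifies the old password
    and enforces the password policy (history, minimum age, complexity)."""
    return {
        "unicodePwd": [
            (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
            (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
        ]
    }


def admin_reset_modifications(new_password: str) -> dict:
    """An administrative reset REPLACEs the value; it needs the 'Reset Password'
    right on the target object and does not require the old password."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def apply_password_change(dc_host, bind_user, bind_password, target_dn, changes,
                          ca_certs_file="/etc/ssl/certs/ca-certificates.crt"):
    """Send a prepared modification to AD over LDAPS with certificate validation and
    return ldap3's result dict. Needs a reachable DC, so the offline checks do not
    call it. The CA bundle path is an assumption (Debian/Ubuntu default)."""
    from ldap3 import Connection, Server, Tls  # imported lazily; see module docstring

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    server = Server(dc_host, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=bind_user, password=bind_password, auto_bind=True)
    try:
        conn.modify(target_dn, changes)
        return conn.result
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Offline demonstration of the two modification shapes (placeholder values)
    print(self_change_modifications("OldPass123!", "NewPass456!"))
    print(admin_reset_modifications("NewSecurePass1!"))
```

For a self-service change, bind as the user's own DN with the current password and pass `self_change_modifications(old, new)`; for a reset, bind as an account holding the Reset Password right and pass `admin_reset_modifications(new)`. In both cases AD silently requires the encrypted transport that `apply_password_change` sets up.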
Common issues:
- SSL/TLS Errors: Always verify your domain controller's certificate
- Password Policy Rejections: Ensure new passwords meet complexity requirements
- Firewall Blocks: Verify ports 389 (LDAP) or 636 (LDAPS) are open
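As an added example for the troubleshooting points in both write-ups (not part of the original text), the block below separates the causes before a bind is even attempted (port blocked versus certificate not trusted) and maps the error AD returns to the listed causes. The host and port defaults and the sample messages are constructed for the example; `classify_ad_error` works on the `description` and `message` fields that ldap3 exposes in `Connection.result`, or on the string form of a python-ldap exception.

```python
"""
Added example (not from the original articles): a preflight check and an error
classifier for the failure causes listed above. Hosts, ports and the sample
messages are constructed for the example.
"""
import socket
import ssl

LDAPS_PORT = 636


def check_ldaps_reachability(host: str, port: int = LDAPS_PORT, timeout: float = 3.0) -> dict:
    """Distinguish 'port blocked' from 'certificate not trusted' before trying a bind.
    Returns a dict with keys reachable, tls_ok and detail."""
    result = {"reachable": False, "tls_ok": False, "detail": ""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Firewall block, wrong port or DC down: nothing answers on the port at all
        result["detail"] = f"cannot connect to {host}:{port}: {exc}"
        return result
    result["reachable"] = True
    ctx = ssl.create_default_context()  # verifies the chain and the host name by default
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls_ok"] = True
            result["detail"] = f"TLS {tls.version()} established, certificate verified"
    except ssl.SSLCertVerificationError as exc:
        # Typical with an internal CA that is not in the system trust store
        result["detail"] = f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        result["detail"] = f"TLS handshake failed: {exc}"
    finally:
        sock.close()
    return result


# Substrings AD places in its diagnostic message for the causes listed above.
# 0x52D is ERROR_PASSWORD_RESTRICTION (policy), 0x56 is ERROR_INVALID_PASSWORD
# (wrong current password); AD usually wraps both in an LDAP result of
# unwillingToPerform (53) or constraintViolation (19).
_ERROR_HINTS = [
    ("00000056", "wrong current password (self-service change rejected)"),
    ("0000052d", "new password rejected by password policy (length, complexity, history or minimum age)"),
    ("constraintviolation", "new password rejected by password policy"),
    ("certificate verify failed", "domain controller certificate not trusted; check the CA bundle"),
    ("clock skew", "Kerberos clock skew too great; synchronise time with the domain"),
]


def classify_ad_error(description: str, message: str = "") -> str:
    """Map an LDAP result to one of the causes listed above; unknown inputs get a
    generic hint rather than a guess."""
    text = f"{description} {message}".lower()
    for needle, hint in _ERROR_HINTS:
        if needle in text:
            return hint
    if "unwillingtoperform" in text:
        return ("server refused the operation; typical causes are a cleartext connection "
                "(AD requires LDAPS or StartTLS for unicodePwd) or missing rights on the target")
    if "invalidcredentials" in text:
        return "bind failed: wrong user DN or password, or a locked or expired account"
    return "unclassified LDAP error; inspect the full diagnostic message"


if __name__ == "__main__":
    # Constructed sample result, shaped like ldap3's Connection.result after a rejected change
    sample = {"description": "unwillingToPerform",
              "message": "0000052D: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0"}
    print(classify_ad_error(sample["description"], sample["message"]))
    print(check_ldaps_reachability("dc01.domain.com"))  # placeholder host name
```

Run the reachability check first: if `reachable` is false the problem is the network path or the port, if `tls_ok` is false it is the certificate chain, and only once both pass is a bind failure worth reading as a credential or policy problem.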
When implementing any of these methods:
- Never store credentials in plaintext scripts
- Use encrypted connections (LDAPS instead of LDAP)
- Consider using Kerberos authentication when available
- Implement proper error handling in your scripts