[Freeipa-users] IPA 3.0 RHEL 6.4

Rob Crittenden rcritten at redhat.com
Fri Oct 4 14:56:14 UTC 2013


Zach Musselman wrote:
> Hello,
>
> My company is having issues with our current install of IPA on RHEL 6.4.
>
> ** We had group patches that worked with IPA 2.2.0 and allowed us to
> enter samba groups directly in the IPA web interface.  Red Hat is unable
> to confirm these patches are updated for IPA 3.0 RHEL 6.4 even though
> their Red Hat consultant created these a year ago.

I'm not clear what you mean by updated for IPA 3.0. Are you asking for
the patches to be rebased?

It is also unclear if things were working properly with 2.2.0 and broke 
with 3.0, or if these things never worked, or something else.

>
> ** IPA password policy (history, length, complexity, etc.) enforcement
>
> Our current versions are not allowing the IPA password policy to work
> with Samba.  My Windows users are able to change their password either
> MANUALLY or WHEN FORCED to reset via the IPA interface.  However, none of
> the password history, length, complexity and so on are enforced with
> Samba and users are able to either keep the same password or change it
> to anything they want without restrictions.

Can you be more specific about where the password changes are happening? 
What do you mean by manually? Changing it via the UI should apply password
policy because that is really independent of any Samba changes that have 
been made.

>
> ** Samba password change also changing correctly the IPA expiration date
> so IPA can successfully reset the (sambaPwdLastSet: 0) value upon 90
> days since last password change
>
> If we manually run ldapmodify and change the value of sambaPwdLastSet to
> equal 0, this correctly forces the end user to change their password in
> Windows.
>
> The issue though is their IPA password expiration date listed in the
> interface isn't correctly showing the amount of days to expire NEXT.  I
> have a test user that has a password policy of 1 day expiration.  I
> would expect this user to show an expiration date of the next day after
> password change but for some reason it always keeps showing about 90
> days out, which is my default policy for all users.
>
> I need to be able to test that IPA is correctly expiring the password
> after 1 day so that I know in 90 days my other users will receive the
> same expiration.
>
> For most of this year password expiration was not working and IPA is
> showing a password expiration of months ago when their password should
> have expired (samba never prompted for this change).  Since we updated
> to IPA 3.0, I'm hoping that when I reset their sambaPwdLastSet to 0 that
> IPA will start enforcing a 90 day expiration again.

I don't really know much about how Windows/Samba does password 
expiration, but IPA has no process to look at the last set date, compare 
that to the policy, and reset sambaPwdLastSet. Is that what you're 
expecting?

>
> Any help you can provide on these issues would be greatly appreciated!
>
> Also, what would you recommend for future IPA versions and Samba?  Will
> RHEL 6.5 include a newer version of IPA that will work and integrate
> better with Samba?  Or should we start looking at other options that
> integrate our password features more as they are needed, like Samba 4?

There are no Samba integration changes made that I know of.

rob



