<div dir="ltr">Hi Loris,<div><br></div><div>Thanks for the quick and informational response.</div><div><br></div><div>I'm going to ask for a little hand holding here. I'm not well versed in LDAP or IPA.</div><div>
********************************************************************************************</div><div><br></div><div>>>>>>>>> How would I use ldapsearch to check that this value is correctly set already? I have already set "ldap passwd sync = only" in smb.conf as recommended by our Red Hat Consultant.</div>
<div><br></div><div>>>>>>>>> Where can I find that patch that is needed to correctly set the sambaPwdLastSet attribute?</div><div><br></div><div><br></div><div><span style="font-family:arial,sans-serif;font-size:13px"> To have some correspondence between IPA password policies and samba</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> password policies you need to:</span><br style="font-family:arial,sans-serif;font-size:13px"><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> 1. Create a sufficiently privileged "bind user" in ipa and have</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> samba connect to IPA using that "bind user". For example</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> uid=sambaadmin,cn=sysaccounts,</span><span style="font-family:arial,sans-serif;font-size:13px">cn=etc,dc=example,dc=com</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> 2. To have password changes in windows work as normal user password</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> changes (instead of password resets) you must add the above</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> "bind user" to the "passsyncmanagersdn" attribute of the</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> ipa_pwd_extop plugin configuration. Similar to what is explained</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> here:</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> </span><a href="http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html" target="_blank" style="font-family:arial,sans-serif;font-size:13px">http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html</a><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> 3. Samba should not mess with password expiration attributes in</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> ldap, so you should set "ldap passwd sync = only" in smb.conf</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> 4. You need a small patch in the ipa_pwd_extop plugin to have it</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> set the sambaPwdLastSet attributes on password changes</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px"> 5. Samba password policies (Maximum password duration, minimum</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px"> password duration) should match the IPA password policies</span><br>
</div><div><br></div><div><br></div><div><br></div><div>>>>>>>>>> Below are the patches I received from our Red Hat consultant. Is this similar to what you're talking about?</div><div><br></div>
<div><br></div><div>------------------------------------------------------------------------------------------------------------------------------------------------------------------------------</div><div><br></div><div><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">
--- group.js.orig 2012-06-25 11:59:02.789096058 -0700
+++ group.js 2012-06-25 12:02:47.669143612 -0700
@@ -37,7 +37,8 @@
columns: [
'cn',
'gidnumber',
- 'description'
+ 'description',
+ 'sambagrouptype'
]
}).
details_facet({
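Review bot: the new 'sambagrouptype' search column has nothing to render from unless the server also exposes that attribute as a group parameter with a label; that only happens once the group.py hunk further down (Int('sambagrouptype', label=_('Samba Group Type'), ...)) is applied, so state in the patch description that the two files must be patched together and in which order.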
@@ -50,7 +51,8 @@
type: 'textarea',
name: 'description'
},
- 'gidnumber'
+ 'gidnumber',
+ 'sambagrouptype'
]
}
]
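Review bot: in the details facet 'sambagrouptype' is added as a plain field, so an editor can save any integer there, while the adder dialog in the next hunk restricts the choice to Domain (2) / Local (4) through IPA.select_widget. Reuse the same select widget definition here so the details view cannot write a value the add dialog would never offer.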
@@ -116,6 +118,14 @@
label: IPA.messages.objects.group.posix,
checked: true
},
+ {
+ factory: IPA.select_widget,
+ name: 'sambagrouptype',
+ label: IPA.messages.objects.group.sambagrouptype,
+ options: [
+ {label: 'Domain', value: 2},
+ {label: 'Local', value: 4}]
+ },
'gidnumber'
]
});</pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><br></pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><br></pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap">
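Review bot: the label IPA.messages.objects.group.sambagrouptype is read from the server-supplied message catalogue and nothing in this patch adds that key, so the select widget will render with an undefined label unless the internal messages plugin is patched as well. Either add the message on the server side or use a literal label, as the option entries 'Domain' and 'Local' already do.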
----------------------------------------------------------------------------------------------------------------------------</pre><pre style="color:rgb(0,0,0);word-wrap:break-word;white-space:pre-wrap"><pre style="word-wrap:break-word;white-space:pre-wrap">
--- group.py.orig 2012-06-25 12:06:13.265838223 -0700
+++ group.py 2012-06-25 12:06:19.513906111 -0700
@@ -102,7 +102,7 @@
takes_params = (
Str('cn',
- pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
+ pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_. -]{0,252}[a-zA-Z0-9_.$-]?$',
pattern_errmsg='may only include letters, numbers, _, -, . and $',
maxlength=255,
cli_name='group_name',
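Review bot: the new pattern admits a space inside a group name ([a-zA-Z0-9_. -]) but pattern_errmsg still reads 'may only include letters, numbers, _, -, . and $', so a rejected input now gets a message that no longer describes the rule; update the message to match. Also say in the patch description why spaces are wanted: these are POSIX group names too, and embedded spaces are awkward for any tool that splits group lists on whitespace, so if the goal is only a readable Samba display name this relaxation is broader than needed.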
@@ -121,6 +121,13 @@
doc=_('GID (use this option to set it manually)'),
minvalue=1,
),
+ Int('sambagrouptype',
+ cli_name='sgt',
+ label=_('Samba Group Type'),
+ doc=_('Samba Group Type (default is 2)'),
+ default=2,
+ autofill=True,
+ ),
)
api.register(group)</pre><pre style="word-wrap:break-word;white-space:pre-wrap"><br></pre><pre style="word-wrap:break-word;white-space:pre-wrap">---------------------------------------------------------------------------------------------------------------------------------------</pre>
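Review bot: Int('sambagrouptype', ...) accepts any integer while the UI offers only 2 and 4; the server is where the value should be validated, so constrain the accepted values here rather than relying on the dialog. Storing sambaGroupType also requires the group entry to carry the sambaGroupMapping objectClass (see the reply quoted below), and this hunk does not add that objectClass, so with autofill=True every group-add will be rejected by the directory with an objectClass violation unless the group object has been extended separately. Minor: doc=_('Samba Group Type (default is 2)') duplicates default=2, which the framework already displays.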
</pre></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 8, 2013 at 12:15 PM, Loris Santamaria <span dir="ltr"><<a href="mailto:loris@lgs.com.ve" target="_blank">loris@lgs.com.ve</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">El mar, 08-10-2013 a las 09:25 -0500, Zachary Musselman escribió:<br>
<div class="im">> Hello Dmitri,<br>
><br>
><br>
> We are currently using Samba as a file server and a DC with NT style<br>
> domain for our Windows clients. IPA is the password backend for<br>
> Samba.<br>
><br>
><br>
> Our Red Hat consultant originally had the following items working when<br>
> this system was installed last year.<br>
><br>
><br>
> ** Ability to add groups in the IPA web interface for samba<br>
><br>
><br>
> I have these patches and need to make sure that they work with IPA 3.0<br>
> and RHEL 6.4 before I apply them.<br>
<br>
</div>Those patches surely could be adapted without much work. The web<br>
interface for groups has not changed much between IPA 2.2 and 3.0<br>
<br>
Anyway, there is not a real need to patch the web interface to have IPA<br>
add the objectClasses (sambaGroupMapping) and attributes (sambaSID and<br>
sambaGroupType) required by Samba. I've done this for some customers<br>
adding a DNA plugin configuration for sambaSID and extending the IPA<br>
group object to add the objectclass and sambagrouptype, as explained in<br>
<a href="http://abbra.fedorapeople.org/guide.html#sec-4" target="_blank">http://abbra.fedorapeople.org/guide.html#sec-4</a>. No need to patch the Web<br>
UI here.<br>
<div class="im"><br>
> ** We have a default password policy of 90 days expiration. This<br>
> policy also has complexity, history, length, etc.<br>
><br>
><br>
> Early this year that 90 day expiration stopped working and my Windows<br>
> users were no longer receiving a "must change password" notice. We<br>
> were hoping the update to RHEL 6.4 and IPA 3.0 would fix this but it<br>
> has not. Currently my users are showing an EXPIRATION in IPA of<br>
> June/July or so time frame. Back in April we manually changed all<br>
> users' passwords to a temporary. That prompted them to login and<br>
> change their password, hoping this would kickstart the 90 day<br>
> expiration again. That was NOT successful.<br>
><br>
><br>
> At a MINIMUM we are needing to correctly have IPA expire a user's<br>
> password and allow Samba to understand that as well based on the<br>
> password policy IPA shows for a given user.<br>
<br>
</div>To have some correspondence between IPA password policies and samba<br>
password policies you need to:<br>
<br>
1. Create a sufficiently privileged "bind user" in ipa and have<br>
samba connect to IPA using that "bind user". For example<br>
uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,dc=com<br>
2. To have password changes in windows work as normal user password<br>
changes (instead of password resets) you must add the above<br>
"bind user" to the "passsyncmanagersdn" attribute of the<br>
ipa_pwd_extop plugin configuration. Similar to what is explained<br>
here:<br>
<a href="http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html" target="_blank">http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html</a><br>
3. Samba should not mess with password expiration attributes in<br>
ldap, so you should set "ldap passwd sync = only" in smb.conf<br>
4. You need a small patch in the ipa_pwd_extop plugin to have it<br>
set the sambaPwdLastSet attributes on password changes<br>
5. Samba password policies (Maximum password duration, minimum<br>
password duration) should match the IPA password policies<br>
<br>
At least that is the route we took with customers and it has worked<br>
fairly well.<br>
<div class="im"><br>
> I have a test user who has a 2nd password policy we created. That<br>
> user has a 1 day expiration within IPA. When I change the following<br>
> value using ldapmodify, it CORRECTLY makes Samba prompt the user to<br>
> change their password when logging in the next time. When I change<br>
> this test password, IPA resets the EXPIRATION DATE to 90 days out and<br>
> not 1 day from the time password was changed.<br>
<br>
</div>Probably samba is connecting to IPA with an admin user and password<br>
changes end up being done by IPA as password resets. See point 2 above.<br>
<div class="im"><br>
> A third item we need fixed if possible, is the ability to enforce<br>
> password complexity, history, length, etc. through Samba based on what<br>
> IPA shows for a user's password policy. I cannot confirm if this WAS<br>
> working or not after it was initially installed. I guess you or Rob<br>
> would be the individuals who could tell me what is possible to enable<br>
> this feature.<br>
<br>
</div>We've done it manually (with pdbedit -P) and after that everything works<br>
ok, password history, password length, password duration and complexity,<br>
all match between samba and IPA.<br>
<br>
Hope it helps.<br>
<div><div class="h5"><br>
<br>
> On Fri, Oct 4, 2013 at 9:56 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> wrote:<br>
> Zach Musselman wrote:<br>
> Hello,<br>
><br>
> My company is having issues with our current install<br>
> of IPA on RHEL 6.4.<br>
><br>
> ** We had group patches that worked with IPA 2.2.0 and<br>
> allowed us to<br>
> enter samba groups directly in the IPA web interface.<br>
> Red Hat is unable<br>
> to confirm these patches are updated for IPA 3.0 RHEL<br>
> 6.4 even though<br>
> their Red Hat consultant created these a year ago.<br>
><br>
> I'm not clear what you mean by updated for IPA 3.0. Are you<br>
> asking the patches to be rebased?<br>
><br>
> It is also unclear if things were working properly with 2.2.0<br>
> and broke with 3.0, or if these things never worked, or<br>
> something else.<br>
><br>
><br>
> ** IPA password policy (history, length, complexity,<br>
> etc.) enforcement<br>
><br>
> Our current versions are not allowing the IPA password<br>
> policy to work<br>
> with Samba. My Windows users are able to change their<br>
> password either<br>
> MANUALLY or WHEN FORCED to reset via the IPA<br>
> interface. However, none of<br>
> the password history, length, complexity and so on are<br>
> enforced with<br>
> Samba and users are able to either keep the same<br>
> password or change it<br>
> to anything they want without restrictions.<br>
><br>
> Can you be more specific about where the password changes are<br>
> happening? What do you mean by manually? Changing it via the UI<br>
> should apply password policy because that is really<br>
> independent of any Samba changes that have been made.<br>
><br>
><br>
> ** Samba password change also changing correctly the<br>
> IPA expiration date<br>
> so IPA can successfully reset the (sambaPwdLastSet: 0)<br>
> value upon 90<br>
> days since last password change<br>
><br>
> If we manually run ldapmodify and change the value of<br>
> sambaPwdLastSet to<br>
> equal 0, this correctly forces the end user to change<br>
> their password in<br>
> Windows.<br>
><br>
> The issue though is their IPA password expiration date<br>
> listed in the<br>
> interface isn't correctly showing the amount of days<br>
> to expire NEXT. I<br>
> have a test user that has a password policy of 1 day<br>
> expiration. I<br>
> would expect this user to show an expiration date of<br>
> the next day after<br>
> password change but for some reason it always keeps<br>
> showing about 90<br>
> days out, which is my default policy for all users.<br>
><br>
> I need to be able to test that IPA is correctly<br>
> expiring the password<br>
> after 1 day so that I know in 90 days my other users<br>
> will receive the<br>
> same expiration.<br>
><br>
> For most of this year password expiration was not<br>
> working and IPA is<br>
> showing a password expiration of months ago when their<br>
> password should<br>
> have expired (samba never prompted for this change).<br>
> Since we updated<br>
> to IPA 3.0, I'm hoping that when I reset their<br>
> sambaPwdLastSet to 0 that<br>
> IPA will start enforcing a 90 day expiration again.<br>
><br>
> I don't really know much about how Windows/Samba does password<br>
> expiration, but IPA has no process to look at the last set<br>
> date, compare that to the policy, and reset sambaPwdLastSet.<br>
> Is that what you're expecting?<br>
><br>
><br>
> Any help you can provide on these issues would be<br>
> greatly appreciated!<br>
><br>
> Also, what would you recommend for future IPA versions<br>
> and Samba? Will<br>
> RHEL 6.5 include a newer version of IPA that will work<br>
> and integrate<br>
> better with Samba? Or should we start looking at<br>
> other options that<br>
> integrate our password features more as they are<br>
> needed, like Samba 4?<br>
><br>
> There are no Samba integration changes made that I know of.<br>
><br>
> rob<br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Loris Santamaria linux user #70506 <a href="mailto:xmpp%3Aloris@lgs.com.ve">xmpp:loris@lgs.com.ve</a><br>
Links Global Services, C.A. <a href="http://www.lgs.com.ve" target="_blank">http://www.lgs.com.ve</a><br>
Tel: 0286 952.06.87 Cel: 0414 095.00.10 <a href="mailto:sip%3A103@lgs.com.ve">sip:103@lgs.com.ve</a><br>
------------------------------------------------------------<br>
"If I'd asked my customers what they wanted, they'd have said<br>
a faster horse" - Henry Ford<br>
</font></span></blockquote></div><br></div>
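The question at the top of this message is how to verify with ldapsearch that Samba's bind account is already listed as a password-sync manager (step 2 of the quoted reply: if it is not, Windows-initiated password changes are handled as administrative resets and the user's expiration is not carried forward). The following is an added example, not code from the thread or from FreeIPA. It assumes the plugin configuration entry is `cn=ipa_pwd_extop,cn=plugins,cn=config`, that the manager-list attribute is spelled `passSyncManagersDN` (the reply writes it as `passsyncmanagersdn`; the spelling has varied, so the check matches any attribute whose name starts with that prefix, case-insensitively), and that reading `cn=config` needs Directory Manager credentials. The LDIF entries it parses are constructed sample output, not captured from a real server.

```python
"""Check whether Samba's IPA bind account is a password-sync manager.

Added example for the thread above; not FreeIPA's own code.
Assumptions (not taken from the thread): the plugin config DN below and
the attribute name passSyncManagersDN, matched by case-insensitive prefix
so a variant spelling still counts.
"""
import shlex
from collections import defaultdict

# Assumed DN of the password extended-operation plugin's config entry.
PWD_EXTOP_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"

# Any attribute whose lowercase name starts with this is treated as the
# manager list, so passSyncManagersDN and a pluralised variant both match.
MANAGER_ATTR_PREFIX = "passsyncmanagersdn"


def ldapsearch_command(server, plugin_dn=PWD_EXTOP_DN):
    """argv for ldapsearch that reads just the plugin entry (base scope).

    cn=config is normally readable only by Directory Manager, hence a
    simple bind with -D/-W rather than a GSSAPI bind as the IPA admin.
    """
    return [
        "ldapsearch", "-x", "-LLL",
        "-H", f"ldap://{server}",
        "-D", "cn=Directory Manager", "-W",
        "-b", plugin_dn, "-s", "base",
    ]


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Folded continuation lines (leading space) are joined back; comments
    and a version line are skipped. Base64 values (::) are kept with their
    leading colon rather than decoded, which is enough for DN attributes.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped value
        else:
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        entry[name.strip().lower()].append(value.strip())
    return dict(entry)


def normalize_dn(dn):
    """Canonical form for comparison: lowercase, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def passsync_managers(entry):
    """All DNs listed under any manager-list attribute of the entry."""
    dns = []
    for name, values in entry.items():
        if name.startswith(MANAGER_ATTR_PREFIX):
            dns.extend(values)
    return dns


def bind_user_is_manager(entry, bind_dn):
    """True if bind_dn is among the plugin's password-sync managers."""
    wanted = normalize_dn(bind_dn)
    return any(normalize_dn(dn) == wanted for dn in passsync_managers(entry))


def add_manager_ldif(bind_dn, attr_name="passSyncManagersDN", plugin_dn=PWD_EXTOP_DN):
    """LDIF for ldapmodify that appends bind_dn to the manager list."""
    return (
        f"dn: {plugin_dn}\n"
        "changetype: modify\n"
        f"add: {attr_name}\n"
        f"{attr_name}: {bind_dn}\n"
    )


# Constructed sample entries in the shape ldapsearch -LLL prints them.
SAMPLE_NOT_SET = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: ipa_pwd_extop
nsslapd-pluginEnabled: on
"""

# Same entry with the bind user listed; the DN is folded across two lines.
SAMPLE_SET = SAMPLE_NOT_SET + """\
passSyncManagersDN: uid=sambaadmin,cn=sysaccounts,
 cn=etc,dc=example,dc=com
"""

SAMBA_BIND_DN = "uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,dc=com"

if __name__ == "__main__":
    print("Run:", shlex.join(ldapsearch_command("ipa.example.com")))
    for label, ldif in (("not set", SAMPLE_NOT_SET), ("set", SAMPLE_SET)):
        listed = bind_user_is_manager(parse_ldif(ldif), SAMBA_BIND_DN)
        print(f"{label}: bind user listed = {listed}")
    print(add_manager_ldif(SAMBA_BIND_DN), end="")
```

Feed the real `ldapsearch` output (the command printed by `ldapsearch_command`) into `parse_ldif` and `bind_user_is_manager` with the DN from smb.conf's `ldap admin dn`; if it returns False, the LDIF from `add_manager_ldif` is what `ldapmodify` needs, after confirming the attribute's exact spelling in the entry you just read.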