[Freeipa-users] Resynchronize Samba Password

Marc Grimme grimme at atix.de
Fri Oct 12 11:20:41 UTC 2012


On 11.10.2012 18:12, Simo Sorce wrote:
> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>> On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
>>>
>> No they are integrated in the Kerberos Domain of IPA but not joined to 
>> the samba domain.
>>> Ok. Sorry I'm using ldap passwd sync=Yes Is that wrong? 
> Yes, you should use "ldap passwd sync = only"
Ok, I set it as suggested.
>
>> Further testing.
>> I have a user called tuser.
>> 1. Reset the password:
>> ipaserver1 # ipa passwd tuser
>> New Password:
>> Enter New Password again to verify:
>> ------------------------------------
>> Changed password for "tuser at CL.ATIX"
>> ------------------------------------
>> 2. Login to another server via ssh:
>> $ ssh tuser at methusalix2
>> tuser at methusalix2's password:
>> Password expired. Change your password now.
>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user tuser.
>> Current Password:
>> New password:
>> Retype new password:
>> passwd: all authentication tokens updated successfully.
>> Connection to methusalix2 closed.
>> $ ssh tuser at methusalix2
>> tuser at methusalix2's password:
>> Permission denied, please try again.
>> tuser at methusalix2's password:
>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>> -bash-4.1$
>> => SSH Login works (Kerberos PW is set).
>> 3. Let's browse Samba:
>> $ smbclient -U tuser -L methusalix2
>> Enter tuser's password:
>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>
>> Any ideas what's going wrong?
> Uhmm, it seems one of the samba attributes has not been properly changed ...
Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set (=0).
I adapted it on a few users and the problem with the
NT_STATUS_PASSWORD_MUST_CHANGE went away.
Still the problem is what happens when they change their password again.
It looks like ldap passwd sync=yes should normally keep track of that.
Any ideas how I can get that running?

You also mentioned that one can use ldappasswd to get Samba to change
the passwords per user.
How should this be done?
passwd program = /usr/bin/ldappasswd ??

>
> This is IPA on RHEL6.3 ?
Yes RHEL6.3 plain.
>
> Can you check if the user has the attribute sambaPwdMustChange set ?
No not anywhere. See above (sambaPwdLastSet).
> Apparently the IPA password plugin does not touch it.
No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?
>
> Simo.
>
Marc.

-- 

Marc Grimme

E-Mail: grimme( at )atix.de

ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 |
85716 Unterschleissheim | www.atix.de | www.comoonics.org

Registergericht: Amtsgericht Muenchen, Registernummer: HRB 168930, USt.-Id.: 
DE209485962 | Vorstand: Marc Grimme, Mark Hlawatschek, Thomas Merz (Vors.) |
Vorsitzender des Aufsichtsrats: Dr. Martin Buss
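An added example, not code from the thread or from FreeIPA: a small Python check for the condition Marc found, which parses an LDIF dump of user entries, flags entries whose sambaPwdLastSet is missing or 0 (the state Samba reports as NT_STATUS_PASSWORD_MUST_CHANGE) or older than the last Kerberos password change, and builds the LDIF modify that refreshes the attribute. It assumes the entries also carry krbLastPwdChange (an IPA Kerberos attribute not mentioned in the thread) and runs on constructed sample data.

```python
import time
from datetime import datetime, timezone
# Constructed sample LDIF (not real data); the base DN is a placeholder.
SAMPLE_LDIF = """\
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
krbLastPwdChange: 20121011154147Z
sambaPwdLastSet: 0

dn: uid=fresh,cn=users,cn=accounts,dc=example,dc=test
krbLastPwdChange: 20121011154147Z
sambaPwdLastSet: 1349970200

dn: uid=stale,cn=users,cn=accounts,dc=example,dc=test
krbLastPwdChange: 20121011154147Z
sambaPwdLastSet: 1300000000
"""

def parse_ldif(text):
    """Minimal parser for plain 'attr: value' LDIF: {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None  # a blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def krb_time_to_epoch(value):
    """GeneralizedTime such as 20121011154147Z -> Unix epoch seconds (UTC)."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def find_stale(entries):
    """DNs with sambaPwdLastSet absent/0 (NT_STATUS_PASSWORD_MUST_CHANGE) or older than krbLastPwdChange."""
    stale = []
    for dn, attrs in entries.items():
        last_set = int(attrs.get("sambaPwdLastSet", ["0"])[0])
        krb = attrs.get("krbLastPwdChange")
        if last_set == 0 or (krb and last_set < krb_time_to_epoch(krb[0])):
            stale.append(dn)
    return stale

def fix_ldif(dn, now=None):
    """LDIF modify that records the Samba password as set at 'now' (epoch seconds)."""
    now = int(time.time()) if now is None else now
    return f"dn: {dn}\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: {now}\n"
```

Feed the output of fix_ldif to ldapmodify only for entries whose Samba hash has actually been resynchronised; setting the timestamp alone silences the error without fixing a stale hash.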