[Freeipa-users] Resynchronize Samba Password

Simo Sorce simo at redhat.com
Sun Oct 14 21:14:01 UTC 2012


On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:

> After me switching to
> ldap passwd sync = only
> I cannot see it changing the values if already set.
> But for new users it might not be set. As I have some without these
> attributes set.
> If I create a new user (say tuser2) as follows:
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
> -------------------
> Added user "tuser2"
> -------------------
>   User login: tuser2
>   First name: Test
>   Last name: User2
>   Full name: Test User2
>   Display name: Test User2
>   Initials: TU
>   Home directory: /home/tuser2
>   GECOS field: Test User2
>   Login shell: /bin/false
>   Kerberos principal: tuser2 at CL.ATIX
>   UID: 473000074
>   GID: 473000074
>   Password: False
>   Kerberos keys available: False
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> 
> That attribute is not set.

Right, I am ok with sambaPwdMustChange not being set. That's all good.
What about sambaPwdLastSet ?

> Then I'll set a temporary password:
> 
> # ipa passwd tuser2
> New Password:
> Enter New Password again to verify:
> -------------------------------------
> Changed password for "tuser2 at CL.ATIX"
> -------------------------------------
> 
> I'll change the temporary password:
> 
> $ ssh tuser2 at methusalix2
> tuser2 at methusalix2's password:
> Password expired. Change your password now.
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser2.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
> 
> I can login via ssh:
> $ ssh  tuser2 at methusalix2
> tuser2 at methusalix2's password:
> Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix
> 
> And the ldap attribute is still not set:
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> 
> So the access via samba fails:
> $ smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> 
> When I fix the attribute manually:
> # bash ~/add-sambapwdlastset2user.sh tuser2
> Wrong value. Modifying to proper one..
> SASL/GSSAPI authentication started
> SASL username: admin at CL.ATIX
> SASL SSF: 56
> SASL data security layer installed.
> modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

Which attribute are you 'fixing' ?
And how ?

Can you show me the specific attribute you are 'fixing' before/after
the password change and before/after the 'fix' ?

> I can access samba as follows:
> smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
> 
>     Sharename       Type      Comment
> ..
> 
> So the initial setup seems to be the problem, right?

There seems to be an issue somewhere indeed, we need to narrow down to
the exact change, then I can look in the code and see what's going on in
there, as sambaPwdLastSet should be changed by the code.

> Besides:
> It also looks like the Distributed Numeric Assignment Plugin seems to
> be not working. As I always have to manually specify the SID of the user:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305

See Rob's answer for this.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
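Added example (not from this thread and not Marc's add-sambapwdlastset2user.sh): an audit that parses the LDIF `ldapsearch -LLL ... sambaSID sambaPwdLastSet` would print for the users subtree, lists Samba-enabled accounts (those carrying a sambaSID) that lack sambaPwdLastSet, i.e. the state that makes smbclient fail with NT_STATUS_PASSWORD_MUST_CHANGE, and builds the ldapmodify input that stamps the attribute. The LDIF below is constructed; stamping the current epoch time is an assumption about what "proper value" means, so confirm it against your Samba setup before applying.

```python
import time

# Constructed sample of what ldapsearch -LLL prints for three users; tuser2
# mirrors the thread: it has a sambaSID but no sambaPwdLastSet.
SAMPLE_LDIF = """\
dn: uid=tuser1,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-1310149461-105972258-15301
sambaPwdLastSet: 1350051266

dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-1310149461-105972258-15305

dn: uid=nosamba,cn=users,cn=accounts,dc=cl,dc=atix
"""


def parse_ldif(text):
    """Return a list of entries; each is a dict with 'dn' plus attr -> [values]."""
    entries, attrs = [], None
    # LDIF folds long values onto lines that start with a single space.
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():                  # blank line ends an entry
            if attrs is not None:
                entries.append(attrs)
                attrs = None
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            attrs = {"dn": value}
        elif attrs is not None:
            attrs.setdefault(key, []).append(value)
    if attrs is not None:                     # last entry without trailing blank
        entries.append(attrs)
    return entries


def missing_pwd_last_set(entries):
    """DNs of users that have a sambaSID but no sambaPwdLastSet at all."""
    return [e["dn"] for e in entries
            if "sambaSID" in e and "sambaPwdLastSet" not in e]


def fix_ldif(dn, now=None):
    """ldapmodify input that sets sambaPwdLastSet (assumed: current epoch)."""
    stamp = int(time.time()) if now is None else int(now)
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: sambaPwdLastSet\nsambaPwdLastSet: {stamp}\n")


if __name__ == "__main__":
    for dn in missing_pwd_last_set(parse_ldif(SAMPLE_LDIF)):
        print(fix_ldif(dn))
```

Run it against real output by replacing SAMPLE_LDIF with the ldapsearch result, and review the generated LDIF before feeding it to ldapmodify.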



