[Freeipa-users] Resynchronize Samba Password

Simo Sorce simo at redhat.com
Tue Oct 16 12:21:25 UTC 2012


On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> On 15.10.2012 15:50, Simo Sorce wrote:
> > On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> >> On 14.10.2012 23:14, Simo Sorce wrote:
> >>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> >>> Right I am ok with sambaPwdMustChange not being set. That's all good.
> >>> What about sambaPwdLastSet ?
> >> Not set when a user is created new.
> > It should be set when you give the user a password as long as the
> > sambaSamAccount objectclass is added to the user.
> >
> >> When I change the password:
> >> sambaPwdLastSet: 0
> > If this is when you set the password as an admin, it is expected.
> Ok, understood. But it should change when the user resets his/her
> password, right?
> And that is not happening.
> When the user sets his/her password the sambaPwdLastSet stays untouched.

That's odd, how does the user change the password ?

> >> Not working with samba!
> >> Need to apply my script (see below).
> > Let me ask one thing, are you changing the password as a user ?
> > Or have you tested only setting the password as admin ?
> I set the initial password as admin.
> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> requested to change his/her password. This works but the sambaPwdLastSet
> stays untouched.

Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?

> > If the latter this applies:
> > http://www.freeipa.org/page/NewPasswordsExpired
> Checked it. But that was my understanding nevertheless.
> >
> > I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
> >
> >
> > Simo.
> >
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
> -------------------
> Added user "tuser2"
> -------------------
>   User login: tuser2
>   First name: Test
>   Last name: User2
>   Full name: Test User2
>   Display name: Test User2
>   Initials: TU
>   Home directory: /home/tuser2
>   GECOS field: Test User2
>   Login shell: /bin/false
>   Kerberos principal: tuser2 at CL.ATIX
>   UID: 473000078
>   GID: 473000078
>   Password: False
>   Kerberos keys available: False
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> sambaSID
> SASL/GSSAPI authentication started
> SASL username: admin at CL.ATIX
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaSID: S-1-5-21-xx-xx-xx-assign
> 
> The following objectclasses are being set when creating a new user:
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> objectClass
> SASL/GSSAPI authentication started
> SASL username: admin at CL.ATIX
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: sambaSAMAccount
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> 
> Thanks for your help

Seems like a DNA bug ... then,

Nathan do you have any idea ?

-- 
Simo Sorce * Red Hat, Inc * New York
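
The two symptoms reported in this thread (a sambaSID still holding the literal "-assign" placeholder and a sambaPwdLastSet of 0 or absent) can be checked across many entries at once. The following is an added example, not part of the original message or of FreeIPA: the function names and the tuser1 values are constructed, and it assumes plain (non-base64) LDIF as printed by ldapsearch -LLL.

```python
import re

# Constructed sample: LDIF in the shape `ldapsearch -LLL` prints, using the
# attribute names from the thread. The tuser1 values are invented.
SAMPLE_LDIF = """\
dn: uid=tuser1,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: sambaSAMAccount
sambaSID: S-1-5-21-1111-2222-3333-1078
sambaPwdLastSet: 1350389000

dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: sambaSAMAccount
sambaSID: S-1-5-21-xx-xx-xx-assign
sambaPwdLastSet: 0
"""

def parse_ldif(text):
    """Return a list of entries as {lowercased attribute: [values]} dicts."""
    text = re.sub(r"\n ", "", text)  # unfold continuation lines (RFC 2849)
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and lines that are not "attr: value"
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Map dn -> findings for entries carrying the sambaSAMAccount class."""
    report = {}
    for e in entries:
        if "sambasamaccount" not in map(str.lower, e.get("objectclass", [])):
            continue
        findings = []
        sid = e.get("sambasid", [""])[0]
        # A resolved domain SID is S-1-5-21 plus three domain parts and a RID.
        if not re.fullmatch(r"S-1-5-21(-\d+){4}", sid):
            findings.append("sambaSID is not a resolved SID: %r" % sid)
        last_set = e.get("sambapwdlastset", ["missing"])[0]
        if last_set in ("missing", "0"):
            findings.append("sambaPwdLastSet is %s" % last_set)
        if findings:
            report[e["dn"][0]] = findings
    return report

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

A sambaPwdLastSet of 0 is reported in every case; as discussed above, it is expected directly after an admin sets the password and only indicates the bug if it persists after the user's own change.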



