[Freeipa-users] Resynchronize Samba Password

Nathan Kinder nkinder at redhat.com
Tue Oct 16 21:22:10 UTC 2012


On 10/16/2012 05:21 AM, Simo Sorce wrote:
> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
>> On 15.10.2012 15:50, Simo Sorce wrote:
>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>>> What about sambaPwdLastSet ?
>>>> Not set when a user is created new.
>>> It should be set when you give the user a password as long as the
>>> sambaSamAccount objectclass is added to the user.
>>>
>>>> When I change the password:
>>>> sambaPwdLastSet: 0
>>> If this is when you set the password as an admin, it is expected.
>> Ok, understood. But it should change when the user resets his/her
>> password, right?
>> And that is not happening.
>> When the user sets his/her password the sambaPwdLastSet stays untouched.
> That's odd, how does the user change the password ?
>
>>>> Not working with samba!
>>>> Need to apply my script (see below).
>>> Let me ask one thing, are you changing the password as a user ?
>>> Or have you tested only setting the password as admin ?
>> I set the initial password as admin.
>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
>> requested to change his/her password. This works but the sambaPwdLastSet
>> stays untouched.
> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
>
>>> If the latter this applies:
>>> http://www.freeipa.org/page/NewPasswordsExpired
>> Checked it. But that was my understanding nevertheless.
>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>>
>>>
>>> Simo.
>>>
>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
>> -------------------
>> Added user "tuser2"
>> -------------------
>>    User login: tuser2
>>    First name: Test
>>    Last name: User2
>>    Full name: Test User2
>>    Display name: Test User2
>>    Initials: TU
>>    Home directory: /home/tuser2
>>    GECOS field: Test User2
>>    Login shell: /bin/false
>>    Kerberos principal: tuser2 at CL.ATIX
>>    UID: 473000078
>>    GID: 473000078
>>    Password: False
>>    Kerberos keys available: False
>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>> sambaSID
>> SASL/GSSAPI authentication started
>> SASL username: admin at CL.ATIX
>> SASL SSF: 56
>> SASL data security layer installed.
>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>> sambaSID: S-1-5-21-xx-xx-xx-assign
>>
>> The following objectclasses are being set when creating a new user:
>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>> objectClass
>> SASL/GSSAPI authentication started
>> SASL username: admin at CL.ATIX
>> SASL SSF: 56
>> SASL data security layer installed.
>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: sambaSAMAccount
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>>
>> Thanks for your help
> Seems like a DNA bug ... then,
>
> Nathan do you have any idea ?
What DNA configuration is used?

-NGK
>