[Freeipa-users] Resynchronize Samba Password

Simo Sorce simo at redhat.com
Tue Oct 16 21:40:56 UTC 2012


On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
> On 10/16/2012 05:21 AM, Simo Sorce wrote:
> > On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> >> On 15.10.2012 15:50, Simo Sorce wrote:
> >>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> >>>> On 14.10.2012 23:14, Simo Sorce wrote:
> >>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> >>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
> >>>>> What about sambaPwdLastSet ?
> >>>> Not set when a user is created new.
> >>> It should be set when you give the user a password as long as the
> >>> sambaSamAccount objectclass is added to the user.
> >>>
> >>>> When I change the password:
> >>>> sambaPwdLastSet: 0
> >>> If this is when you set the password as an admin, it is expected.
> >> Ok, understood. But it should change when the user resets his/her
> >> password, right?
> >> And that is not happening.
> >> When the user sets his/her password the sambaPwdLastSet stays untouched.
> > That's odd, how does the user change the password ?
> >
> >>>> Not working with samba!
> >>>> Need to apply my script (see below).
> >>> Let me ask one thing, are you changing the password as a user ?
> >>> Or have you tested only setting the password as admin ?
> >> I set the initial password as admin.
> >> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> >> requested to change his/her password. This works but the sambaPwdLastSet
> >> stays untouched.
> > Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
> >
> >>> If the latter this applies:
> >>> http://www.freeipa.org/page/NewPasswordsExpired
> >> Checked it. But that was my understanding nevertheless.
> >>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
> >>>
> >>>
> >>> Simo.
> >>>
> >> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
> >> -------------------
> >> Added user "tuser2"
> >> -------------------
> >>    User login: tuser2
> >>    First name: Test
> >>    Last name: User2
> >>    Full name: Test User2
> >>    Display name: Test User2
> >>    Initials: TU
> >>    Home directory: /home/tuser2
> >>    GECOS field: Test User2
> >>    Login shell: /bin/false
> >>    Kerberos principal: tuser2 at CL.ATIX
> >>    UID: 473000078
> >>    GID: 473000078
> >>    Password: False
> >>    Kerberos keys available: False
> >> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" sambaSID
> >> SASL/GSSAPI authentication started
> >> SASL username: admin at CL.ATIX
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> >> sambaSID: S-1-5-21-xx-xx-xx-assign
> >>
> >> The following objectclasses are being set when creating a new user:
> >> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" objectClass
> >> SASL/GSSAPI authentication started
> >> SASL username: admin at CL.ATIX
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalperson
> >> objectClass: inetorgperson
> >> objectClass: inetuser
> >> objectClass: posixaccount
> >> objectClass: krbprincipalaux
> >> objectClass: krbticketpolicyaux
> >> objectClass: ipaobject
> >> objectClass: sambaSAMAccount
> >> objectClass: ipasshuser
> >> objectClass: ipaSshGroupOfPubKeys
> >> objectClass: mepOriginEntry
> >>
> >> Thanks for your help
> > Seems like a DNA bug ... then,
> >
> > Nathan do you have any idea ?
> What DNA configuration is used?

From a previous mail this looks to be the config.

Marc is this still correct ?

Although my configuration looks ok, doesn't it?
# ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
Enter LDAP Password:
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-1310149461-105972258-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=atix,dc=cl
cn: SambaSid
dnanextvalue: 15400

-- 
Simo Sorce * Red Hat, Inc * New York
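
An added example, not part of the original message and not FreeIPA or 389 Directory Server code: a small Python check of the two selection conditions in the DNA configuration quoted above, namely that the entry lies in the subtree named by dnascope and that it matches dnafilter. The helper names are hypothetical, the DN handling assumes no escaped commas, the filter evaluator handles only &, |, ! and equality tests, and the input values are copied from the ldapsearch output in this thread (objectClass list shortened).

```python
import re

def rdns(dn):  # normalized RDN list; assumes no escaped commas in the DN
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(",")]

def in_scope(entry_dn, scope_dn):
    """True if entry_dn is scope_dn itself or lies in the subtree below it."""
    e, s = rdns(entry_dn), rdns(scope_dn)
    return len(e) >= len(s) and e[len(e) - len(s):] == s

def _parse(s):  # returns (predicate, unparsed remainder)
    if not s.startswith("("):
        raise ValueError("expected '(' at: %r" % s)
    s = s[1:]
    if s[:1] in ("&", "|"):
        combine, s, kids = (all if s[0] == "&" else any), s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        node = lambda a: combine(k(a) for k in kids)
    elif s[:1] == "!":
        kid, s = _parse(s[1:])
        node = lambda a: not kid(a)
    else:  # equality test only; presence and substring filters are not handled
        item, s = s.split(")", 1)
        name, value = (x.strip().lower() for x in item.split("=", 1))
        return (lambda a: value in [v.lower() for v in a.get(name, [])]), s
    if not s.startswith(")"):
        raise ValueError("expected ')' at: %r" % s)
    return node, s[1:]

def matches(flt, attrs):
    """Evaluate flt against attrs (lower-case attribute name -> list of values)."""
    node, rest = _parse(flt.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node(attrs)

# Values copied from the ldapsearch output in the thread (objectClass list shortened).
ENTRY_DN = "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
ENTRY_ATTRS = {"objectclass": ["top", "person", "posixaccount", "sambaSAMAccount"]}
DNA_SCOPE = "dc=atix,dc=cl"
DNA_FILTER = "(|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))"

def dna_applies(entry_dn, attrs, scope, flt):
    return {"in_scope": in_scope(entry_dn, scope), "filter_match": matches(flt, attrs)}

if __name__ == "__main__":
    print(dna_applies(ENTRY_DN, ENTRY_ATTRS, DNA_SCOPE, DNA_FILTER))
```

With the values shown in the thread the filter matches and the scope test does not: the entry DN ends in dc=cl,dc=atix while dnascope reads dc=atix,dc=cl.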