[Freeipa-users] Resynchronize Samba Password

Simo Sorce simo at redhat.com
Tue Oct 16 22:00:04 UTC 2012


On Tue, 2012-10-16 at 14:51 -0700, Nathan Kinder wrote:
> On 10/16/2012 02:40 PM, Simo Sorce wrote:
> > On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
> >> On 10/16/2012 05:21 AM, Simo Sorce wrote:
> >>> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> >>>> On 15.10.2012 15:50, Simo Sorce wrote:
> >>>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> >>>>>> On 14.10.2012 23:14, Simo Sorce wrote:
> >>>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> >>>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
> >>>>>>> What about sambaPwdLastSet ?
> >>>>>> Not set when a user is created new.
> >>>>> It should be set when you give the user a password as long as the
> >>>>> sambaSamAccount objectclass is added to the user.
> >>>>>
> >>>>>> When I change the password:
> >>>>>> sambaPwdLastSet: 0
> >>>>> If this is when you set the password as an admin, it is expected.
> >>>> Ok, understood. But it should change when the user resets his/her
> >>>> password, right?
> >>>> And that is not happening.
> >>>> When the user sets his/her password the sambaPwdLastSet stays untouched.
> >>> That's odd, how does the user change the password ?
> >>>
> >>>>>> Not working with samba!
> >>>>>> Need to apply my script (see below).
> >>>>> Let me ask one thing, are you changing the password as a user ?
> >>>>> Or have you tested only setting the password as admin ?
> >>>> I set the initial password as admin.
> >>>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> >>>> requested to change his/her password. This works but the sambaPwdLastSet
> >>>> stays untouched.
> >>> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
> >>>
> >>>>> If the latter this applies:
> >>>>> http://www.freeipa.org/page/NewPasswordsExpired
> >>>> Checked it. But that was my understanding nevertheless.
> >>>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
> >>>>>
> >>>>>
> >>>>> Simo.
> >>>>>
> >>>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> >>>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign

> I think that this needs to be --setattr=assign.  The prefix should not 
> be included when specifying the magic value to trigger generation.

Nathan, you were not included in the previous mails, but options have
been tried and they seem to fail the same way (i.e. the actual passed in
value is stored instead of generating a new value).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
