[Freeipa-users] IPA 3.0 RHEL 6.4

Zach Musselman mussz624 at robertmorris.edu
Fri Oct 4 14:34:28 UTC 2013


Hello,

My company is having issues with our current install of IPA on RHEL 6.4.

** We had group patches that worked with IPA 2.2.0 and allowed us to enter
samba groups directly in the IPA web interface.  Red Hat is unable to
confirm these patches are updated for IPA 3.0 RHEL 6.4 even though their
Red Hat consultant created these a year ago.


** IPA password policy (history, length, complexity, etc.) enforcement

Our current versions are not allowing the IPA password policy to work with
Samba.  My Windows users are able to change their password either MANUALLY
or WHEN FORCED to reset via the IPA interface.  However, none of the
password history, length, complexity and so on are enforced with Samba and
users are able to either keep the same password or change it to anything
they want without restrictions.


** Samba password change also changing correctly the IPA expiration date so
IPA can successfully reset the (sambaPwdLastSet: 0) value upon 90 days
since last password change

If we manually run ldapmodify and change the value of sambaPwdLastSet to
equal 0, this correctly forces the end user to change their password in
Windows.

The issue though is their IPA password expiration date listed in the
interface isn't correctly showing the amount of days to expire NEXT.  I
have a test user that has a password policy of 1 day expiration.  I would
expect this user to show an expiration date of the next day after password
change but for some reason it always keeps showing about 90 days out, which
is my default policy for all users.

I need to be able to test that IPA is correctly expiring the password after
1 day so that I know in 90 days my other users will receive the same
expiration.

For most of this year password expiration was not working and IPA is
showing a password expiration of months ago when their password should have
expired (samba never prompted for this change).  Since we updated to IPA
3.0, I'm hoping that when I reset their sambaPwdLastSet to 0 that IPA will
start enforcing a 90 day expiration again.


Any help you can provide on these issues would be greatly appreciated!

Also, what would you recommend for future IPA versions and Samba?  Will
RHEL 6.5 include a newer version of IPA that will work and integrate better
with Samba?  Or should we start looking at other options that integrate our
password features more as they are needed, like Samba 4?

Thanks again!


-- 
Zach
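
The check the post asks for (a 1-day policy user still showing about 90 days) can be scripted against an ldapsearch dump of the user entry. This is an added example, not part of the original message or FreeIPA's own code. The krbLastPwdChange and krbPasswordExpiration attribute names, the rule that expiration equals last change plus the policy's maximum lifetime, and the sample entry are assumptions based on the standard FreeIPA and Samba schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entry (not from the post), shaped like ldapsearch output.
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20131003140000Z
krbPasswordExpiration: 20140101140000Z
sambaPwdLastSet: 1380808800
"""

def parse_entry(ldif):
    """Parse one unwrapped, single-valued LDIF entry into a dict."""
    entry = {}
    for line in ldif.splitlines():
        if ": " in line and not line.startswith("#"):
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
    return entry

def gtime(value):
    """Convert an LDAP GeneralizedTime string (UTC, 'Z' suffix) to datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_expiry(entry, max_life_days, tolerance=timedelta(minutes=5)):
    """Return a list of findings; an empty list means the entry is consistent."""
    findings = []
    changed = gtime(entry["krbLastPwdChange"])
    expires = gtime(entry["krbPasswordExpiration"])
    # Assumption: expiration = last change + the policy's maximum lifetime.
    expected = changed + timedelta(days=max_life_days)
    if abs(expires - expected) > tolerance:
        findings.append(
            f"expires {expires:%Y-%m-%d}, expected {expected:%Y-%m-%d}: "
            f"{(expires - changed).days} days instead of {max_life_days}")
    samba = int(entry.get("sambaPwdLastSet", "0"))
    if samba == 0:
        findings.append("sambaPwdLastSet is 0: Windows forces a change at next logon")
    elif abs(datetime.fromtimestamp(samba, timezone.utc) - changed) > tolerance:
        findings.append("sambaPwdLastSet and krbLastPwdChange are out of sync")
    return findings

if __name__ == "__main__":
    for finding in check_expiry(parse_entry(SAMPLE_LDIF), max_life_days=1):
        print(finding)
```

Run it on an entry captured after the user changes their own password, passing the maximum lifetime of the policy that should apply to that user.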