[Freeipa-users] IPA 3.0 RHEL 6.4

Dmitri Pal dpal at redhat.com
Fri Oct 4 15:14:01 UTC 2013 

On 10/04/2013 10:34 AM, Zach Musselman wrote:
> Hello,
>
> My company is having issues with our current install of IPA on RHEL 6.4.
>
> ** We had group patches that worked with IPA 2.2.0 and allowed us to
> enter samba groups directly in the IPA web interface.  Red Hat is
> unable to confirm these patches are updated for IPA 3.0 RHEL 6.4 even
> though their Red Hat consultant created these a year ago.
>
>
> ** IPA password policy (history, length, complexity, etc.) enforcement
>
> Our current versions are not allowing the IPA password policy to work
> with Samba.  My Windows users are able to change their password either
> MANUALLY or WHEN FORCED to reset via the IPA interface.  However, non
> of the password history, length, complexity and so on are enforced
> with Samba and users are able to either keep the same password or
> change it to anything they want without restrictions.
>
>
> ** Samba password change also changing correctly the IPA expiration
> date so IPA can successfully reset the (sambaPwdLastSet: 0) value upon
> 90 days since last password change
>
> If we manually run ldapmodify and change the value of sambaPwdLastSet
> to equal 0, this correctly forces the end user to change their
> password in Windows.
>
> The issue though is their IPA password expiration date listed in the
> interface isn't correctly showing the amount of days to expire NEXT. 
> I have a test user that has a password policy of 1 day expiration.  I
> would expect this user to show an expiration date of the next day
> after password change but for some reason it always keeps showing
> about 90 days out, which is my default policy for all users.
>
> I need to be able to test that IPA is correctly expiring the password
> after 1 day so that I know in 90 days my other users will receive the
> same expiration.
>
> For most of this year password expiration was not working and IPA is
> showing a password expiration of months ago when their password should
> have expired (samba never prompted for this change).  Since we updated
> to IPA 3.0, I'm hoping that when I reset their sambaPwdLastSet to 0
> that IPA will start enforcing a 90 day expiration again.
>
>
> Any help you can provide on these issues would be greatly appreciated!
>
> Also, what would you recommend for future IPA versions and Samba? 
> Will RHEL 6.5 include a newer version of IPA that will work and
> integrate better with Samba?  Or should we start looking at other
> options that integrate our password features more as they are needed,
> like Samba 4?
>
> Thanks again!
>

Hello,

We would be glad to help you but it is unclear what kind of setup you
have. It is definitely something custom made that was created based on
your requirements and not exactly usual use case we see in the community.
So let us understand what we are talking about .
Haw are you using Samba? As a file server, as a NT style DC or you are
talking about Winbind?
If you are using FreeIPA DS as a back end DS store for Samba then this
something we did not try nor can guarantee would work between the IPA
upgrades.

Based on your comment above it looks like that you are trying to use
Windows clients with Samba NT style DC that uses IPA as its back end store.
If it is the case it is not something that we support upstream or
recommend. And the main reason is that we anticipate it to be very
fragile and hard to maintain (and your experience above proves that).

So in the current situation the best would be to understand the
requirements and see what is the best solution we can recommend based on
the tools we have.

Sorry that you went through such experience, it must be really
frustrating. We will try to help the best we can.


Thanks
Dmitri

>
> -- 
> Zach
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20131004/46147fdd/attachment.htm>

More information about the Freeipa-users mailing list