[Freeipa-users] IPA 3.0 RHEL 6.4

Loris Santamaria loris at lgs.com.ve
Wed Oct 9 18:28:43 UTC 2013


On Tue, 08-10-2013 at 12:55 -0500, Zachary Musselman wrote:
> Hi Loris,
> 
> 
> Thanks for the quick and informational response.
> 
> 
> I'm going to ask for a little hand holding here.  I'm not well versed
> in LDAP or IPA.
> ********************************************************************************************
> 
> 
> >>>>>>>> How would I use ldapsearch to check that this value is
> correctly set already?  I have already set "ldap passwd sync = only" in
> smb.conf as recommended by our Red Hat Consultant.

With a simple ldapsearch:

ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=ipa_pwd_extop

> >>>>>>>> Where can I find that patch that is needed to correctly set
> the sambaPwdLastSet attribute?

Looking back at the code I see that ipa_pwd_extop already sets the
sambaPwdLastSet attribute if the user has the sambaSamAccount
objectClass, thus the patch is simply this:

--- freeipa-2.1.3/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c.orig	2012-06-29 11:33:14.578905152 -0430
+++ freeipa-2.1.3/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c	2012-06-29 15:21:49.228789490 -0430
@@ -440,7 +440,7 @@
 
         for (i = 0; i < krbcfg->num_passsync_mgrs; i++) {
             if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) {
-                pwdata.changetype = IPA_CHANGETYPE_DSMGR;
+                pwdata.changetype = IPA_CHANGETYPE_NORMAL;
                 break;
             }
         }
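Review bot: the change at `pwdata.changetype = IPA_CHANGETYPE_NORMAL;` applies to every DN in krbcfg->passsync_mgrs, so any Windows Sync agreement whose bind DN is also listed there has its password updates handled as normal user changes rather than DSMGR changes; the covering text names this as the reason not to use the patch together with an Active Directory synchronization agreement. Rather than repurposing the passsync manager list, key the NORMAL treatment off a separate configuration attribute that names the Samba bind DN, and add a comment above the loop explaining why a bind as that DN is treated as a normal change, since the loop otherwise reads as the unchanged passsync-manager logic.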

Please note that this patch is for ipa 2.2 but it shouldn't be difficult
to adapt it to ipa 3.0. What the patch does is manage password changes
by samba as normal user password changes so as to enforce password
policies.

As the patch is (ab)using the "Passsync Managers" feature of
ipa_pwd_extop I wouldn't recommend its use if you have a user
synchronization agreement with Active Directory.

Best regards

>      To have some correspondence between IPA password policies and samba
>      password policies you need to:
> 
>      1. Create a sufficiently privileged "bind user" in ipa and have
>         samba connect to IPA using that "bind user". For example
>         uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,dc=com
>      2. To have password changes in windows work as normal user password
>         changes (instead of password resets) you must add the above
>         "bind user" to the "passsyncmanagersdn" attribute of the
>         ipa_pwd_extop plugin configuration. Similar to what is explained
>         here:
> 
>   http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html
>      3. Samba should not mess with password expiration attributes in
>         ldap, so you should set "ldap passwd sync = only" in smb.conf
>      4. You need a small patch in the ipa_pwd_extop plugin to have it
>         set the sambaPwdLastSet attributes on password changes
>      5. Samba password policies (Maximum password duration, minimum
>         password duration) should match the IPA password policies
> 
> 
> >>>>>>>>>  Below are the patches I received from our Red Hat
> consultant.  Is this similar to what you're talking about?
> 
> 
> 
> 
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> 
> --- group.js.orig	2012-06-25 11:59:02.789096058 -0700
> +++ group.js	2012-06-25 12:02:47.669143612 -0700
> @@ -37,7 +37,8 @@
>              columns: [
>                  'cn',
>                  'gidnumber',
> -                'description'
> +                'description',
> +                'sambagrouptype'
>              ]
>          }).
>          details_facet({
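Review bot: the new `'sambagrouptype'` search column will display the raw stored integer, whereas the add dialog later in this same patch presents the values as 'Domain' (2) and 'Local' (4); give the column a formatter or label map so the list view shows the same names as the dialog.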
> @@ -50,7 +51,8 @@
>                              type: 'textarea',
>                              name: 'description'
>                          },
> -                        'gidnumber'
> +                        'gidnumber',
> +			'sambagrouptype'
>                      ]
>                  }
>              ]
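Review bot: the added `'sambagrouptype'` line in the details facet is indented with a tab while the neighbouring lines use spaces; match the file's indentation. Also, as a bare string the field renders as a free text box, unlike the select widget the adder dialog uses, so editing an existing group accepts any value; reuse the same select widget definition here.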
> @@ -116,6 +118,14 @@
>                      label: IPA.messages.objects.group.posix,
>                      checked: true
>                  },
> +                {
> +                    factory: IPA.select_widget,
> +                    name: 'sambagrouptype',
> +                    label: IPA.messages.objects.group.sambagrouptype,
> +                    options: [
> +                        {label: 'Domain', value: 2},
> +                        {label: 'Local', value: 4}]
> +                },
>                  'gidnumber'
>              ]
>          });
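Review bot: `label: IPA.messages.objects.group.sambagrouptype` refers to a message key that this patch does not add to the UI's message catalog, so the label is undefined at render time; add the string where the other group labels (for example `group.posix`, used in the context lines above) are defined.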
> 
> 
> ----------------------------------------------------------------------------------------------------------------------------
> 
> --- group.py.orig	2012-06-25 12:06:13.265838223 -0700
> +++ group.py	2012-06-25 12:06:19.513906111 -0700
> @@ -102,7 +102,7 @@
>  
>      takes_params = (
>          Str('cn',
> -            pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$',
> +            pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_. -]{0,252}[a-zA-Z0-9_.$-]?$',
>              pattern_errmsg='may only include letters, numbers, _, -, . and $',
>              maxlength=255,
>              cli_name='group_name',
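Review bot: the new pattern `'^[a-zA-Z0-9_.][a-zA-Z0-9_. -]{0,252}[a-zA-Z0-9_.$-]?$'` admits a space inside the group name, but `pattern_errmsg='may only include letters, numbers, _, -, . and $'` is unchanged and no longer describes what is accepted; update the message (and say that a space cannot be the first or last character) so CLI users get an accurate error.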
> @@ -121,6 +121,13 @@
>              doc=_('GID (use this option to set it manually)'),
>              minvalue=1,
>          ),
> +        Int('sambagrouptype',
> +            cli_name='sgt',
> +            label=_('Samba Group Type'),
> +            doc=_('Samba Group Type (default is 2)'),
> +            default=2,
> +            autofill=True,
> +        ),
>      )
>  
>  api.register(group)
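Review bot: `Int('sambagrouptype', ...)` accepts any integer via the `--sgt` option, while the Web UI part of this patch only offers 2 (Domain) and 4 (Local); add bounds or an explicit allowed-value check (the `gidnumber` parameter just above already uses `minvalue=1`, so the framework supports constraints here) so that a stray value cannot be stored from the command line.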
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> 
> 
> 
> On Tue, Oct 8, 2013 at 12:15 PM, Loris Santamaria <loris at lgs.com.ve>
> wrote:
>         On Tue, 08-10-2013 at 09:25 -0500, Zachary Musselman wrote:
>         > Hello Dmitri,
>         >
>         > We are currently using Samba as a file server and a DC with NT style
>         > domain for our Windows clients.  IPA is the password backend for
>         > Samba.
>         >
>         > Our Red Hat consultant originally had the following items working when
>         > this system was installed last year.
>         >
>         > ** Ability to add groups in the IPA web interface for samba
>         >
>         > I have these patches and need to make sure that they work with IPA 3.0
>         > and RHEL 6.4 before I apply them.
>         
>         
>         Those patches surely could be adapted without much work. The web
>         interface for groups has not changed much between IPA 2.2 and 3.0
>         
>         Anyway, there is not a real need to patch the web interface to have IPA
>         add the objectClasses (sambaGroupMapping) and attributes (sambaSID and
>         sambaGroupType) required by Samba. I've done this for some customers
>         adding a DNA plugin configuration for sambaSID and extending the IPA
>         group object to add the objectclass and sambagrouptype, as explained in
>         http://abbra.fedorapeople.org/guide.html#sec-4. No need to patch the Web
>         UI here.
>         
>         > ** We have a default password policy of 90 days expiration.  This
>         > policy also has complexity, history, length, etc.
>         >
>         > Early this year that 90 day expiration stopped working and my Windows
>         > users were no longer receiving a "must change password" notice.  We
>         > were hoping the update to RHEL 6.4 and IPA 3.0 would fix this but it
>         > has not.  Currently my users are showing an EXPIRATION in IPA of
>         > June/July or so time frame.  Back in April we manually changed all
>         > user's passwords to a temporary.  That prompted them to login and
>         > change their password, hoping this would kickstart the 90 day
>         > expiration again.  That was NOT successful.
>         >
>         > At a MINIMUM we are needing to correctly have IPA expire a user's
>         > password and allow Samba to understand that as well based on the
>         > password policy IPA shows for a given user.
>         
>         
>         To have some correspondence between IPA password policies and samba
>         password policies you need to:
>         
>              1. Create a sufficiently privileged "bind user" in ipa and have
>                 samba connect to IPA using that "bind user". For example
>                 uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,dc=com
>              2. To have password changes in windows work as normal user password
>                 changes (instead of password resets) you must add the above
>                 "bind user" to the "passsyncmanagersdn" attribute of the
>                 ipa_pwd_extop plugin configuration. Similar to what is explained
>                 here:
>         
>         http://www.freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server.html
>              3. Samba should not mess with password expiration attributes in
>                 ldap, so you should set "ldap passwd sync = only" in smb.conf
>              4. You need a small patch in the ipa_pwd_extop plugin to have it
>                 set the sambaPwdLastSet attributes on password changes
>              5. Samba password policies (Maximum password duration, minimum
>                 password duration) should match the IPA password policies
>         
>         At least that is the route we took with customers and it has worked
>         fairly well.
>         
>         > I have a test user who has a 2nd password policy we created.  That
>         > user has 1 day expiration within IPA.  When I change the following
>         > value using ldapmodify, it CORRECTLY makes Samba prompt the user to
>         > change their password when logging in the next time.  When I change
>         > this test password, IPA resets the EXPIRATION DATE to 90 days out and
>         > not 1 day from the time password was changed.
>         
>         
>         Probably samba is connecting to IPA with an admin user and password
>         changes end up being done by IPA as password resets. See point 2 above.
>         
>         > A third item we need fixed if possible, is the ability to enforce
>         > password complexity, history, length, etc. through Samba based on what
>         > IPA shows for a user's password policy.  I cannot confirm if this WAS
>         > working or not after it was initially installed.  I guess you or Rob
>         > would be the individuals who could tell me what is possible to enable
>         > this feature.
>         
>         
>         We've done it manually (with pdbedit -P) and after that everything works
>         ok, password history, password length, password duration and complexity,
>         all match between samba and IPA.
>         
>         Hope it helps.
>         
>         
>         > On Fri, Oct 4, 2013 at 9:56 AM, Rob Crittenden <rcritten at redhat.com>
>         > wrote:
>         >         Zach Musselman wrote:
>         >                 Hello,
>         >
>         >                 My company is having issues with our current install
>         >                 of IPA on RHEL 6.4.
>         >
>         >                 ** We had group patches that worked with IPA 2.2.0 and
>         >                 allowed us to enter samba groups directly in the IPA
>         >                 web interface.  Red Hat is unable to confirm these
>         >                 patches are updated for IPA 3.0 RHEL 6.4 even though
>         >                 their Red Hat consultant created these a year ago.
>         >
>         >         I'm not clear what you mean by updated for IPA 3.0.  Are you
>         >         asking the patches to be rebased?
>         >
>         >         It is also unclear if things were working properly with 2.2.0
>         >         and broke with 3.0, or if these things never worked, or
>         >         something else.
>         >
>         >
>         >                 ** IPA password policy (history, length, complexity,
>         >                 etc.) enforcement
>         >
>         >                 Our current versions are not allowing the IPA password
>         >                 policy to work with Samba.  My Windows users are able
>         >                 to change their password either MANUALLY or WHEN
>         >                 FORCED to reset via the IPA interface.  However, none
>         >                 of the password history, length, complexity and so on
>         >                 are enforced with Samba and users are able to either
>         >                 keep the same password or change it to anything they
>         >                 want without restrictions.
>         >
>         >         Can you be more specific about where the password changes are
>         >         happening? What do you mean by manually? Changing it via the UI
>         >         should apply password policy because that is really
>         >         independent of any Samba changes that have been made.
>         >
>         >
>         >                 ** Samba password change also changing correctly the
>         >                 IPA expiration date so IPA can successfully reset the
>         >                 (sambaPwdLastSet: 0) value upon 90 days since last
>         >                 password change
>         >
>         >                 If we manually run ldapmodify and change the value of
>         >                 sambaPwdLastSet to equal 0, this correctly forces the
>         >                 end user to change their password in Windows.
>         >
>         >                 The issue though is their IPA password expiration date
>         >                 listed in the interface isn't correctly showing the
>         >                 amount of days to expire NEXT.  I have a test user that
>         >                 has a password policy of 1 day expiration.  I would
>         >                 expect this user to show an expiration date of the next
>         >                 day after password change but for some reason it
>         >                 always keeps showing about 90 days out, which is my
>         >                 default policy for all users.
>         >
>         >                 I need to be able to test that IPA is correctly
>         >                 expiring the password after 1 day so that I know in 90
>         >                 days my other users will receive the same expiration.
>         >
>         >                 For most of this year password expiration was not
>         >                 working and IPA is showing a password expiration of
>         >                 months ago when their password should have expired
>         >                 (samba never prompted for this change).  Since we
>         >                 updated to IPA 3.0, I'm hoping that when I reset their
>         >                 sambaPwdLastSet to 0 that IPA will start enforcing a 90
>         >                 day expiration again.
>         >
>         >         I don't really know much about how Windows/Samba does password
>         >         expiration, but IPA has no process to look at the last set
>         >         date, compare that to the policy, and reset sambaPwdLastSet.
>         >         Is that what you're expecting?
>         >
>         >
>         >                 Any help you can provide on these issues would be
>         >                 greatly appreciated!
>         >
>         >                 Also, what would you recommend for future IPA versions
>         >                 and Samba?  Will RHEL 6.5 include a newer version of
>         >                 IPA that will work and integrate better with Samba?  Or
>         >                 should we start looking at other options that integrate
>         >                 our password features more as they are needed, like
>         >                 Samba 4?
>         >
>         >         There are no Samba integration changes made that I know of.
>         >
>         >         rob
>         >
>         >
>         >
>         
> 
> 

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
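Two of the checks this thread turns on, written up as an added Python example that is not part of the thread and not FreeIPA's own code: first, whether a given bind DN is actually listed in passSyncManagersDN of the cn=ipa_pwd_extop,cn=plugins,cn=config entry (what the ldapsearch above returns); second, whether a user's krbPasswordExpiration and sambaPwdLastSet agree with krbLastPwdChange plus the policy's maximum lifetime (the 1-day test user whose expiration kept showing 90 days out). The LDIF samples are constructed to look like ldapsearch output, including a folded continuation line and the trailing "search:/result:" lines; the attribute names are the ones IPA and the Samba schema use, and the policy lifetime (krbMaxPwdLife, stored in seconds) is passed in as a number rather than read from the policy entry. The 60-second tolerance and the special case for sambaPwdLastSet = 0 (change forced at next logon, as the thread describes) are assumptions of this example.

```python
# Added example (not from the thread or FreeIPA): parse ldapsearch LDIF
# output and run two consistency checks discussed in the thread.
import base64
import re
from datetime import datetime, timedelta, timezone

# DN of the plugin configuration entry that carries passSyncManagersDN.
PWD_EXTOP_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"


def normalize_dn(dn):
    """Loose DN normalization for comparison: lowercase, no blanks around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_ldif(text):
    """Parse LDIF into a list of entries shaped {attribute_lowercased: [values]}.
    Folded lines (leading space) are rejoined, 'attr:: value' is base64-decoded,
    comment lines and anything without a colon are skipped."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_entry(entries, dn):
    """Return the entry whose dn matches `dn` after normalization, or None."""
    wanted = normalize_dn(dn)
    for entry in entries:
        if normalize_dn(entry.get("dn", [""])[0]) == wanted:
            return entry
    return None


def is_passsync_manager(config_ldif, bind_dn):
    """True if bind_dn is listed in passSyncManagersDN of the ipa_pwd_extop entry."""
    entry = find_entry(parse_ldif(config_ldif), PWD_EXTOP_DN)
    if entry is None:
        return False
    managers = {normalize_dn(v) for v in entry.get("passsyncmanagersdn", [])}
    return normalize_dn(bind_dn) in managers


def generalized_time(value):
    """Parse a Kerberos GeneralizedTime such as 20131009120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiration_findings(user_ldif, max_pwd_life_seconds, tolerance=60):
    """Compare krbPasswordExpiration with krbLastPwdChange + krbMaxPwdLife, and
    sambaPwdLastSet (epoch seconds) with krbLastPwdChange. Empty list = consistent."""
    user = parse_ldif(user_ldif)[0]
    findings = []
    last_change = generalized_time(user["krblastpwdchange"][0])
    expiration = generalized_time(user["krbpasswordexpiration"][0])
    expected = last_change + timedelta(seconds=max_pwd_life_seconds)
    if abs((expiration - expected).total_seconds()) > tolerance:
        findings.append("krbPasswordExpiration is %s but policy implies %s"
                        % (expiration.isoformat(), expected.isoformat()))
    samba = user.get("sambapwdlastset")
    if samba is None:
        findings.append("sambaPwdLastSet missing: Samba has no last-change time")
    elif int(samba[0]) == 0:
        findings.append("sambaPwdLastSet is 0: Samba forces a change at next logon")
    else:
        samba_dt = datetime.fromtimestamp(int(samba[0]), tz=timezone.utc)
        if abs((samba_dt - last_change).total_seconds()) > tolerance:
            findings.append("sambaPwdLastSet is %s but krbLastPwdChange is %s"
                            % (samba_dt.isoformat(), last_change.isoformat()))
    return findings


# Constructed sample, shaped like ldapsearch output, with one folded line.
CONFIG_LDIF = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
passSyncManagersDN: uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,
 dc=com

search: 2
result: 0 Success
"""

# Constructed user: last change 2013-10-09 12:00Z, expiration 90 days later.
USER_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
uid: testuser
krbLastPwdChange: 20131009120000Z
krbPasswordExpiration: 20140107120000Z
sambaPwdLastSet: 1381320000
"""

if __name__ == "__main__":
    print(is_passsync_manager(CONFIG_LDIF, "uid=sambaadmin,cn=sysaccounts,cn=etc,dc=example,dc=com"))
    print(expiration_findings(USER_LDIF, 90 * 86400))   # the default 90-day policy
    print(expiration_findings(USER_LDIF, 86400))        # the 1-day test policy
```

Feed it the real output of `ldapsearch -x -D "cn=Directory Manager" -W -b cn=config cn=ipa_pwd_extop` and of a search for the user entry; a non-empty findings list for the 1-day policy while the 90-day policy is clean is exactly the symptom described in the thread (the change being applied as a reset under the default policy).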