[Freeipa-users] FreeIPA and sambaPwdLastSet
Alexander Bokovoy
abokovoy at redhat.com
Tue Apr 28 18:02:38 UTC 2015
On Tue, 28 Apr 2015, Dmitri Pal wrote:
>On 04/28/2015 12:17 PM, Christopher Lamb wrote:
>>Hi All
>>
>>I wish to pick your brains on the attribute sambaPwdLastSet
>>
>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>old 3.0.0 instance.
>>
>>We are also running Samba to share files to Windows and OSX users. This
>>means that all the FreeIPA user accounts have the attribute
>>sambaPwdLastSet.
>>
>>If this has the value 0, our users cannot map Samba shares, so we need to
>>make sure the value is a positive integer.
>>
>>In an attempt to do this, I modified user.py, adding the attribute to the
>>takes_params for the class user as follows:
>>
>>class user(LDAPObject):
>> . . .
>> takes_params = (
>> . . .
>> Int('sambapwdlastset?',
>> label=_('sambaPwdLastSet'),
>> doc=_('Date as an integer when the samba password was last set'
>>),
>> default=1,
>> autofill=True,
>> ),
>> . . .
>>
>>This works fine if I create a user via the CLI.
>>
>>However if I create a user via the Web UI, or use the Web UI to reset a
>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>>So what scripts do I need to change to make sure the Web UI sets
>>sambaPwdLast Set to a positive value? (I don't want to run ldapmodify
>>scripts, or have to use Apache Directory Studio to hack the db..)
>>
>>Or is there an altogether better approach to handling this field?
>>
>>Thanks
>>
>>Chris
>>
>>
>>
>>
>>
>May be you should consider managed entry plugin and make this
>attribute be updated at the same time the standard password expiration
>attribute is updated?
Dmitri, it is already updated -- we set it to 0 when admin changes
user's password.
I've wrote an answer to Chris but forgot to CC: the list. I'll re-send
my answer.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list