[Freeipa-users] FreeIPA and sambaPwdLastSet

Alexander Bokovoy abokovoy at redhat.com
Tue Apr 28 18:11:00 UTC 2015


Resending it to the right list. :) Not my evening.

On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>
>>Hi All
>>
>>I wish to pick your brains on the attribute sambaPwdLastSet
>>
>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>old 3.0.0 instance.
>>
>>We are also running Samba to share files to Windows and OSX users. This
>>means that all the FreeIPA user accounts have the attribute
>>sambaPwdLastSet.
>>
>>If this has the value 0, our users cannot map Samba shares, so we need to
>>make sure the value is a positive integer.
>>
>>In an attempt to do this, I modified user.py, adding the attribute to the
>>takes_params for the class user as follows:
>>
>>class user(LDAPObject):
>>    . . .
>>    takes_params = (
>>        . . .
>>        Int('sambapwdlastset?',
>>            label=_('sambaPwdLastSet'),
>>            doc=_('Date as an integer when the samba password was last set'),
>>            default=1,
>>            autofill=True,
>>        ),
>>        . . .
>>
>>This works fine if I create a user via the CLI.
>>
>>However if I create a user via the Web UI, or use the Web UI to reset a
>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>>So what scripts do I need to change to make sure the Web UI sets
>>sambaPwdLastSet to a positive value? (I don't want to run ldapmodify
>>scripts, or have to use Apache Directory Studio to hack the db...)
>>
>>Or is there an altogether better approach to handling this field?
>Yes, there is.
>
>Given that you are running FreeIPA 4.1, you now can use SSSD as your
>libwbclient provider to be able to run Samba on IPA client against IPA
>database. There will be no dependency on sambaPwdLastSet anymore.
>
>See
>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA
>client. It does not work though with non-Kerberos (NTLM) logins.
>
>However, if you insist on using the sambaPwdLastSet attribute, then the
>user password change rule applies:
>
>- if an admin changes a user's password, sambaPwdLastSet is cleared to 0 to
>  force the user to change their password also via Samba
>
>- if the user changes the password him/herself, sambaPwdLastSet is set to
>  the current time (i.e. not 0).
>
>This really goes into enforcing privacy of user passwords -- if admins
>change user passwords, the password is not really secret anymore and
>cannot be considered secure, so it is only used once.
>
>See also https://www.freeipa.org/page/Self-Service_Password_Reset and
>https://www.freeipa.org/page/New_Passwords_Expired
>
>-- 
>/ Alexander Bokovoy

-- 
/ Alexander Bokovoy
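A check for the rule Alexander describes, added here as an example (it is not from the thread and not FreeIPA's own code): it reads an LDIF export of the user accounts, flags every account whose sambaPwdLastSet is 0 (the state an admin password reset leaves behind, which Samba rejects until the user changes the password themselves), and models the admin-reset versus self-service stamping rule. The base DN, uids, timestamps and the ldapsearch invocation in the comment are constructed sample data; treating an absent attribute like 0 is an assumption of this script.

```python
"""Audit sambaPwdLastSet on IPA user entries exported as LDIF.

Added example for this thread, not FreeIPA's own code. It models the rule the
reply describes (admin reset -> 0, self-service change -> current Unix time)
and flags accounts that cannot map Samba shares until the user changes the
password. Base DN, uids and timestamps below are constructed sample data.
"""
import base64
import datetime as dt
import time

# Constructed sample in the shape of:
#   ldapsearch -LLL -b cn=users,cn=accounts,dc=example,dc=com \
#       '(objectClass=sambaSamAccount)' uid sambaPwdLastSet
# carol's value is base64-encoded ('::') to exercise that LDIF form.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
sambaPwdLastSet: 1430244660

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
sambaPwdLastSet: 0

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
sambaPwdLastSet:: MTQzMDI0NDY2MA==

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
uid: dave
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries, a leading space
    continues the previous line, '::' introduces a base64 value.
    Returns a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" closes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    return entries


def pwd_last_set(entry):
    """sambaPwdLastSet as an int, or None when the attribute is absent."""
    values = entry.get("sambaPwdLastSet")
    return int(values[0]) if values else None


def audit_ldif(text):
    """Map uid -> Unix time of the last self-service change, or None for an
    account Samba will reject until the user changes the password.
    A value of 0 is blocked per the thread; an absent attribute is treated
    the same way here (assumption: the thread's accounts all carry it)."""
    return {e["uid"][0]: (pwd_last_set(e) or None) for e in parse_ldif(text)}


def apply_password_change(entry, changed_by_self, now=None):
    """Model of the rule from the reply: a self-service change stamps the
    current Unix time, an admin reset clears the value to 0 so the user has
    to change the password (also via Samba) before shares can be mapped.
    Returns the new value."""
    if changed_by_self:
        stamp = int(time.time() if now is None else now)
    else:
        stamp = 0
    entry["sambaPwdLastSet"] = [str(stamp)]
    return stamp


def report(text):
    """Human-readable lines, one per account, for a quick audit."""
    out = []
    for uid, stamp in sorted(audit_ldif(text).items()):
        if stamp is None:
            out.append(f"{uid}: BLOCKED (sambaPwdLastSet 0/absent; user must change password)")
        else:
            when = dt.datetime.fromtimestamp(stamp, dt.timezone.utc)
            out.append(f"{uid}: ok, last set {when:%Y-%m-%d %H:%M:%SZ}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LDIF)))
```

Feed the script the output of an ldapsearch over the users container instead of SAMPLE_LDIF to get the list of people to point at the self-service password reset page; it does not write to the directory, which is the point: the fix for a 0 value is a user-initiated password change, not an ldapmodify.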