[Freeipa-users] FreeIPA and sambaPwdLastSet
Christopher Lamb
christopher.lamb at ch.ibm.com
Sun Aug 9 09:50:19 UTC 2015
Hi
having done some more experimentation with creating users, changing
passwords, and the attribute sambaPwdLast set, it is time to reactivate
this old thread.
I have a newly setup FreeIPA 4.1 Server configured with the "good old"
Samba schema extensions for FreeIPA.
I have established the following:
1) user created via CLI with no initial password given:
# ipa user-add usr1--first=Aunt --last=Agatha
# ipa group-add-member smbgrp --users=usr1
--> The user has neither the smbPwdLastSet nor sambaNTPassword attributes
--> NOT OK
2) Now set an initial pwd for the same user
# ipa user-mod usr1 --password
--> The user has sambaNTPassword, but NOT smbPwdLastSet
3) user created via CLI with initial password given:
# ipa user-add usr2--first=Bertie --last=Wooster
# ipa group-add-member smbgrp --users=usr2
--> The user has both the smbPwdLastSet nor sambaNTPassword attributes.
smbPwdLastSet = 0 --> OK
4) Now let usr2 set his real password:
# su usr2
# kinit usr2
--> The user has both the smbPwdLastSet nor sambaNTPassword attributes.
smbPwdLastSet remains = 0 --> NOT OK, smbPwdLastSet should now be a
positive number!
At this stage usr2 cannot access Samba shares. Of course, I can use an LDAP
browser or CLI commands to set smbPwdLastSet=1, but that is easily
forgotten.
The next test (result still open) is to set what happens with smbPwdLastSet
on password expiry. To do this I have created a fast expiring password
group policy, added usr2 to that group, and then let usr2 change his
password to ensure the new policy is active.
# ipa group-add fastexpire --desc="group with a fast expiring pwd policy"
# ipa group-add-member fastexpire --users=usr2
# ipa pwpolicy-add fastexpire --minlife=0 --maxlife=1 --history=1
--priority=1
# su usr2
# ipa user-mod usr2 --password
Results of this test tomorrow ....
Chris
From: Alexander Bokovoy <abokovoy at redhat.com>
To: Rob Crittenden <rcritten at redhat.com>
Cc: Christopher Lamb/Switzerland/IBM at IBMCH,
freeipa-users at redhat.com
Date: 20.07.2015 15:52
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
On Mon, 20 Jul 2015, Rob Crittenden wrote:
>Christopher Lamb wrote:
>>Hi Alexander
>>
>>This issue got overtaken by others, and slipped off my radar for a bit...
>>
>>While the solution suggested earlier in this thread at
>>
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>sounds interesting (and we are running the correct versions of OEL 7.1
and
>>SSSD), it seems to require the Windows clients to be members of an Active
>>Diretory trusted by IPA.
>>
>>Unfortunately there is no AD in our architecture - our Windows and OSX
>>clients are effectively islands. That would seem to leave us stuck with
>>sambaPwdLastSet.
>>
>>After a user has had his password reset via the IPA WebUi to a temporary
>>value, the user then logs on using the temporary password, and is asked
to
>>enter a new password. At his point sambaPwdLastSet should be set to a
>>positive value. However our testing indicates that it is not. We have
tried
>>3 techniques:
>>
>>1) User connects to LDAP server via remote ssh.
>>
>>2) kinit <user>
>>
>>3) su - <user> over an existing ssh session with another user (e.g. mine)
>>
>>In all three cases the user is able to set their password, but
>>sambaPwdLastSet remains set to 0.
>>
>>As a workaround we use Apache Directory Studio to manually set
>>sambaPwdLastSet once the user has changed his password.
>>
>>Chris
>
>AFAICT the user needs the sambaSamAccount objectclass in order for
>this to work. Is that the case?
Yes, exactly.
This object class is not used by IPA integration with Samba, so we don't
give it to users by default. The code in IPA password plugin checks if
there is an object class named SambaSamAccount on the user entry and
then manipulates sambaPwdLastSet as required.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list