[Freeipa-users] FreeIPA and sambaPwdLastSet

Rob Crittenden rcritten at redhat.com
Mon Jul 20 13:47:32 UTC 2015


Christopher Lamb wrote:
> Hi Alexander
>
> This issue got overtaken by others, and slipped off my radar for a bit...
>
> While the solution suggested earlier in this thread at
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> sounds interesting (and we are running the correct versions of OEL 7.1 and
> SSSD), it seems to require the Windows clients to be members of an Active
> Directory trusted by IPA.
>
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
>
> After a user has had his password reset via the IPA WebUI to a temporary
> value, the user then logs on using the temporary password, and is asked to
> enter a new password. At this point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have tried
> 3 techniques:
>
> 1) User connects to LDAP server via remote ssh.
>
> 2) kinit <user>
>
> 3) su - <user> over an existing ssh session with another user (e.g. mine)
>
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
>
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
>
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this 
to work. Is that the case?

rob



