[Freeipa-users] FreeIPA and sambaPwdLastSet

Rich Megginson rmeggins at redhat.com
Mon Jul 20 14:22:57 UTC 2015


On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

>
> Chris
>
>
>
> From:	Rob Crittenden <rcritten at redhat.com>
> To:	Christopher Lamb/Switzerland/IBM at IBMCH, Alexander Bokovoy
>              <abokovoy at redhat.com>
> Cc:	freeipa-users at redhat.com
> Date:	20.07.2015 15:47
> Subject:	Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUi to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit <user>
>>
>> 3) su - <user> over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob
>
>
>
>

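An added example, not code from the thread or from FreeIPA, for the audit an administrator would want after this exchange: read an LDIF export of the user entries, match the Samba objectclass case-insensitively (as Rich notes, objectclass values are not case sensitive), list accounts whose sambaPwdLastSet is still 0, and emit the ldapmodify record that applies the manual workaround Chris describes. The LDIF entries and DNs below are constructed sample data, and the tiny LDIF reader is an assumption (real exports may use line folding and base64 values).

```python
import re
import time

# Constructed sample export (not real directory data) of three IPA users:
# one healthy, one with sambaPwdLastSet still 0 after a password change,
# one without the Samba objectclass at all.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaPwdLastSet: 1437400000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambasamaccount
uid: bob
sambaPwdLastSet: 0

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
uid: carol
"""

def parse_ldif(text):
    """Minimal LDIF reader (assumed): lower-cased attribute -> list of values, per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def has_objectclass(entry, name):
    """objectClass values are case-insensitive in LDAP, so compare lower-cased."""
    return name.lower() in {v.lower() for v in entry.get("objectclass", [])}

def find_stale_samba_accounts(entries):
    """Return DNs of sambaSamAccount entries whose sambaPwdLastSet is missing or 0."""
    stale = []
    for e in entries:
        if not has_objectclass(e, "sambaSamAccount"):
            continue  # Samba never consults these entries; report them separately if wanted
        value = e.get("sambapwdlastset", ["0"])[0]
        if not value.isdigit() or int(value) == 0:
            stale.append(e["dn"][0])
    return stale

def ldif_fix(dn, when=None):
    """LDIF modify record setting sambaPwdLastSet to a Unix timestamp (default: now)."""
    when = int(time.time()) if when is None else int(when)
    return f"dn: {dn}\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: {when}\n"
```

Feed the output of `ldif_fix` to `ldapmodify` only for accounts whose password you have confirmed was actually changed; a stale 0 is a symptom, and a non-zero value does not by itself prove the Samba hashes were updated.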