[Freeipa-users] FreeIPA and sambaPwdLastSet

Christopher Lamb christopher.lamb at ch.ibm.com
Mon Jul 20 14:38:51 UTC 2015


ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" \
    "(&(objectClass=sambaSamAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" \
    "(&(objectClass=sambaSAMAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" \
    "(&(objectClass=sambasamaccount)(uid=bilbo))"

all give me a result, indicating case is not important.



From:	Rich Megginson <rmeggins at redhat.com>
To:	freeipa-users at redhat.com
Date:	20.07.2015 16:24
Subject:	Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Sent by:	freeipa-users-bounces at redhat.com



On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

>
> Chris
>
>
>
> From:		 Rob Crittenden <rcritten at redhat.com>
> To:		 Christopher Lamb/Switzerland/IBM at IBMCH, Alexander Bokovoy
>              <abokovoy at redhat.com>
> Cc:		 freeipa-users at redhat.com
> Date:		 20.07.2015 15:47
> Subject:		 Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUi to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit <user>
>>
>> 3) su - <user> over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob
>
>
>
>
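
Added example, not part of the original thread: a shell/awk filter over ldapsearch LDIF output that compares the objectclass case-insensitively, as the searches at the top of this message do, and lists the accounts whose sambaPwdLastSet is still 0. The sample entries (the uids frodo and sam, the cn=users,cn=accounts container and the timestamp) are constructed for illustration.

```shell
#!/bin/sh
# Added example: read LDIF on stdin and print the uid of every entry that has
# the sambaSamAccount objectclass (any letter case) and sambaPwdLastSet: 0.
samba_pwd_unset() {
    awk '
    function emit() {
        if (is_samba && last_set == "0" && uid != "") print uid
        is_samba = 0; last_set = ""; uid = ""
    }
    /^$/    { emit(); next }   # blank line ends an LDIF entry
    /^[# ]/ { next }           # skip comments and folded continuation lines
    {
        sep = index($0, ":")
        if (sep == 0) next
        attr = tolower(substr($0, 1, sep - 1))   # attribute names: case-insensitive
        val = substr($0, sep + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        if (attr == "objectclass" && tolower(val) == "sambasamaccount") is_samba = 1
        else if (attr == "sambapwdlastset") last_set = val
        else if (attr == "uid") uid = val
    }
    END { emit() }             # last entry may not be followed by a blank line
    '
}

# Constructed sample input, shaped like ldapsearch output.
sample_ldif() {
    cat <<'EOF'
dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: posixaccount
objectClass: sambasamaccount
uid: bilbo
sambaPwdLastSet: 0

dn: uid=frodo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: sambaSAMAccount
uid: frodo
sambaPwdLastSet: 1437400000

dn: uid=sam,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
objectClass: sambaSamAccount
uid: sam
sambaPwdLastSet: 0
EOF
}

sample_ldif | samba_pwd_unset
```

On a real directory, feed the function the output of an ldapsearch like the ones above with the filter (objectClass=sambaSamAccount).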
