<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 10/04/2013 10:34 AM, Zach Musselman wrote:
<blockquote
cite="mid:CAKouC9eRAvcGgRYxdZ2rm8zwBFpa16mBUhfL7XY6ALDzEXsRdw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Hello,<br>
<br>
</div>
My company is having issues with our current install of IPA on
RHEL 6.4.<br>
<br>
** We had group patches that worked with IPA 2.2.0 and allowed
us to enter samba groups directly in the IPA web interface.
Red Hat is unable to confirm these patches are updated for IPA
3.0 RHEL 6.4 even though their Red Hat consultant created
these a year ago.<br>
<br>
<br>
** IPA password policy (history, length, complexity, etc.)
enforcement<br>
<br>
</div>
Our current versions are not allowing the IPA password policy to
work with Samba. My Windows users are able to change their
password either MANUALLY or WHEN FORCED to reset via the IPA
interface. However, none of the password history, length,
complexity and so on are enforced with Samba and users are able
to either keep the same password or change it to anything they
want without restrictions.<br>
<br>
<div><br>
** Samba password change also changing correctly the IPA
expiration date so IPA can successfully reset the
(sambaPwdLastSet: 0) value upon 90 days since last password
change<br>
<br>
</div>
<div>If we manually run ldapmodify and change the value of
sambaPwdLastSet to equal 0, this correctly forces the end user
to change their password in Windows.<br>
<br>
The issue though is their IPA password expiration date listed
in the interface isn't correctly showing the amount of days to
expire NEXT. I have a test user that has a password policy of
1 day expiration. I would expect this user to show an
expiration date of the next day after password change but for
some reason it always keeps showing about 90 days out, which
is my default policy for all users.<br>
<br>
I need to be able to test that IPA is correctly expiring the
password after 1 day so that I know in 90 days my other users
will receive the same expiration.<br>
<br>
</div>
<div>For most of this year password expiration was not working
and IPA is showing a password expiration of months ago when
their password should have expired (samba never prompted for
this change). Since we updated to IPA 3.0, I'm hoping that
when I reset their sambaPwdLastSet to 0 that IPA will start
enforcing a 90 day expiration again.<br>
<br>
<br>
</div>
<div>Any help you can provide on these issues would be greatly
appreciated!<br>
<br>
</div>
<div>Also, what would you recommend for future IPA versions and
Samba? Will RHEL 6.5 include a newer version of IPA that will
work and integrate better with Samba? Or should we start
looking at other options that integrate our password features
more as they are needed, like Samba 4?<br>
<br>
</div>
<div>Thanks again!<br>
</div>
<div><br clear="all">
</div>
</div>
</blockquote>
<br>
Hello,<br>
<br>
We would be glad to help you but it is unclear what kind of setup
you have. It is definitely something custom made that was created
based on your requirements and not exactly the usual use case we see in
the community.<br>
So let us understand what we are talking about.<br>
How are you using Samba? As a file server, as an NT-style DC, or are
you talking about Winbind?<br>
If you are using FreeIPA DS as a back end DS store for Samba then
this is something we did not try nor can guarantee would work between
the IPA upgrades.<br>
<br>
Based on your comment above it looks like you are trying to use
Windows clients with a Samba NT-style DC that uses IPA as its back end
store.<br>
If that is the case, it is not something that we support upstream or
recommend. The main reason is that we anticipate it to be very
fragile and hard to maintain (and your experience above proves that).<br>
<br>
So in the current situation the best would be to understand the
requirements and see what is the best solution we can recommend
based on the tools we have.<br>
<br>
Sorry that you went through such an experience, it must be really
frustrating. We will try to help the best we can.<br>
<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:CAKouC9eRAvcGgRYxdZ2rm8zwBFpa16mBUhfL7XY6ALDzEXsRdw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div><br>
-- <br>
Zach
</div>
</div>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
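<p>The original poster describes two symptoms: setting <code>sambaPwdLastSet</code> to 0 via ldapmodify forces a Windows password change, but the IPA-side expiration shown for a user does not follow the user's password policy (a 1-day test policy still shows roughly 90 days out, and other users show expirations months in the past). The script below is an added example, not code from the thread or from the FreeIPA project, that audits exported user entries for exactly those inconsistencies. It assumes the FreeIPA Kerberos attributes <code>krbLastPwdChange</code> and <code>krbPasswordExpiration</code> (LDAP GeneralizedTime) alongside Samba's <code>sambaPwdLastSet</code> (Unix epoch seconds), and that the applicable policy's maximum password life is known per user in seconds; the entries, DN and dates are constructed for the example.</p>

```python
"""Audit helper: compare Samba and IPA password-age attributes per user.

Added example (not from the mailing-list thread or FreeIPA). Attribute
names are the standard FreeIPA Kerberos and Samba schema attributes; the
policy lifetimes and the entries below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, e.g. 20130704103400Z


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime string as an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expected_expiration(last_change, max_life_seconds):
    """Expiration the policy (max password life in seconds) should have produced."""
    return last_change + timedelta(seconds=max_life_seconds)


def audit_user(entry, max_life_seconds, now, tolerance=timedelta(hours=1)):
    """Return a list of finding tags for one user entry.

    samba-force-change : sambaPwdLastSet is 0, so Samba will demand a new password
    ipa-expired        : krbPasswordExpiration is already in the past
    expiration-mismatch: stored expiration disagrees with krbLastPwdChange + policy
    samba-ipa-drift    : Samba and IPA disagree by more than a day on the last change
    """
    last_change = parse_generalized_time(entry["krbLastPwdChange"])
    expiration = parse_generalized_time(entry["krbPasswordExpiration"])
    samba_last_set = int(entry.get("sambaPwdLastSet", "0"))
    findings = []
    if samba_last_set == 0:
        findings.append("samba-force-change")
    if expiration <= now:
        findings.append("ipa-expired")
    drift = expiration - expected_expiration(last_change, max_life_seconds)
    if abs(drift) > tolerance:
        findings.append("expiration-mismatch")
    if samba_last_set != 0:
        samba_dt = datetime.fromtimestamp(samba_last_set, tz=timezone.utc)
        if abs(samba_dt - last_change) > timedelta(days=1):
            findings.append("samba-ipa-drift")
    return findings


def audit_all(entries, policy_by_uid, default_max_life, now):
    """Map uid -> findings, using a per-user policy override where one exists."""
    return {
        e["uid"]: audit_user(e, policy_by_uid.get(e["uid"], default_max_life), now)
        for e in entries
    }


def build_reset_ldif(dn):
    """LDIF for the ldapmodify step the thread describes: force a Samba password change."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: sambaPwdLastSet\n"
        "sambaPwdLastSet: 0\n"
    )


# Constructed sample entries (not real accounts). 1378036800 is 2013-09-01T12:00:00Z,
# 1371254400 is 2013-06-15T00:00:00Z.
SAMPLE_ENTRIES = [
    {"uid": "alice", "krbLastPwdChange": "20130901120000Z",
     "krbPasswordExpiration": "20131130120000Z", "sambaPwdLastSet": "1378036800"},
    {"uid": "tester", "krbLastPwdChange": "20131003090000Z",
     "krbPasswordExpiration": "20140101090000Z", "sambaPwdLastSet": "0"},
    {"uid": "bob", "krbLastPwdChange": "20130101080000Z",
     "krbPasswordExpiration": "20130401080000Z", "sambaPwdLastSet": "1371254400"},
]
DEFAULT_MAX_LIFE = 90 * 86400            # 90-day default policy, as in the thread
POLICY_OVERRIDES = {"tester": 86400}     # 1-day test policy for the test user

if __name__ == "__main__":
    now = parse_generalized_time("20131004103400Z")  # the thread's date, constructed
    for uid, findings in audit_all(SAMPLE_ENTRIES, POLICY_OVERRIDES, DEFAULT_MAX_LIFE, now).items():
        print(f"{uid}: {', '.join(findings) or 'ok'}")
    print(build_reset_ldif("uid=tester,cn=users,cn=accounts,dc=example,dc=com"))
```

<p>Run against an LDIF export of the user subtree, the <code>expiration-mismatch</code> tag isolates the test user's 1-day policy not being reflected in the stored expiration, and <code>ipa-expired</code> lists the accounts whose IPA expiration lies months in the past while Samba still accepts the password; both are what a defender would want to confirm before and after the <code>sambaPwdLastSet: 0</code> reset.</p>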
</body>
</html>