Set the sambaPwdLastSet when changing password for a user that has the
sambaSamAccount objectclass, so that samba is kept in sync with the
status of the user account wrt whether the user needs to change the
password or not.

fixes trac#313

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 5fdfffbaa95032efd679b52dfe7fbfa124037478 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Tue, 5 Oct 2010 18:09:12 -0400
Subject: [PATCH] When dealing with samba password set also the sambaPwdLastSet

This attribute is required for samba to properly identify that a user has changed
its password and doesn't need to change it again at next login.

At the same time, if we are forcing a password reset we also need to let samba
know the user must change its password.
---
 .../ipa-pwd-extop/ipapwd_common.c                  |   22 ++++++++++++++++-
 .../ipa-pwd-extop/ipapwd_prepost.c                 |   26 ++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index a2b11e4..4c1092a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -1165,6 +1165,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     int is_smb = 0;
     Slapi_Value *sambaSamAccount;
     char *errMesg = NULL;
+    char *modtime = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
                     "=> ipapwd_SetPassword\n");
@@ -1224,7 +1225,25 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
         slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "sambaNTPassword", nt);
     }
-
+    if (is_smb) {
+        /* with samba integration we need to also set sambaPwdLastSet or
+         * samba will decide the user has to change the password again */
+        if (data->changetype == IPA_CHANGETYPE_ADMIN) {
+            /* if it is an admin change instead we need to let know to
+             * samba as well that the use rmust change its password */
+            modtime = slapi_ch_smprintf("0");
+        } else {
+            modtime = slapi_ch_smprintf("%ld", (long)data->timeNow);
+        }
+        if (!modtime) {
+            slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+                            "failed to smprintf string!\n");
+            ret = LDAP_OPERATIONS_ERROR;
+            goto free_and_return;
+        }
+        slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+                              "sambaPwdLastset", modtime);
+    }
     /* let DS encode the password itself, this allows also other plugins to
      * intercept it to perform operations like synchronization with Active
      * Directory domains through the replication plugin */
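Review bot: The attribute is written as `"sambaPwdLastset"` in the added `slapi_mods_add_string` call, while the comment above it and the commit subject spell it `sambaPwdLastSet`. LDAP attribute names are matched case-insensitively, so the modify should still apply, but using the schema spelling keeps searches and audits of this field reliable. The same spelling appears in both ipapwd_prepost.c hunks. The inner comment is also garbled ("use rmust"); something like `/* admin reset: 0 tells samba the user must change the password at next logon */` states the rule directly. ipapwd_SetPassword starts and ends outside the hunk.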
@@ -1252,6 +1271,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 free_and_return:
     if (lm) slapi_ch_free((void **)&lm);
     if (nt) slapi_ch_free((void **)&nt);
+    if (modtime) slapi_ch_free((void **)&modtime);
     slapi_mods_free(&smods);
     ipapwd_free_slapi_value_array(&svals);
     ipapwd_free_slapi_value_array(&pwvals);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 7c95ac8..a486981 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -351,6 +351,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
             slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
             slapi_ch_free_string(&nt);
         }
+
+        if (is_smb) {
+            /* with samba integration we need to also set sambaPwdLastSet or
+             * samba will decide the user has to change the password again */
+            if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+                /* if it is an admin change instead we need to let know to
+                * samba as well that the use rmust change its password */
+                slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+            } else {
+                slapi_entry_attr_set_long(e, "sambaPwdLastset",
+                                      (long)pwdop->pwdata.timeNow);
+            }
+        }
     }
 
     rc = LDAP_SUCCESS;
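Review bot: The admin-versus-self decision added under `if (is_smb)` is duplicated line for line in the ipapwd_pre_mod hunk below, and in string form in ipapwd_SetPassword in ipapwd_common.c. This value controls whether samba demands a password change after an admin reset, so three hand-maintained copies can drift apart. A small static helper that takes the change type and the timestamp and returns the `long` to store would keep the rule in one place. ipapwd_pre_add starts and ends outside the hunk.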
@@ -736,6 +749,19 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
                                   "sambaNTPassword", nt);
             slapi_ch_free_string(&nt);
         }
+
+        if (is_smb) {
+            /* with samba integration we need to also set sambaPwdLastSet or
+             * samba will decide the user has to change the password again */
+            if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+                /* if it is an admin change instead we need to let know to
+                * samba as well that the use rmust change its password */
+                slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+            } else {
+                slapi_entry_attr_set_long(e, "sambaPwdLastset",
+                                      (long)pwdop->pwdata.timeNow);
+            }
+        }
     }
 
     rc = LDAP_SUCCESS;
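Review bot: The new value is set on `e` with `slapi_entry_attr_set_long`, but the context line just above (`"sambaNTPassword", nt);`) is the tail of a multi-line call. Its shape matches the `slapi_mods_add_string(smods, LDAP_MOD_REPLACE, ...)` form used in ipapwd_common.c, which suggests this function applies its changes through a mods list rather than through the entry. If `e` here is only a copy of the stored entry (its origin is outside the hunk), the sambaPwdLastSet value would never reach the directory, and samba would not be told to force a change after an admin reset. If that is confirmed, add the value the same way sambaNTPassword is added: format it to a string, pass it as `slapi_mods_add_string(..., LDAP_MOD_REPLACE, "sambaPwdLastSet", modtime);`, and free it afterwards. ipapwd_pre_mod starts and ends outside the hunk.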
-- 
1.7.2.3
