Sending my answer to the list too.

On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
On Tue, 28 Apr 2015, Christopher Lamb wrote:


Hi All

I wish to pick your brains on the attribute sambaPwdLastSet

We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
old 3.0.0 instance.

We are also running Samba to share files to Windows and OSX users. This
means that all the FreeIPA user accounts have the attribute
sambaPwdLastSet.

If this has the value 0, our users cannot map Samba shares, so we need to
make sure the value is a positive integer.

In an attempt to do this, I modified user.py, adding the attribute to the
takes_params for the class user as follows:

class user(LDAPObject):
 . . .
 takes_params = (
        . . .
           Int('sambapwdlastset?',
          label=_('sambaPwdLastSet'),
          doc=_('Date as an integer when the samba password was last set'
),
          default=1,
          autofill=True,
      ),
      . . .

This works fine if I create a user via the CLI.

However if I create a user via the Web UI, or use the Web UI to reset a
user's password, then the attribute sambaPwdLastSet is set to zero.

So what scripts do I need to change to make sure the Web UI sets
sambaPwdLast Set to a positive value? (I don't want to run ldapmodify
scripts, or have to use Apache Directory Studio to hack the db..)

Or is there an altogether better approach to handling this field?
Yes, there is.

Given that you are running FreeIPA 4.1, you now can use SSSD as your
libwbclient provider to be able to run Samba on IPA client against IPA
database. There will be no dependency on sambaPwdLastSet anymore.

See
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA
client. It does not work though with non-Kerberos (NTLM) logins.

However, if you insist on using sambaPwdLastSet attribute, then user
password change rule is applying:

- if admin changes user password, sambaPwdLastSet is cleared to 0 to
 force users to change their passwords also via Samba

If user changes the password him/herself, sambaPwdLastSet is set to the
current time (i.e. not 0).

This really goes into enforcing privacy of user passwords -- if admins
change user passwords, the password is not really secret anymore and
cannot be considered secure, so it is only used once.

See also https://www.freeipa.org/page/Self-Service_Password_Reset and
https://www.freeipa.org/page/New_Passwords_Expired

--
/ Alexander Bokovoy

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to