On Mi 10 Okt 2012 17:54:22 CEST, Simo Sorce wrote: > On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote: >> Hello together, >> we are running IPA on RHEL6.3 for quite some time. >> We are also using IPA to provide the LDAP backend for our samba >> configuration. >> Normally everything is running quite ok. >> >> But from time to time some people inform me that their samba password is >> not in sync with their password in IPA. >> Mostly this is working but a few different people are informing me about >> that. >> So is there a way to "resync" the password to the ones in LDAP >> (userPassword, sambaNTPassword)? > > We do not have code to do that now (although we have some code in 3.0 > that is capable of doing that so it is technically possible), but this > shouldn't happen in the first place. > > Do you have any information about how the password was changed by these > users ? They are changing their passwords via ssh, sssd (kpasswd underneath) or directly over kpasswd.
BTW: What would be the recommended way to re change their password afterwards again? > > Are you allowing samba to change the password ? Probably (ldap passwd sync=Yes). Up to now I recommended to use ssh/sssd combination for passwd change to those users. > > If so are you using the option 'ldap sync only = Only' ? If you do not > use this setting that is most likely the problem. > If you do then it may be a bug in samba. I'm using samba 3.5 (part of RHEL6) and there seems to be no option ldap sync. The only relevant option I've set is ldap passwd sync = Yes. > > Have you given samba access for writing to the sambaNTPassword > attribute ? > (you shouldn't samba should be allowed only to read). Not that I know of. How can I do this? > > Simo. > -- -- Marc Grimme E-Mail: grimme( at )atix.de ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 | 85716 Unterschleissheim | www.atix.de | www.comoonics.org Registergericht: Amtsgericht Muenchen, Registernummer: HRB 168930, USt.-Id.: DE209485962 | Vorstand: Marc Grimme, Mark Hlawatschek, Thomas Merz (Vors.) | Vorsitzender des Aufsichtsrats: Dr. Martin Buss _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users