On Mi 10 Okt 2012 17:54:22 CEST, Simo Sorce wrote:
> On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
>> Hello together,
>> we are running IPA on RHEL6.3 for quite some time.
>> We are also using IPA to provide the LDAP backend for our samba
>> configuration.
>> Normally everything is running quite ok.
>> But from time to time some people inform me that their samba password is
>> not in sync with their password in IPA.
>> Mostly this is working but a few different people are informing me about
>> that.
>> So is there a way to "resync" the password to the ones in LDAP
>> (userPassword, sambaNTPassword)?
> We do not have code to do that now (although we have some code in 3.0
> that is capable of doing that so it is technically possible), but this
> shouldn't happen in the first place.
> Do you have any information about how the password was changed by these
> users ?
They are changing their passwords via ssh, sssd (kpasswd underneath) or 
directly over kpasswd.

BTW: What would be the recommended way to re change their password 
afterwards again?
> Are you allowing samba to change the password ?
Probably (ldap passwd sync=Yes). Up to now I recommended to use 
ssh/sssd combination for passwd change to those users.
> If so are you using the option 'ldap sync only = Only' ? If you do not
> use this setting that is most likely the problem.
> If you do then it may be a bug in samba.
I'm using samba 3.5 (part of RHEL6) and there seems to be no option 
ldap sync.
The only relevant option I've set is ldap passwd sync = Yes.
> Have you given samba access for writing to the sambaNTPassword
> attribute ?
> (you shouldn't samba should be allowed only to read).
Not that I know of.
How can I do this?
> Simo.


Marc Grimme

E-Mail: grimme( at )atix.de

ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 |
85716 Unterschleissheim | www.atix.de | www.comoonics.org

Registergericht: Amtsgericht Muenchen, Registernummer: HRB 168930, 
DE209485962 | Vorstand: Marc Grimme, Mark Hlawatschek, Thomas Merz 
(Vors.) |
Vorsitzender des Aufsichtsrats: Dr. Martin Buss

Freeipa-users mailing list

Reply via email to