On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> > On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> >> Hello together,
> >> we are running IPA on RHEL6.3 for quite some time.
> >> We are also using IPA to provide the LDAP backend for our samba configuration.
> >> Normally everything is running quite ok.
> >>
> >> But from time to time some people inform me that their samba password is not in sync with their password in IPA.
> >> Mostly this is working but a few different people are informing me about that.
> >> So is there a way to "resync" the password to the ones in LDAP (userPassword, sambaNTPassword)?
> >
> > We do not have code to do that now (although we have some code in 3.0 that is capable of doing that so it is technically possible), but this shouldn't happen in the first place.
> >
> > Do you have any information about how the password was changed by these users?
>
> They are changing their passwords via ssh, sssd (kpasswd underneath) or directly over kpasswd.
>
> BTW: What would be the recommended way to re-change their password afterwards again?
Those methods are fine.

Are you sure the affected users didn't change their password via their Windows clients? Are their clients joined to the samba domain?

> > Are you allowing samba to change the password?
>
> Probably (ldap passwd sync=Yes). Up to now I recommended to use the ssh/sssd combination for passwd change to those users.
>
> > If so are you using the option 'ldap sync only = Only'? If you do not use this setting that is most likely the problem.
> > If you do then it may be a bug in samba.
>
> I'm using samba 3.5 (part of RHEL6) and there seems to be no option ldap sync.
> The only relevant option I've set is ldap passwd sync = Yes.

I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync' and the 'only' option. It has been in samba for a long time (I think since 3.0.x).

> > Have you given samba access for writing to the sambaNTPassword attribute?
> > (you shouldn't; samba should be allowed only to read).
>
> Not that I know of.
> How can I do this?

You can do it with a custom user and custom ACIs.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
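The two fixes Simo points at (set samba's `ldap passwd sync` to `only` so samba changes only userPassword and lets the directory derive the NT hash, and give samba a bind account that cannot write the hash attributes) are shown below as an added example; this is not code from the thread, from FreeIPA or from Samba. The smb.conf fragments are constructed, the bind DN uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com and the suffix dc=example,dc=com are assumptions, and the script only audits the text and emits the LDIF; it does not talk to a server.

```python
"""Audit smb.conf [global] for the IPA/LDAP password-sync settings and emit a
389-DS ACI that keeps samba's bind DN read-only on the hash attributes.

Added example for the thread above; not FreeIPA or Samba project code.
Assumed names: the bind DN uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com
and the suffix dc=example,dc=com.
"""
import configparser

# The attributes samba would write itself when 'ldap passwd sync' is yes.
HASH_ATTRS = ("sambaNTPassword", "sambaLMPassword")

# Constructed smb.conf: the configuration the poster describes. With
# 'ldap passwd sync = yes' samba writes userPassword AND the NT/LM hashes,
# so a password changed via kpasswd/sssd (which only touches the Kerberos
# and userPassword side) leaves sambaNTPassword stale.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ipa.example.com
    ldap suffix = dc=example,dc=com
    ldap admin dn = uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com
    ldap passwd sync = Yes
"""

# Corrected smb.conf: 'only' makes samba update userPassword alone and
# leaves deriving sambaNTPassword to the directory server.
FIXED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ipa.example.com
    ldap suffix = dc=example,dc=com
    ldap admin dn = uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com
    ldap passwd sync = only
"""


def parse_global(text: str) -> configparser.SectionProxy:
    """smb.conf is INI-like: '#' and ';' comments, case-insensitive keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=("#", ";"),
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp["global"]


def audit(text: str) -> list[str]:
    """Return a list of findings; an empty list means the settings look right."""
    g = parse_global(text)
    findings = []
    sync = g.get("ldap passwd sync", "no").strip().lower()
    if sync != "only":
        findings.append(
            f"ldap passwd sync = {sync!r}: samba will write "
            f"{'/'.join(HASH_ATTRS)} itself; set it to 'only' so the "
            "directory derives the hashes from userPassword")
    admin_dn = g.get("ldap admin dn", "").strip()
    if admin_dn.lower() == "cn=directory manager":
        findings.append("ldap admin dn is cn=Directory Manager: bind as a "
                        "dedicated account restricted by ACIs instead")
    return findings


def deny_hash_write_aci(bind_dn: str) -> str:
    """389-DS ACI: an explicit deny wins over any allow, so even if some
    other ACI grants the bind DN write on the entry, the hash attributes
    stay read-only for it."""
    attrs = " || ".join(HASH_ATTRS)
    return (f'(targetattr = "{attrs}")'
            '(version 3.0; acl "samba bind account may not write password '
            f'hashes"; deny (write) userdn = "ldap:///{bind_dn}";)')


def aci_ldif(suffix: str, bind_dn: str) -> str:
    """LDIF that adds the ACI on the suffix (apply as Directory Manager)."""
    return (f"dn: {suffix}\n"
            "changetype: modify\n"
            "add: aci\n"
            f"aci: {deny_hash_write_aci(bind_dn)}\n")


if __name__ == "__main__":
    bind_dn = "uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com"  # assumed
    for name, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"{name}: {audit(conf) or 'OK'}")
    print(aci_ldif("dc=example,dc=com", bind_dn))
```

Apply the printed LDIF with `ldapmodify -x -D "cn=Directory Manager" -W -f samba-aci.ldif` and confirm the smb.conf change with `testparm -v | grep "ldap passwd sync"`. The ACI is a deny, so it only needs to exist once at the suffix; samba still reads the hashes through whatever read ACI its bind account already has.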