On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> > On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> >> Hello together,
> >> we are running IPA on RHEL6.3 for quite some time.
> >> We are also using IPA to provide the LDAP backend for our samba
> >> configuration.
> >> Normally everything is running quite ok.
> >> But from time to time some people inform me that their samba password is
> >> not in sync with their password in IPA.
> >> Mostly this is working but a few different people are informing me about
> >> that.
> >> So is there a way to "resync" the password to the ones in LDAP
> >> (userPassword, sambaNTPassword)?
> > We do not have code to do that now (although we have some code in 3.0
> > that is capable of doing that so it is technically possible), but this
> > shouldn't happen in the first place.
> > Do you have any information about how the password was changed by these
> > users ?
> They are changing their passwords via ssh, sssd (kpasswd underneath) or
> directly over kpasswd.
> BTW: What would be the recommended way to re change their password
> afterwards again?
Those methods are fine.
Are you sure the affected users didn't change their password via their
Windows clients ? Are their clients joined to the samba domain ?
> > Are you allowing samba to change the password ?
> Probably (ldap passwd sync=Yes). Up to now I recommended to use
> ssh/sssd combination for passwd change to those users.
> > If so are you using the option 'ldap sync only = Only' ? If you do not
> > use this setting that is most likely the problem.
> > If you do then it may be a bug in samba.
> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> ldap sync.
> The only relevant option I've set is ldap passwd sync = Yes.
I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
and the 'only' option. It has been in samba for a long time (I think
> > Have you given samba access for writing to the sambaNTPassword
> > attribute ?
> > (you shouldn't samba should be allowed only to read).
> Not that I know of.
> How can I do this?
You can do it with a custom user and custom ACIs.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list
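The thread's two recommendations are that samba be allowed only to read the NT hash attribute and that smb.conf use `ldap passwd sync = only`, so the directory's own password plugin derives the hashes. The following ACI is an added illustration of the first point (not code from the thread or from FreeIPA); the suffix, container and the `uid=samba` system account DN are assumed placeholders, and the attribute name `sambaLMPassword` is assumed alongside the thread's `sambaNTPassword`.

```ldif
# Assumed example: a dedicated samba bind account that may read, but never
# write, the NT/LM hash attributes under the accounts container.
# 389-DS (the FreeIPA LDAP server) denies any operation no ACI allows, so
# leaving "write" out of the allow list is what keeps samba read-only.
# Before loading this, check that no other ACI already grants write on
# these attributes to the same bind DN; an allow ACI cannot revoke one.
dn: cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "sambaNTPassword || sambaLMPassword")
 (version 3.0; acl "samba service account: read NT/LM hashes only";
 allow (read, search, compare)
 userdn = "ldap:///uid=samba,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

Point `ldap admin dn` in smb.conf at the same `uid=samba` account and set `ldap passwd sync = only`, so a password change goes through the server's password-modify operation and samba never tries to write the hash itself.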