On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
> On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
>> On Mi 10 Okt 2012 17:54:22 CEST, Simo Sorce wrote:
>> They are changing their passwords via ssh, sssd (kpasswd underneath) or
>> directly over kpasswd.
>> BTW: What would be the recommended way to re change their password
>> afterwards again?
> Those methods are fine.
> Are you sure the affected users didn't change their password via their
> Windows clients ? Are their clients joined to the samba domain ?
No they are integrated in the Kerberos Domain of IPA but not joined to 
the samba domain.
>> Probably (ldap passwd sync=Yes). Up to now I recommended to use
>> ssh/sssd combination for passwd change to those users.
>> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
>> ldap sync.
>> The only relevant option I've set is ldap passwd sync = Yes.
> I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync''
> and the 'only' option. It has been in samba for a long time (I think
> since 3.0.x)
Ok. Sorry I'm using
ldap passwd sync=Yes
Is that wrong?
>> Not that I know of.
>> How can I do this?
> You can do it with a custom user and custom ACIs.
Further testing.
I have a user called tuser.
1. Reset the password:
ipaserver1 # ipa passwd tuser
New Password:
Enter New Password again to verify:
Changed password for "tu...@cl.atix"
2. Login to another server via ssh:
$ ssh tuser@methusalix2
tuser@methusalix2's password:
Password expired. Change your password now.
Last login: Thu Oct 11 17:41:47 2012 from
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.
$ ssh tuser@methusalix2
tuser@methusalix2's password:
Permission denied, please try again.
tuser@methusalix2's password:
Last login: Thu Oct 11 17:42:17 2012 from
=> SSH Login works (Kerberos PW is set).
3. Let's browse Samba:
$ smbclient -U tuser -L methusalix2
Enter tuser's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

Any ideas what's going wrong?

Thanks Marc.


Marc Grimme

E-Mail: grimme( at )atix.de

ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 |
85716 Unterschleissheim | www.atix.de | www.comoonics.org

Registergericht: Amtsgericht Muenchen, Registernummer: HRB 168930, 
DE209485962 | Vorstand: Marc Grimme, Mark Hlawatschek, Thomas Merz 
(Vors.) |
Vorsitzender des Aufsichtsrats: Dr. Martin Buss

Freeipa-users mailing list

Reply via email to