On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> >> On Mi 10 Okt 2012 17:54:22 CEST, Simo Sorce wrote:
> >> They are changing their passwords via ssh, sssd (kpasswd underneath) or
> >> directly over kpasswd.
> >>
> >> BTW: What would be the recommended way to re-change their password
> >> afterwards again?
> >
> > Those methods are fine.
> > Are you sure the affected users didn't change their password via their
> > Windows clients ? Are their clients joined to the samba domain ?
> No they are integrated in the Kerberos Domain of IPA but not joined to
> the samba domain.
> >
> >> Probably (ldap passwd sync=Yes). Up to now I recommended to use
> >> ssh/sssd combination for passwd change to those users.
> >>>
> >> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> >> ldap sync.
> >> The only relevant option I've set is ldap passwd sync = Yes.
> >
> > I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
> > and the 'only' option. It has been in samba for a long time (I think
> > since 3.0.x)
> Ok. Sorry I'm using
> ldap passwd sync=Yes
> Is that wrong?

Yes, you should use "ldap passwd sync = only"

> >> Not that I know of.
> >> How can I do this?
> >
> > You can do it with a custom user and custom ACIs.
> >
> Further testing.
> I have a user called tuser.
> 1. Reset the password:
> ipaserver1 # ipa passwd tuser
> New Password:
> Enter New Password again to verify:
> ------------------------------------
> Changed password for "tu...@cl.atix"
> ------------------------------------
> 2. Login to another server via ssh:
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Password expired. Change your password now.
> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Permission denied, please try again.
> tuser@methusalix2's password:
> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> -bash-4.1$
> => SSH Login works (Kerberos PW is set).
> 3. Let's browse Samba:
> $ smbclient -U tuser -L methusalix2
> Enter tuser's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>
> Any ideas what's going wrong?

Uhmm, seems one of the samba attributes has not been properly changed ...
This is IPA on RHEL6.3 ?
Can you check if the user has the attribute sambaPwdMustChange set ?
Apparently the IPA password plugin does not touch it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
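One way to run the check asked for above across several accounts, as an added example that is not part of the original message: it parses LDIF (for instance saved ldapsearch output) and reports whether sambaPwdMustChange is unset, in the past, or in the future. The sample entries, the base DN and the function names are constructed, and it assumes the attribute holds a Unix timestamp, as the Samba LDAP schema describes it.

```python
import time

# Constructed sample LDIF; attribute values and base DN are made up.
SAMPLE_LDIF = """\
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
uid: tuser
sambaPwdLastSet: 1349800000
sambaPwdMustChange: 1349900000

dn: uid=okuser,cn=users,cn=accounts,dc=example,dc=test
uid: okuser
sambaPwdMustChange: 2147483647

dn: uid=nosmb,cn=users,cn=accounts,
 dc=example,dc=test
uid: nosmb
"""

def parse_ldif(text):
    """Return {uid: {attr_lowercase: value}}; base64 ('::') values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold LDIF continuation line
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line.strip():
            if "uid" in current:
                entries[current["uid"]] = current
            current = {}
        elif not line.startswith("#") and ": " in line:
            key, value = line.split(": ", 1)
            current[key.lower()] = value.strip()
    return entries

def must_change_status(entry, now=None):
    """'unset' if the attribute is absent, else 'expired' or 'valid' relative to now."""
    now = int(time.time()) if now is None else now
    raw = entry.get("sambapwdmustchange")
    if raw is None:
        return "unset"
    return "expired" if int(raw) <= now else "valid"

def report(ldif_text, now=None):
    return {uid: must_change_status(e, now) for uid, e in parse_ldif(ldif_text).items()}

if __name__ == "__main__":
    for uid, status in report(SAMPLE_LDIF, now=1349970200).items():
        print(f"{uid}: sambaPwdMustChange {status}")
```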