On 11.10.2012 18:12, Simo Sorce wrote:
> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
>>>
>> No they are integrated in the Kerberos Domain of IPA but not joined to
>> the samba domain.
>>>
>> Ok. Sorry, I'm using ldap passwd sync=Yes. Is that wrong?
> Yes, you should use "ldap passwd sync = only"
Ok, I set it as suggested.
>
>> Further testing.
>> I have a user called tuser.
>> 1. Reset the password:
>> ipaserver1 # ipa passwd tuser
>> New Password:
>> Enter New Password again to verify:
>> ------------------------------------
>> Changed password for "tu...@cl.atix"
>> ------------------------------------
>> 2. Login to another server via ssh:
>> $ ssh tuser@methusalix2
>> tuser@methusalix2's password:
>> Password expired. Change your password now.
>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user tuser.
>> Current Password:
>> New password:
>> Retype new password:
>> passwd: all authentication tokens updated successfully.
>> Connection to methusalix2 closed.
>> $ ssh tuser@methusalix2
>> tuser@methusalix2's password:
>> Permission denied, please try again.
>> tuser@methusalix2's password:
>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>> -bash-4.1$
>> => SSH Login works (Kerberos PW is set).
>> 3. Let's browse Samba:
>> $ smbclient -U tuser -L methusalix2
>> Enter tuser's password:
>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>
>> Any ideas what's going wrong?
> Uhmm, seems one of the samba attributes has not been properly changed ...
Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set (=0). I adapted it on a few users and the problem with the NT_STATUS_PASSWORD_MUST_CHANGE went away.
Still the problem is what happens when they change their password again. It looks like ldap passwd sync=yes should normally keep track of that.
Any ideas how I can get that running?
You also mentioned that one can use ldappasswd to get Samba to change the passwords per user. How should this be done?
passwd program = /usr/bin/ldappasswd ??
>
> This is IPA on RHEL6.3 ?
Yes, RHEL6.3 plain.
>
> Can you check if the user has the attribute sambaPwdMustChange set ?
No, not anywhere. See above (sambaPwdLastSet).
> Apparently the IPA password plugin does not touch it.
No, it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?
>
> Simo.
>
Marc.

-- 
Marc Grimme
E-Mail: grimme( at )atix.de
ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 | 85716 Unterschleissheim | www.atix.de | www.comoonics.org
Commercial register: Amtsgericht Muenchen, registration number: HRB 168930, VAT ID: DE209485962 | Board: Marc Grimme, Mark Hlawatschek, Thomas Merz (Chair) | Chairman of the supervisory board: Dr. Martin Buss

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
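The thread's diagnosis is that the IPA password plugin rewrites the Kerberos and userPassword material but leaves sambaPwdLastSet unset or at 0, so Samba's ldapsam backend answers NT_STATUS_PASSWORD_MUST_CHANGE even though the Kerberos password is fresh. The audit below is an added example, not code from the thread, FreeIPA or Samba: it parses an LDIF dump (such as the output of `ldapsearch -LLL`), flags every sambaSamAccount whose sambaPwdLastSet is missing or 0 or whose sambaPwdMustChange lies in the past (the second rule models the attribute Simo asks about and is an assumption about the Samba version in use), and emits an ldapmodify input that repeats the manual fix Marc describes, setting sambaPwdLastSet to the current epoch. The sample entries, the DN suffix `dc=cl,dc=atix` (derived from the realm `cl.atix` in the `ipa passwd` output) and the uids other than tuser are constructed for the example.

```python
"""Audit Samba password attributes on IPA users and emit a repair LDIF.

Added example; not part of the original thread, FreeIPA or Samba.
Assumed rules (ldapsam behaviour as modelled here, not verified against
a specific Samba release):
  - sambaPwdLastSet missing or 0          -> NT_STATUS_PASSWORD_MUST_CHANGE
  - sambaPwdMustChange present and <= now -> NT_STATUS_PASSWORD_MUST_CHANGE
"""
import base64
import sys
import time

# Constructed sample data (not real directory content). DN suffix and the
# uids healthy/stale/nosamba are assumptions made for the example.
SAMPLE_LDIF = """\
dn: uid=tuser,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixAccount
objectClass: sambaSamAccount
uid: tuser
sambaPwdLastSet: 0

dn: uid=healthy,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixAccount
objectClass: sambaSamAccount
uid: healthy
sambaPwdLastSet: 1349971200

dn: uid=stale,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixAccount
objectClass: sambaSamAccount
uid: stale
sambaPwdLastSet: 1349971200
sambaPwdMustChange: 1349971200

dn: uid=nosamba,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixAccount
uid: nosamba
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts.
    Unfolds continuation lines, skips comments, decodes '::' base64 values."""
    entries, current, lines = [], None, []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith('#'):
            continue
        if not line.strip():                   # blank line closes an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == 'dn':
            current = {}
        if current is not None:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def samba_must_change(entry, now):
    """Reason string if Samba would demand a password change, else None."""
    last_set = entry.get('sambaPwdLastSet', ['0'])[0]
    if not last_set.isdigit() or int(last_set) == 0:
        return 'sambaPwdLastSet missing or 0'
    must = entry.get('sambaPwdMustChange', [None])[0]
    if must is not None and must.isdigit() and int(must) <= now:
        return 'sambaPwdMustChange in the past'
    return None


def audit(ldif_text, now=None):
    """Map dn -> reason for every sambaSamAccount that would be refused."""
    now = int(time.time()) if now is None else now
    flagged = {}
    for e in parse_ldif(ldif_text):
        if 'sambaSamAccount' not in e.get('objectClass', []):
            continue                           # Samba never looks at these
        reason = samba_must_change(e, now)
        if reason:
            flagged[e['dn'][0]] = reason
    return flagged


def repair_ldif(ldif_text, now=None):
    """ldapmodify input: set sambaPwdLastSet=now on flagged entries and drop
    an expired sambaPwdMustChange (assumption: absence means 'never')."""
    now = int(time.time()) if now is None else now
    entries = {e['dn'][0]: e for e in parse_ldif(ldif_text)}
    chunks = []
    for dn, reason in audit(ldif_text, now).items():
        mods = [f'replace: sambaPwdLastSet\nsambaPwdLastSet: {now}']
        if 'sambaPwdMustChange' in entries[dn]:
            mods.append('delete: sambaPwdMustChange')
        chunks.append(f'# {reason}\ndn: {dn}\nchangetype: modify\n'
                      + '\n-\n'.join(mods) + '\n')
    return '\n'.join(chunks)


if __name__ == '__main__':
    # Pipe an ldapsearch -LLL dump in, feed the result to ldapmodify.
    print(repair_ldif(sys.stdin.read()))
```

Run it as `ldapsearch -LLL ... | python audit.py | ldapmodify ...` with the bind options your directory requires; review the emitted LDIF before applying, since it writes an attribute Samba treats as authoritative. Note that this only repairs existing entries; the question raised in the thread, namely who keeps sambaPwdLastSet current after the next `ipa passwd` or `passwd`, still has to be settled on the server side (for instance by the IPA password plugin), and `ldap passwd sync = only`, as Simo recommends, is the smb.conf setting that stops Samba from trying to own the LDAP password itself.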