On 10/12/2012 07:20 AM, Marc Grimme wrote:
> Am 11.10.2012 18:12, schrieb Simo Sorce:
>> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>>> On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
>>> No they are integrated in the Kerberos Domain of IPA but not joined to 
>>> the samba domain.
>>>> Ok. Sorry I'm using ldap passwd sync=Yes Is that wrong? 
>> Yes, you should use "ldap passwd sync = only"
> Ok, I set it as suggested.
>>> Further testing.
>>> I have a user called tuser.
>>> 1. Reset the password:
>>> ipaserver1 # ipa passwd tuser
>>> New Password:
>>> Enter New Password again to verify:
>>> ------------------------------------
>>> Changed password for "tu...@cl.atix"
>>> ------------------------------------
>>> 2. Login to another server via ssh:
>>> $ ssh tuser@methusalix2
>>> tuser@methusalix2's password:
>>> Password expired. Change your password now.
>>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user tuser.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> passwd: all authentication tokens updated successfully.
>>> Connection to methusalix2 closed.
>>> $ ssh tuser@methusalix2
>>> tuser@methusalix2's password:
>>> Permission denied, please try again.
>>> tuser@methusalix2's password:
>>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>>> -bash-4.1$
>>> => SSH Login works (Kerberos PW is set).
>>> 3. Let's browse Samba:
>>> $ smbclient -U tuser -L methusalix2
>>> Enter tuser's password:
>>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>>
>>> Any ideas what's going wrong?
>> Uhmm seem one of the samba attributes has not been properly changed ...
> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
> (=0).
> I adapted it on a few users and the problem with the
> NT_STATUS_PASSWORD_MUST_CHANGE went away.
> Still the problem is what happens when they change their password again.
> It looks like ldap passwd sync=yes should normally keep track of that.
> Any ideas how I can get that running?
>
> You also mentioned that one can use ldappasswd to get Samba to change
> the passwords per user.
> How should this be done?
> passwd program = /usr/bin/ldappasswd ??
>
>> This is IPA on RHEL6.3 ?
> Yes RHEL6.3 plain.
>> Can you check if the use has the attribute sambaPwdMustChange set ?

Should we open a ticket to manage this attribute?

> No not anywhere. See above (sambaPwdLastSet).
>> Apparently the IPA passoword plugin does not touch it.
> No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?
>> Simo.
>>
> Marc.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to