On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
> On 11.10.2012 18:12, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> >> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
> >>>
> >> No they are integrated in the Kerberos Domain of IPA but not joined to
> >> the samba domain.
> >>> Ok. Sorry I'm using ldap passwd sync=Yes Is that wrong?
> > Yes, you should use "ldap passwd sync = only"
> Ok, I set it as suggested.
> >
> >> Further testing.
> >> I have a user called tuser.
> >> 1. Reset the password:
> >> ipaserver1 # ipa passwd tuser
> >> New Password:
> >> Enter New Password again to verify:
> >> ------------------------------------
> >> Changed password for "tu...@cl.atix"
> >> ------------------------------------
> >> 2. Login to another server via ssh:
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Password expired. Change your password now.
> >> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> >> WARNING: Your password has expired.
> >> You must change your password now and login again!
> >> Changing password for user tuser.
> >> Current Password:
> >> New password:
> >> Retype new password:
> >> passwd: all authentication tokens updated successfully.
> >> Connection to methusalix2 closed.
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Permission denied, please try again.
> >> tuser@methusalix2's password:
> >> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> >> -bash-4.1$
> >> => SSH Login works (Kerberos PW is set).
> >> 3. Let's browse Samba:
> >> $ smbclient -U tuser -L methusalix2
> >> Enter tuser's password:
> >> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> >>
> >> Any ideas what's going wrong?
> > Uhmm seem one of the samba attributes has not been properly changed ...
> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
> (=0).
> I adapted it on a few users and the problem with the
> NT_STATUS_PASSWORD_MUST_CHANGE went away.
> Still the problem is what happens when they change their password again.
> It looks like ldap passwd sync=yes should normally keep track of that.
> Any ideas how I can get that running?
As far as I can see our code does set sambaPwdLastSet as well (exactly to
avoid samba complaining about must set).
Can you do a test password change and verify if we always fail to set it ?
And what are the values before/after the attempt (in either case) ?

> You also mentioned that one can use ldappasswd to get Samba to change
> the passwords per user.
> How should this be done?
> passwd program = /usr/bin/ldappasswd ??

Samba uses the ldappasswd control when you set ldap passwd sync = only
Nothing else is required

> >
> > This is IPA on RHEL6.3 ?
> Yes RHEL6.3 plain.
> >
> > Can you check if the user has the attribute sambaPwdMustChange set ?
> No not anywhere. See above (sambaPwdLastSet).

Ok perfect, this means it is not used (as I thought) and was deprecated.
(Dmitri this means we do not need to track)

> > Apparently the IPA password plugin does not touch it.
> No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?

It should and we have code in the 2.2 and 3.0 branches to do it.
I wonder if we have a bug in the RHEL6.3 version, if you can do the test
above we can try to narrow down what's happening.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
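The test Simo asks for (compare sambaPwdLastSet before and after a password change, and explain why Samba answers NT_STATUS_PASSWORD_MUST_CHANGE) can be scripted. The following is an added example written for this thread; it is not code from the thread or from the FreeIPA or Samba projects. It parses two LDIF snapshots of a user entry, which are constructed inline here with a placeholder DN (in practice they would be the output of an ldapsearch for the user taken before and after `ipa passwd`), and reports whether the attribute was updated. It covers both failure modes Marc saw: the attribute missing entirely and the attribute set to 0.

```python
"""Check whether a password change updated sambaPwdLastSet.

Added example for the freeipa-users thread above (not project code).
Samba treats a missing or zero sambaPwdLastSet on a sambaSamAccount as
"password must be changed at next logon", which smbclient reports as
NT_STATUS_PASSWORD_MUST_CHANGE.  Feed two LDIF snapshots of the same
user (before/after the password change) to check_password_change().
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles LDIF line folding (continuation lines start with a space) and
    skips comments and blank lines.  Only plain 'attr: value' lines are
    needed for this check; base64 ('attr:: value') lines are not decoded.
    """
    logical_lines: List[str] = []
    for raw in ldif.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]          # unfold continuation
        else:
            logical_lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in logical_lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def samba_pwd_last_set(entry: Dict[str, List[str]]) -> Optional[int]:
    """Return sambaPwdLastSet as an int (unix epoch seconds), or None if
    the attribute is absent or not numeric."""
    values = entry.get("sambaPwdLastSet")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def samba_would_demand_change(entry: Dict[str, List[str]]) -> bool:
    """True when Samba would answer NT_STATUS_PASSWORD_MUST_CHANGE:
    sambaPwdLastSet missing or 0 (the two cases reported in the thread)."""
    value = samba_pwd_last_set(entry)
    return value is None or value == 0


def check_password_change(before_ldif: str, after_ldif: str) -> dict:
    """Compare sambaPwdLastSet across a password change and build a report.

    'updated' is True only if the attribute now holds a non-zero timestamp
    that is newer than the value seen before the change.
    """
    before = parse_ldif_entry(before_ldif)
    after = parse_ldif_entry(after_ldif)
    b = samba_pwd_last_set(before)
    a = samba_pwd_last_set(after)
    updated = a is not None and a != 0 and (b is None or a > b)
    return {
        "uid": after.get("uid", ["?"])[0],
        "before": b,
        "after": a,
        "after_iso": (datetime.fromtimestamp(a, tz=timezone.utc).isoformat()
                      if a else None),
        "updated": updated,
        "must_change_after": samba_would_demand_change(after),
    }


# Constructed sample snapshots (placeholder DN, not real directory data).
# Case 1: password reset with 'ipa passwd', but sambaPwdLastSet stayed 0.
BEFORE_BROKEN = """\
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
uid: tuser
objectClass: sambaSamAccount
sambaPwdLastSet: 0
"""
AFTER_BROKEN = BEFORE_BROKEN            # plugin did not touch the attribute

# Case 2: the attribute is not present on the entry at all.
AFTER_MISSING = """\
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
uid: tuser
objectClass: sambaSamAccount
"""

# Case 3: the password plugin stamped the change time (2012-10-12 UTC).
AFTER_FIXED = """\
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=test
uid: tuser
objectClass: sambaSamAccount
sambaPwdLastSet: 1350000000
"""

if __name__ == "__main__":
    for label, after in (("zero", AFTER_BROKEN), ("missing", AFTER_MISSING),
                         ("fixed", AFTER_FIXED)):
        print(label, check_password_change(BEFORE_BROKEN, after))
```

To use it against a real deployment, capture the user's entry with ldapsearch (for example `ldapsearch -Y GSSAPI -b <users base DN> uid=tuser sambaPwdLastSet`) once before and once after the password change and pass the two outputs in; a report with `updated: False` after the change is the evidence Simo asked for, and `must_change_after: True` is the condition that produces the smbclient error in the thread.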