On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
> On 11.10.2012 18:12, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> >> On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
> >>>
> >> No they are integrated in the Kerberos Domain of IPA but not joined to 
> >> the samba domain.
> >>> Ok. Sorry I'm using ldap passwd sync=Yes Is that wrong? 
> > Yes, you should use "ldap passwd sync = only"
> Ok, I set it as suggested.
> >
> >> Further testing.
> >> I have a user called tuser.
> >> 1. Reset the password:
> >> ipaserver1 # ipa passwd tuser
> >> New Password:
> >> Enter New Password again to verify:
> >> ------------------------------------
> >> Changed password for "tu...@cl.atix"
> >> ------------------------------------
> >> 2. Login to another server via ssh:
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Password expired. Change your password now.
> >> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> >> WARNING: Your password has expired.
> >> You must change your password now and login again!
> >> Changing password for user tuser.
> >> Current Password:
> >> New password:
> >> Retype new password:
> >> passwd: all authentication tokens updated successfully.
> >> Connection to methusalix2 closed.
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Permission denied, please try again.
> >> tuser@methusalix2's password:
> >> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> >> -bash-4.1$
> >> => SSH Login works (Kerberos PW is set).
> >> 3. Let's browse Samba:
> >> $ smbclient -U tuser -L methusalix2
> >> Enter tuser's password:
> >> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> >>
> >> Any ideas what's going wrong?
> > Uhmm seem one of the samba attributes has not been properly changed ...
> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
> (=0).
> I adapted it on a few users and the problem with the
> NT_STATUS_PASSWORD_MUST_CHANGE went away.
> Still the problem is what happens when they change their password again.
> It looks like ldap passwd sync=yes should normally keep track of that.
> Any ideas how I can get that running?

As far as I can see our code does set sambaPwdLastSet as well (exactly
to avoid samba complaining about must set).

Can you do a test password change and verify if we always fail to set
it? And what are the values before/after the attempt (in either case)?

> You also mentioned that one can use ldappasswd to get Samba to change
> the passwords per user.
> How should this be done?
> passwd program = /usr/bin/ldappasswd ??

Samba uses the ldappasswd control when you set ldap passwd sync = only.
Nothing else is required.

> >
> > This is IPA on RHEL6.3 ?
> Yes RHEL6.3 plain.
> >
> > Can you check if the user has the attribute sambaPwdMustChange set?
> No not anywhere. See above (sambaPwdLastSet).

Ok perfect, this means it is not used (as I thought) and was deprecated.
(Dmitri this means we do not need to track)

> > Apparently the IPA password plugin does not touch it.
> No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?

It should and we have code in the 2.2 and 3.0 branches to do it.
I wonder if we have a bug in the RHEL6.3 version, if you can do the test
above we can try to narrow down what's happening.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
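The before/after check Simo asks for above can be automated once the user entry has been dumped with ldapsearch before and after the `ipa passwd` run. The script below is an added example written for this thread, not code from FreeIPA or Samba: it parses two LDIF snapshots, reads sambaPwdLastSet (Unix epoch seconds; 0 or absent is what makes Samba answer NT_STATUS_PASSWORD_MUST_CHANGE) and krbLastPwdChange (LDAP generalized time), and reports whether the Samba attribute tracked the Kerberos password change. The LDIF entries, the example.com base DN and the timestamp values are constructed for the demonstration.

```python
"""Check whether an IPA password change updated sambaPwdLastSet.

Added example for the thread above; not FreeIPA or Samba code.
Input: LDIF of the user entry captured before and after a password
change, e.g. from `ldapsearch -LLL -b <basedn> uid=tuser`.
Assumed attribute semantics (standard Samba/IPA schema):
  sambaPwdLastSet  - Unix epoch seconds; 0 or missing => must change
  krbLastPwdChange - generalized time, YYYYmmddHHMMSSZ
"""
from datetime import datetime, timezone


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; folded lines are joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # continuation of previous line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def samba_must_change(entry):
    """True if Samba would report NT_STATUS_PASSWORD_MUST_CHANGE for this entry."""
    values = entry.get("sambaPwdLastSet", [])
    return not values or int(values[0]) == 0


def kerberos_change_time(entry):
    """krbLastPwdChange as an aware datetime, or None if the attribute is absent."""
    values = entry.get("krbLastPwdChange")
    if not values:
        return None
    return datetime.strptime(values[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_sync(before, after):
    """Compare two snapshots and say whether the Samba attribute followed Kerberos."""
    krb_changed = kerberos_change_time(before) != kerberos_change_time(after)
    samba_before = before.get("sambaPwdLastSet", ["0"])[0]
    samba_after = after.get("sambaPwdLastSet", ["0"])[0]
    return {
        "kerberos_password_changed": krb_changed,
        "sambaPwdLastSet_before": samba_before,
        "sambaPwdLastSet_after": samba_after,
        "samba_attr_updated": samba_before != samba_after,
        "samba_must_change_after": samba_must_change(after),
        # healthy sync: Kerberos changed, Samba stamp changed, and it is non-zero
        "sync_ok": krb_changed and samba_before != samba_after
                   and not samba_must_change(after),
    }


# Constructed sample snapshots (not real directory data).
BEFORE = """
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
uid: tuser
krbLastPwdChange: 20121011154000Z
sambaPwdLastSet: 0
"""

# Symptom from the thread: Kerberos stamp moved, Samba stamp stayed at 0.
AFTER_UNSYNCED = """
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
uid: tuser
krbLastPwdChange: 20121011154147Z
sambaPwdLastSet: 0
"""

# Expected behaviour: both stamps updated by the password plugin.
AFTER_SYNCED = """
dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
uid: tuser
krbLastPwdChange: 20121011154147Z
sambaPwdLastSet: 1349970107
"""

if __name__ == "__main__":
    base = parse_ldif(BEFORE)
    for label, snapshot in (("unsynced", AFTER_UNSYNCED), ("synced", AFTER_SYNCED)):
        print(label, check_sync(base, parse_ldif(snapshot)))
```

Run it against real dumps by replacing the three constants with the captured LDIF; a result with `kerberos_password_changed` true and `samba_attr_updated` false is the case Simo wants narrowed down, while `samba_must_change_after` true on its own reproduces the smbclient failure shown earlier in the thread.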

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
