On 12.10.2012 16:19, Simo Sorce wrote:
> On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
>> On 11.10.2012 18:12, Simo Sorce wrote:
>>> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>>>> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
>>>> No they are integrated in the Kerberos Domain of IPA but not joined to 
>>>> the samba domain.
>>>>> Ok. Sorry, I'm using ldap passwd sync=Yes. Is that wrong?
>>> Yes, you should use "ldap passwd sync = only"
>> Ok, I set it as suggested.
>>>> Further testing.
>>>> I have a user called tuser.
>>>> 1. Reset the password:
>>>> ipaserver1 # ipa passwd tuser
>>>> New Password:
>>>> Enter New Password again to verify:
>>>> ------------------------------------
>>>> Changed password for "tu...@cl.atix"
>>>> ------------------------------------
>>>> 2. Login to another server via ssh:
>>>> $ ssh tuser@methusalix2
>>>> tuser@methusalix2's password:
>>>> Password expired. Change your password now.
>>>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>>>> WARNING: Your password has expired.
>>>> You must change your password now and login again!
>>>> Changing password for user tuser.
>>>> Current Password:
>>>> New password:
>>>> Retype new password:
>>>> passwd: all authentication tokens updated successfully.
>>>> Connection to methusalix2 closed.
>>>> $ ssh tuser@methusalix2
>>>> tuser@methusalix2's password:
>>>> Permission denied, please try again.
>>>> tuser@methusalix2's password:
>>>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>>>> -bash-4.1$
>>>> => SSH Login works (Kerberos PW is set).
>>>> 3. Let's browse Samba:
>>>> $ smbclient -U tuser -L methusalix2
>>>> Enter tuser's password:
>>>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>>>
>>>> Any ideas what's going wrong?
>>> Uhmm, it seems one of the samba attributes has not been properly changed ...
>> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
>> (=0).
>> I adapted it on a few users and the problem with the
>> NT_STATUS_PASSWORD_MUST_CHANGE went away.
>> Still the problem is what happens when they change their password again.
>> It looks like ldap passwd sync=yes should normally keep track of that.
>> Any ideas how I can get that running?
> As far as I can see our code does set sambaPwdLastSet as well (exactly
> to avoid samba complaining about must set).
>
> Can you do a test password change and verify if we always fail to set
> it? And what are the values before/after the attempt (in either case)?
After switching to
ldap passwd sync = only
I cannot see it changing the values if already set.
But for new users it might not be set, as I have some without these
attributes set.
If I create a new user (say tuser2) as follows:
# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: Test
  Last name: User2
  Full name: Test User2
  Display name: Test User2
  Initials: TU
  Home directory: /home/tuser2
  GECOS field: Test User2
  Login shell: /bin/false
  Kerberos principal: tus...@cl.atix
  UID: 473000074
  GID: 473000074
  Password: False
  Kerberos keys available: False
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

That attribute is not set.
Then I'll set a temporary password:

# ipa passwd tuser2
New Password:
Enter New Password again to verify:
-------------------------------------
Changed password for "tus...@cl.atix"
-------------------------------------

I'll change the temporary password:

$ ssh tuser2@methusalix2
tuser2@methusalix2's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser2.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.

I can login via ssh:
$ ssh  tuser2@methusalix2
tuser2@methusalix2's password:
Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix

And the ldap attribute is still not set:
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

So the access via samba fails:
$ smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

When I fix the attribute manually:
# bash ~/add-sambapwdlastset2user.sh tuser2
Wrong value. Modifying to proper one..
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

I can access samba as follows:
smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Sharename       Type      Comment
..

So the initial setup seems to be the problem, right?

Besides:
It also looks like the Distributed Numeric Assignment Plugin is not
working, as I always have to specify the SID of the user manually:
ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--addattr=sambaSID=S-1-5-21-1310149461-105972258-15305

Although my configuration looks ok, doesn't it?
# ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
Enter LDAP Password:
dn: cn=SambaSid,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-1310149461-105972258-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=atix,dc=cl
cn: SambaSid
dnanextvalue: 15400

Thanks, Marc.
>
>> You also mentioned that one can use ldappasswd to get Samba to change
>> the passwords per user.
>> How should this be done?
>> passwd program = /usr/bin/ldappasswd ??
> Samba uses the ldappasswd control when you set ldap passwd sync = only.
> Nothing else is required.
Ok. That's my understanding as well.
>
>>> This is IPA on RHEL6.3 ?
>> Yes RHEL6.3 plain.
>>> Can you check if the user has the attribute sambaPwdMustChange set?
>> No not anywhere. See above (sambaPwdLastSet).
> Ok, perfect; this means it is not used (as I thought) and was deprecated.
> (Dmitri this means we do not need to track)
>
>>> Apparently the IPA password plugin does not touch it.
>> No, it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?
> It should and we have code in the 2.2 and 3.0 branches to do it.
> I wonder if we have a bug in the RHEL6.3 version, if you can do the test
> above we can try to narrow down what's happening.
>
> Simo.
>


-- 

Marc Grimme

Tel: +49 (0)89 452 35 38-140
Fax: +49 (0)89 452 35 38-290 
E-Mail: gri...@atix.de

ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 |
85716 Unterschleissheim | www.atix.de | www.comoonics.org

Registergericht: Amtsgericht Muenchen, Registernummer: HRB 168930, USt.-Id.: 
DE209485962 | Vorstand: Marc Grimme, Mark Hlawatschek, Thomas Merz (Vors.) |
Vorsitzender des Aufsichtsrats: Dr. Martin Buss
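The thread refers to a helper script (add-sambapwdlastset2user.sh) that it does not show. As an added example, not Marc's script or anything from FreeIPA or Samba, the following sketch does the same kind of repair: it reads a user's sambaPwdLastSet, and if the attribute is missing or 0 (which Samba reports as NT_STATUS_PASSWORD_MUST_CHANGE) it replaces it with the current epoch time. It assumes the base DN from the thread and a valid Kerberos ticket for an account allowed to modify the entry (GSSAPI bind, as in the quoted script output).

```shell
# Added example; assumes the IPA user container from the thread and a
# Kerberos ticket (kinit admin) so ldapsearch/ldapmodify can bind via GSSAPI.
set -eu

BASE="cn=users,cn=accounts,dc=cl,dc=atix"   # user container seen in the thread

# Read LDIF on stdin; succeed (0) when sambaPwdLastSet is absent or 0,
# i.e. exactly the state that makes Samba demand a password change.
needs_fix() {
    value=$(sed -n 's/^sambaPwdLastSet: *//p' | head -n 1)
    [ -z "$value" ] || [ "$value" = "0" ]
}

# Emit the ldapmodify LDIF that sets sambaPwdLastSet of user $1 to epoch $2.
modify_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: %s\n' \
        "$1" "$BASE" "$2"
}

# Look the user up and repair the attribute only when the lookup succeeded
# and the value is unusable; a failed search must not trigger a modify.
fix_user() {
    uid=$1
    if ! ldif=$(ldapsearch -LLL -Y GSSAPI -b "uid=$uid,$BASE" sambaPwdLastSet 2>/dev/null); then
        echo "ldapsearch failed for $uid (no such user or no ticket?)" >&2
        return 1
    fi
    if printf '%s\n' "$ldif" | needs_fix; then
        echo "Wrong value. Modifying to proper one.."
        modify_ldif "$uid" "$(date +%s)" | ldapmodify -Y GSSAPI
    else
        echo "sambaPwdLastSet already set for $uid"
    fi
}

# Usage: sh fix-sambapwdlastset.sh tuser2   (hypothetical file name)
if [ $# -gt 0 ]; then
    fix_user "$1"
fi
```

Keeping the value in sync on later password changes is what the `ldap passwd sync` setting and the IPA password plugin are responsible for; this only repairs entries that were created without it, as happened for the new user in the thread.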
