On 15.10.2012 15:50, Simo Sorce wrote:
> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>> On 14.10.2012 23:14, Simo Sorce wrote:
>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>> What about sambaPwdLastSet ?
>> Not set when a user is created new.
> It should be set when you give the user a password as long as the
> sambaSamAccount objectclass is added to the user.
>
>> When I change the password:
>> sambaPwdLastSet: 0
> If this is when you set the password as an admin, it is expected.
Ok, understood. But it should change when the user resets his/her password, right? And that is not happening.
When the user sets his/her password the sambaPwdLastSet stays untouched.
>
>> Not working with samba!
>> Need to apply my script (see below).
> Let me ask one thing, are you changing the password as a user ?
> Or have you tested only setting the password as admin ?
I set the initial password as admin. Then the user logs in to a server (sssd, ssh, ipa-member) and is requested to change his/her password. This works but the sambaPwdLastSet stays untouched.
>
> If the latter this applies:
> http://www.freeipa.org/page/NewPasswordsExpired
Checked it. But that was my understanding nevertheless.
>
> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>
>
> Simo.
>
# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: Test
  Last name: User2
  Full name: Test User2
  Display name: Test User2
  Initials: TU
  Home directory: /home/tuser2
  GECOS field: Test User2
  Login shell: /bin/false
  Kerberos principal: tus...@cl.atix
  UID: 473000078
  GID: 473000078
  Password: False
  Kerberos keys available: False

# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" sambaSID
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-xx-xx-xx-assign

The following objectclasses are being set when creating a new user:

# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" objectClass
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: sambaSAMAccount
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry

Thanks for your help
Marc.

-- 
Marc Grimme
E-Mail: grimme( at )atix.de
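
An offline check for the state discussed in this thread, as an added example that is not part of the original mail or of FreeIPA: it parses `ldapsearch -LLL` output and reports, per entry carrying the sambaSAMAccount objectclass, whether sambaPwdLastSet is absent, 0 or set. The sample LDIF, the tuser1 and tuser3 entries, the timestamp and the function names are constructed for illustration.

```python
# Added example, not from the thread. Constructed sample: tuser1/tuser3 are hypothetical.
SAMPLE_LDIF = """\
dn: uid=tuser1,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: sambaSAMAccount
sambaPwdLastSet: 0

dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: sambaSamAccount
sambaSID: S-1-5-21-xx-xx-xx-
 assign

dn: uid=tuser3,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: sambaSAMAccount
sambaPwdLastSet: 1350309000
"""

def parse_ldif(text):
    """Return entries as dicts: lowercased attribute name -> list of values."""
    entries, current = [], {}
    # ldapsearch folds long lines; a continuation line starts with one space.
    unfolded = text.replace("\n ", "")
    for line in unfolded.splitlines() + [""]:
        if not line.strip():              # a blank line ends the entry
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue                      # comments and non-attribute lines
        attr = attr.strip().lower()
        if attr == "dn":
            current = {}                  # drop SASL chatter printed before the entry
        current.setdefault(attr, []).append(value.strip())
    return entries                        # base64 ("attr::") values are not decoded

def samba_pwd_state(entry):
    # Attribute names and objectClass values are case-insensitive in LDAP.
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return "not-samba"
    values = entry.get("sambapwdlastset")
    if not values:
        return "unset"                    # attribute absent, as for the new user above
    return "zero" if values[0] == "0" else "set"

def audit(text):
    return {e["dn"][0]: samba_pwd_state(e) for e in parse_ldif(text)}
```

Calling `audit()` on the saved output of an `ldapsearch -LLL ... objectClass sambaPwdLastSet` query, taken before and after a user-initiated password change, shows whether the value moved out of the "unset" or "zero" state.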