On 10/16/2012 05:21 AM, Simo Sorce wrote:
On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
On 15.10.2012 15:50, Simo Sorce wrote:
On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
On 14.10.2012 23:14, Simo Sorce wrote:
On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
Right I am ok with sambaPwdMustChange not being set. That's all good.
What about sambaPwdLastSet ?
Not set when a user is created new.
It should be set when you give the user a password as long as the
sambaSamAccount objectclass is added to the user.

When I change the password:
sambaPwdLastSet: 0
If this is when you set the password as an admin, it is expected.
Ok, understood. But it should change when the user resets his/her
password, right?
And that is not happening.
When the user sets his/her password the sambaPwdLastSet stays untouched.
That's odd, how does the user change the password ?

Not working with samba!
Need to apply my script (see below).
Let me ask one thing, are you changing the password as a user ?
Or have you tested only setting the password as admin ?
I set the initial password as admin.
Then the user logs in to a server (sssd, ssh, ipa-member) and is
requested to change his/her password. This works but the sambaPwdLastSet
stays untouched.
Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?

If the latter this applies:
http://www.freeipa.org/page/NewPasswordsExpired
Checked it. But that was my understanding nevertheless.
I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign


Simo.

# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
-------------------
Added user "tuser2"
-------------------
   User login: tuser2
   First name: Test
   Last name: User2
   Full name: Test User2
   Display name: Test User2
   Initials: TU
   Home directory: /home/tuser2
   GECOS field: Test User2
   Login shell: /bin/false
   Kerberos principal: tus...@cl.atix
   UID: 473000078
   GID: 473000078
   Password: False
   Kerberos keys available: False
# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" sambaSID
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-xx-xx-xx-assign

The following objectclasses are being set when creating a new user:
# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" objectClass
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: sambaSAMAccount
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry

Thanks for your help
Seems like a DNA bug ... then,

Nathan do you have any idea ?
What DNA configuration is used?

-NGK

