Zach Musselman wrote:
> My company is having issues with our current install of IPA on RHEL 6.4.
>
> ** We had group patches that worked with IPA 2.2.0 and allowed us to
> enter samba groups directly in the IPA web interface. Red Hat is unable
> to confirm these patches are updated for IPA 3.0 RHEL 6.4 even though
> their Red Hat consultant created these a year ago.

I'm not clear what you mean by updated for IPA 3.0. Are you asking the
patches to be rebased?
It is also unclear if things were working properly with 2.2.0 and broke
with 3.0, or if these things never worked, or something else.

> ** IPA password policy (history, length, complexity, etc.) enforcement
> Our current versions are not allowing the IPA password policy to work
> with Samba. My Windows users are able to change their password either
> MANUALLY or WHEN FORCED to reset via the IPA interface. However, none of
> the password history, length, complexity and so on are enforced with
> Samba and users are able to either keep the same password or change it
> to anything they want without restrictions.

Can you be more specific about where the password changes are happening?
What do you mean by manually? Changing it via the UI should apply password
policy because that is really independent of any Samba changes that have

> ** Samba password change also changing correctly the IPA expiration date
> so IPA can successfully reset the (sambaPwdLastSet: 0) value upon 90
> days since last password change
> If we manually run ldapmodify and change the value of sambaPwdLastSet to
> equal 0, this correctly forces the end user to change their password in
>
> The issue though is their IPA password expiration date listed in the
> interface isn't correctly showing the amount of days to expire NEXT. I
> have a test user that has a password policy of 1 day expiration. I
> would expect this user to show an expiration date of the next day after
> password change but for some reason it always keeps showing about 90
> days out, which is my default policy for all users.
>
> I need to be able to test that IPA is correctly expiring the password
> after 1 day so that I know in 90 days my other users will receive the
>
> For most of this year password expiration was not working and IPA is
> showing a password expiration of months ago when their password should
> have expired (samba never prompted for this change). Since we updated
> to IPA 3.0, I'm hoping that when I reset their sambaPwdLastSet to 0 that
> IPA will start enforcing a 90 day expiration again.

I don't really know much about how Windows/Samba does password
expiration, but IPA has no process to look at the last set date, compare
that to the policy, and reset sambaPwdLastSet. Is that what you're

> Any help you can provide on these issues would be greatly appreciated!
> Also, what would you recommend for future IPA versions and Samba? Will
> RHEL 6.5 include a newer version of IPA that will work and integrate
> better with Samba? Or should we start looking at other options that
> integrate our password features more as they are needed, like Samba 4?

There are no Samba integration changes made that I know of.