Resending it to the right list. :) Not my evening. On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
> On Tue, 28 Apr 2015, Christopher Lamb wrote:
>> Hi All
>>
>> I wish to pick your brains on the attribute sambaPwdLastSet.
>>
>> We have a newly set up FreeIPA 4.1.0, with users and groups migrated from an old 3.0.0 instance. We are also running Samba to share files to Windows and OSX users. This means that all the FreeIPA user accounts have the attribute sambaPwdLastSet. If this has the value 0, our users cannot map Samba shares, so we need to make sure the value is a positive integer.
>>
>> In an attempt to do this, I modified user.py, adding the attribute to the takes_params for the class user as follows:
>>
>>     class user(LDAPObject):
>>         . . .
>>         takes_params = (
>>             . . .
>>             Int('sambapwdlastset?',
>>                 label=_('sambaPwdLastSet'),
>>                 doc=_('Date as an integer when the samba password was last set'),
>>                 default=1,
>>                 autofill=True,
>>             ),
>>             . . .
>>
>> This works fine if I create a user via the CLI. However, if I create a user via the Web UI, or use the Web UI to reset a user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>> So what scripts do I need to change to make sure the Web UI sets sambaPwdLastSet to a positive value? (I don't want to run ldapmodify scripts, or have to use Apache Directory Studio to hack the db..)
>>
>> Or is there an altogether better approach to handling this field?
>
> Yes, there is. Given that you are running FreeIPA 4.1, you now can use SSSD as your libwbclient provider to be able to run Samba on an IPA client against the IPA database. There will be no dependency on sambaPwdLastSet anymore. See
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
> This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA client. It does not work though with non-Kerberos (NTLM) logins.
>
> However, if you insist on using the sambaPwdLastSet attribute, then the user password change rule applies:
>
> - if admin changes user password, sambaPwdLastSet is cleared to 0 to force users to change their passwords also via Samba
> - if user changes the password him/herself, sambaPwdLastSet is set to the current time (i.e. not 0)
>
> This really goes into enforcing privacy of user passwords -- if admins change user passwords, the password is not really secret anymore and cannot be considered secure, so it is only used once.
>
> See also https://www.freeipa.org/page/Self-Service_Password_Reset and https://www.freeipa.org/page/New_Passwords_Expired
>
> --
> / Alexander Bokovoy
--
/ Alexander Bokovoy
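As an added example (not code from the thread or from FreeIPA), a small Python check an admin could run over an `ldapsearch` LDIF export to list accounts whose sambaPwdLastSet is 0 (cleared by an admin-initiated reset, per the rule above) or absent, i.e. the accounts that will fail to map Samba shares until the user changes their own password. The LDIF below is constructed sample data with made-up DNs and uids.

```python
import base64

# Constructed sample LDIF in `ldapsearch -LLL` style; DNs, uids and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
sambaPwdLastSet: 1430000000

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
sambaPwdLastSet: 0

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
sambaPwdLastSet:: MA==

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines joined, 'attr::' base64-decoded."""
    unfolded = text.replace("\n ", "")  # a newline plus one space continues the previous line
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in filter(None, block.splitlines()):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>' form (e.g. MA== is "0")
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def samba_blocked_users(text):
    """Return {uid: reason} for accounts that cannot map Samba shares right now."""
    blocked = {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", ["?"])[0]
        values = entry.get("sambapwdlastset")
        if not values:
            blocked[uid] = "sambaPwdLastSet missing"
        elif int(values[0]) <= 0:  # 0 = admin reset the password; user must change it
            blocked[uid] = "sambaPwdLastSet is 0; user must change own password"
    return blocked
```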
