Resending it to the right list. :) Not my evening.

On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
On Tue, 28 Apr 2015, Christopher Lamb wrote:

Hi All

I wish to pick your brains on the attribute sambaPwdLastSet

We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
old 3.0.0 instance.

We are also running Samba to share files to Windows and OSX users. This
means that all the FreeIPA user accounts have the attribute

If this has the value 0, our users cannot map Samba shares, so we need to
make sure the value is a positive integer.

In an attempt to do this, I modified, adding the attribute to the
takes_params for the class user as follows:

class user(LDAPObject):
 . . .
 takes_params = (
        . . .
          doc=_('Date as an integer when the samba password was last set'
      . . .

This works fine if I create a user via the CLI.

However if I create a user via the Web UI, or use the Web UI to reset a
user's password, then the attribute sambaPwdLastSet is set to zero.

So what scripts do I need to change to make sure the Web UI sets
sambaPwdLast Set to a positive value? (I don't want to run ldapmodify
scripts, or have to use Apache Directory Studio to hack the db..)

Or is there an altogether better approach to handling this field?
Yes, there is.

Given that you are running FreeIPA 4.1, you now can use SSSD as your
libwbclient provider to be able to run Samba on IPA client against IPA
database. There will be no dependency on sambaPwdLastSet anymore.


This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA
client. It does not work though with non-Kerberos (NTLM) logins.

However, if you insist on using sambaPwdLastSet attribute, then user
password change rule is applying:

- if admin changes user password, sambaPwdLastSet is cleared to 0 to
 force users to change their passwords also via Samba

If user changes the password him/herself, sambaPwdLastSet is set to the
current time (i.e. not 0).

This really goes into enforcing privacy of user passwords -- if admins
change user passwords, the password is not really secret anymore and
cannot be considered secure, so it is only used once.

See also and

/ Alexander Bokovoy

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to