Hi Alexander

This issue got overtaken by others, and slipped off my radar for a bit...

While the solution suggested earlier in this thread at
sounds interesting (and we are running the correct versions of OEL 7.1 and
SSSD), it seems to require the Windows clients to be members of an Active
Diretory trusted by IPA.

Unfortunately there is no AD in our architecture - our Windows and OSX
clients are effectively islands. That would seem to leave us stuck with

After a user has had his password reset via the IPA WebUi to a temporary
value, the user then logs on using the temporary password, and is asked to
enter a new password. At his point sambaPwdLastSet should be set to a
positive value. However our testing indicates that it is not. We have tried
3 techniques:

1) User connects to LDAP server via remote ssh.

2) kinit <user>

3) su - <user> over an existing ssh session with another user (e.g. mine)

In all three cases the user is able to set their password, but
sambaPwdLastSet remains set to 0.

As a workaround we use Apache Directory Studio to manually set
sambaPwdLastSet once the user has changed his password.


From:   Alexander Bokovoy <aboko...@redhat.com>
To:     Christopher Lamb/Switzerland/IBM@IBMCH
Date:   28.04.2015 20:37
Subject:        Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

On Tue, 28 Apr 2015, Christopher Lamb wrote:
>Hi Alexander
>one of those days?
>I have just snapshotted the VM running FreeIPA, and will give your
>suggestion a whirl, and then report back to the list.
>I am running both FreeIPA and Samba on the same VM, which should make
>things easier.
>All the bits required are either already installed or in the yum repo, so
>am ready to go...
Here is the problem. In the case of Samba running on IPA master you
really really want to use freeipa-server-trust-ad (or
ipa-server-trust-ad in RHEL/CentOS) package and use ipa-adtrust-install
to configure it.

We have done a lot of work to make sure IPA masters can work as 'AD DCs'
of sorts for cross-forest trusts to Active Directory. Part of it
includes specialized PDB module (ipasam) and appropriate management
around it. The solution about using SSSD libwbclient parts is built
around that too -- you are expected to configure your IPA masters with
ipa-adtrust-install and then run Samba file server on an IPA client with

If you want to have shares on IPA master directly, all you need to do is
to run ipa-adtrust-install to configure Samba and then use 'net conf
addshare' to configure shares. Using 'net conf' is a key here because we
use registry to store smb.conf and things in /etc/samba/smb.conf will be

See https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for examples.

>Must get off the train now ...
>From:           Alexander Bokovoy <aboko...@redhat.com>
>To:             Christopher Lamb/Switzerland/IBM@IBMCH
>Cc:             freeipa-users@redhat.com
>Date:           28.04.2015 20:11
>Subject:                Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>Resending it to the right list. :) Not my evening.
>On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>>Hi All
>>>I wish to pick your brains on the attribute sambaPwdLastSet
>>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from
>>>old 3.0.0 instance.
>>>We are also running Samba to share files to Windows and OSX users. This
>>>means that all the FreeIPA user accounts have the attribute
>>>If this has the value 0, our users cannot map Samba shares, so we need
>>>make sure the value is a positive integer.
>>>In an attempt to do this, I modified user.py, adding the attribute to
>>>takes_params for the class user as follows:
>>>class user(LDAPObject):
>>>  . . .
>>>  takes_params = (
>>>                               . . .
>>>                                  Int('sambapwdlastset?',
>>>           label=_('sambaPwdLastSet'),
>>>           doc=_('Date as an integer when the samba password was last
>>>           default=1,
>>>           autofill=True,
>>>       ),
>>>       . . .
>>>This works fine if I create a user via the CLI.
>>>However if I create a user via the Web UI, or use the Web UI to reset a
>>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>>So what scripts do I need to change to make sure the Web UI sets
>>>sambaPwdLast Set to a positive value? (I don't want to run ldapmodify
>>>scripts, or have to use Apache Directory Studio to hack the db..)
>>>Or is there an altogether better approach to handling this field?
>>Yes, there is.
>>Given that you are running FreeIPA 4.1, you now can use SSSD as your
>>libwbclient provider to be able to run Samba on IPA client against IPA
>>database. There will be no dependency on sambaPwdLastSet anymore.
>>This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA
>>client. It does not work though with non-Kerberos (NTLM) logins.
>>However, if you insist on using sambaPwdLastSet attribute, then user
>>password change rule is applying:
>>- if admin changes user password, sambaPwdLastSet is cleared to 0 to
>>  force users to change their passwords also via Samba
>>If user changes the password him/herself, sambaPwdLastSet is set to the
>>current time (i.e. not 0).
>>This really goes into enforcing privacy of user passwords -- if admins
>>change user passwords, the password is not really secret anymore and
>>cannot be considered secure, so it is only used once.
>>See also https://www.freeipa.org/page/Self-Service_Password_Reset and
>>/ Alexander Bokovoy
>/ Alexander Bokovoy

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to