On Mon, 20 Jul 2015, Rob Crittenden wrote:
Christopher Lamb wrote:
Hi Alexander

This issue got overtaken by others, and slipped off my radar for a bit...

While the solution suggested earlier in this thread at
sounds interesting (and we are running the correct versions of OEL 7.1 and
SSSD), it seems to require the Windows clients to be members of an Active
Directory trusted by IPA.

Unfortunately there is no AD in our architecture - our Windows and OSX
clients are effectively islands. That would seem to leave us stuck with

After a user has had his password reset via the IPA WebUI to a temporary
value, the user then logs on using the temporary password, and is asked to
enter a new password. At this point sambaPwdLastSet should be set to a
positive value. However our testing indicates that it is not. We have tried
3 techniques:

1) User connects to LDAP server via remote ssh.

2) kinit <user>

3) su - <user> over an existing ssh session with another user (e.g. mine)

In all three cases the user is able to set their password, but
sambaPwdLastSet remains set to 0.

As a workaround we use Apache Directory Studio to manually set
sambaPwdLastSet once the user has changed his password.


AFAICT the user needs the sambaSamAccount objectclass in order for this to work. Is that the case?

Yes, exactly.

This object class is not used by IPA integration with Samba, so we don't
give it to users by default. The code in IPA password plugin checks if
there is an object class named SambaSamAccount on the user entry and
then manipulates sambaPwdLastSet as required.

/ Alexander Bokovoy
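
A way to tell which of the two situations described in this thread applies to each account, as an added example that is not part of the original messages and is not FreeIPA code: it parses LDIF text (for instance saved `ldapsearch` output) and reports whether an entry lacks the sambaSamAccount object class or has it with sambaPwdLastSet still 0. The sample entries, the DNs and the state labels are constructed for illustration.

```python
import base64
import re

# Constructed sample of LDIF output; the DNs and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: SambaSamAccount
sambaPwdLastSet: 0

dn: uid=bob,cn=users,cn=accounts,dc=example,
 dc=test
objectClass: posixAccount
sambaPwdLastSet: 0

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
objectClass: sambaSamAccount
sambaPwdLastSet: 1437350400
"""

def parse_ldif(text):
    unfolded = re.sub(r"\r?\n ", "", text)        # join folded continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):  # blank line separates entries
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):             # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def classify(entry):
    # Object class names are case-insensitive in LDAP, so compare lowercased.
    if "sambasamaccount" not in {c.lower() for c in entry.get("objectclass", [])}:
        return "missing-objectclass"
    values = entry.get("sambapwdlastset", [])
    if not values:
        return "pwdlastset-absent"
    return "pwdlastset-zero" if int(values[0]) == 0 else "ok"

def audit(text):
    return {e["dn"][0]: classify(e) for e in parse_ldif(text) if "dn" in e}
```

Calling `audit()` on the LDIF text returns a mapping from DN to one of the four state labels.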
