Hi Rob

The users do have the sambaSamAccount ObjectClass.

Or to be more precise, some have sambasamaccount (all lower case), and some
have sambaSAMAccount (mixed case)

Are objectclasses case sensitive?


From:   Rob Crittenden <rcrit...@redhat.com>
To:     Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy
Cc:     freeipa-users@redhat.com
Date:   20.07.2015 15:47
Subject:        Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

Christopher Lamb wrote:
> Hi Alexander
> This issue got overtaken by others, and slipped off my radar for a bit...
> While the solution suggested earlier in this thread at
> sounds interesting (and we are running the correct versions of OEL 7.1
> SSSD), it seems to require the Windows clients to be members of an Active
> Directory trusted by IPA.
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
> After a user has had his password reset via the IPA WebUi to a temporary
> value, the user then logs on using the temporary password, and is asked
> to enter a new password. At this point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have
> 3 techniques:
> 1) User connects to LDAP server via remote ssh.
> 2) kinit <user>
> 3) su - <user> over an existing ssh session with another user (e.g. mine)
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this
to work. Is that the case?

