Hi Rob

The users do have the sambaSamAccount ObjectClass.

Or to be more precise, some have sambasamaccount (all lower case), and some
have sambaSAMAccount (mixed case)

Are objectclasses case sensitive?

Chris



From:   Rob Crittenden <rcrit...@redhat.com>
To:     Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy
            <aboko...@redhat.com>
Cc:     freeipa-users@redhat.com
Date:   20.07.2015 15:47
Subject:        Re: [Freeipa-users] FreeIPA and sambaPwdLastSet



Christopher Lamb wrote:
> Hi Alexander
>
> This issue got overtaken by others, and slipped off my radar for a bit...
>
> While the solution suggested earlier in this thread at
>
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> sounds interesting (and we are running the correct versions of OEL 7.1
and
> SSSD), it seems to require the Windows clients to be members of an Active
> Diretory trusted by IPA.
>
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
>
> After a user has had his password reset via the IPA WebUi to a temporary
> value, the user then logs on using the temporary password, and is asked
to
> enter a new password. At his point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have
tried
> 3 techniques:
>
> 1) User connects to LDAP server via remote ssh.
>
> 2) kinit <user>
>
> 3) su - <user> over an existing ssh session with another user (e.g. mine)
>
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
>
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
>
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this
to work. Is that the case?

rob




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to