having done some more experimentation with creating users, changing
passwords, and the attribute sambaPwdLast set, it is time to reactivate
this old thread.

I have a newly setup FreeIPA 4.1 Server configured with the "good old"
Samba schema extensions for FreeIPA.

I have established the following:

1) user created via CLI with no initial password given:

# ipa user-add usr1--first=Aunt --last=Agatha
# ipa group-add-member smbgrp --users=usr1

--> The user has neither the smbPwdLastSet nor sambaNTPassword attributes

--> NOT OK

2) Now set an initial pwd for the same user

# ipa user-mod usr1 --password

--> The user has sambaNTPassword, but NOT smbPwdLastSet

3) user created via CLI with  initial password given:

# ipa user-add usr2--first=Bertie --last=Wooster
# ipa group-add-member smbgrp --users=usr2

--> The user has both the smbPwdLastSet nor sambaNTPassword attributes.

smbPwdLastSet = 0 --> OK

4) Now let usr2 set his real password:

# su usr2
# kinit usr2

--> The user has both the smbPwdLastSet nor sambaNTPassword attributes.

smbPwdLastSet remains = 0 --> NOT OK, smbPwdLastSet should now be a

positive number!

At this stage usr2 cannot access Samba shares. Of course, I can use an LDAP

browser or CLI commands to set smbPwdLastSet=1, but that is easily


The next test (result still open) is to set what happens with smbPwdLastSet

on password expiry. To do this I have created a fast expiring password

group policy, added usr2 to that group, and then let usr2 change his

password to ensure the new policy is active.

# ipa group-add fastexpire --desc="group with a fast expiring pwd policy"
# ipa group-add-member fastexpire --users=usr2
# ipa pwpolicy-add fastexpire --minlife=0 --maxlife=1 --history=1
# su usr2
# ipa user-mod usr2 --password

Results of this test tomorrow ....


From:   Alexander Bokovoy <aboko...@redhat.com>
To:     Rob Crittenden <rcrit...@redhat.com>
Cc:     Christopher Lamb/Switzerland/IBM@IBMCH,
Date:   20.07.2015 15:52
Subject:        Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

On Mon, 20 Jul 2015, Rob Crittenden wrote:
>Christopher Lamb wrote:
>>Hi Alexander
>>This issue got overtaken by others, and slipped off my radar for a bit...
>>While the solution suggested earlier in this thread at
>>sounds interesting (and we are running the correct versions of OEL 7.1
>>SSSD), it seems to require the Windows clients to be members of an Active
>>Diretory trusted by IPA.
>>Unfortunately there is no AD in our architecture - our Windows and OSX
>>clients are effectively islands. That would seem to leave us stuck with
>>After a user has had his password reset via the IPA WebUi to a temporary
>>value, the user then logs on using the temporary password, and is asked
>>enter a new password. At his point sambaPwdLastSet should be set to a
>>positive value. However our testing indicates that it is not. We have
>>3 techniques:
>>1) User connects to LDAP server via remote ssh.
>>2) kinit <user>
>>3) su - <user> over an existing ssh session with another user (e.g. mine)
>>In all three cases the user is able to set their password, but
>>sambaPwdLastSet remains set to 0.
>>As a workaround we use Apache Directory Studio to manually set
>>sambaPwdLastSet once the user has changed his password.
>AFAICT the user needs the sambaSamAccount objectclass in order for
>this to work. Is that the case?
Yes, exactly.

This object class is not used by IPA integration with Samba, so we don't
give it to users by default. The code in IPA password plugin checks if
there is an object class named SambaSamAccount on the user entry and
then manipulates sambaPwdLastSet as required.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to