Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Hi

Having done some more experimentation with creating users, changing passwords, and the attribute sambaPwdLastSet, it is time to reactivate this old thread.

I have a newly setup FreeIPA 4.1 Server configured with the "good old" Samba schema extensions for FreeIPA. I have established the following:

1) user created via CLI with no initial password given:

# ipa user-add usr1 --first=Aunt --last=Agatha
# ipa group-add-member smbgrp --users=usr1

--> The user has neither the smbPwdLastSet nor sambaNTPassword attributes --> NOT OK

2) Now set an initial pwd for the same user

# ipa user-mod usr1 --password

--> The user has sambaNTPassword, but NOT smbPwdLastSet

3) user created via CLI with initial password given:

# ipa user-add usr2 --first=Bertie --last=Wooster
# ipa group-add-member smbgrp --users=usr2

--> The user has both the smbPwdLastSet and sambaNTPassword attributes. smbPwdLastSet = 0 --> OK

4) Now let usr2 set his real password:

# su usr2
# kinit usr2

--> The user has both the smbPwdLastSet and sambaNTPassword attributes. smbPwdLastSet remains = 0 --> NOT OK, smbPwdLastSet should now be a positive number!

At this stage usr2 cannot access Samba shares. Of course, I can use an LDAP browser or CLI commands to set smbPwdLastSet=1, but that is easily forgotten.

The next test (result still open) is to see what happens with smbPwdLastSet on password expiry. To do this I have created a fast expiring password group policy, added usr2 to that group, and then let usr2 change his password to ensure the new policy is active.

# ipa group-add fastexpire --desc="group with a fast expiring pwd policy"
# ipa group-add-member fastexpire --users=usr2
# ipa pwpolicy-add fastexpire --minlife=0 --maxlife=1 --history=1 --priority=1
# su usr2
# ipa user-mod usr2 --password

Results of this test tomorrow

Chris

From: Alexander Bokovoy
To: Rob Crittenden
Cc: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 20.07.2015 15:52
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

On Mon, 20 Jul 2015, Rob Crittenden wrote:
>Christopher Lamb wrote:
>>Hi Alexander
>>
>>This issue got overtaken by others, and slipped off my radar for a bit...
>>
>>While the solution suggested earlier in this thread at
>>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>sounds interesting (and we are running the correct versions of OEL 7.1 and
>>SSSD), it seems to require the Windows clients to be members of an Active
>>Directory trusted by IPA.
>>
>>Unfortunately there is no AD in our architecture - our Windows and OSX
>>clients are effectively islands. That would seem to leave us stuck with
>>sambaPwdLastSet.
>>
>>After a user has had his password reset via the IPA WebUI to a temporary
>>value, the user then logs on using the temporary password, and is asked to
>>enter a new password. At this point sambaPwdLastSet should be set to a
>>positive value. However our testing indicates that it is not. We have tried
>>3 techniques:
>>
>>1) User connects to LDAP server via remote ssh.
>>
>>2) kinit
>>
>>3) su - over an existing ssh session with another user (e.g. mine)
>>
>>In all three cases the user is able to set their password, but
>>sambaPwdLastSet remains set to 0.
>>
>>As a workaround we use Apache Directory Studio to manually set
>>sambaPwdLastSet once the user has changed his password.
>>
>>Chris
>
>AFAICT the user needs the sambaSamAccount objectclass in order for
>this to work. Is that the case?

Yes, exactly.

This object class is not used by IPA integration with Samba, so we don't give it to users by default. The code in IPA password plugin checks if there is an object class named SambaSamAccount on the user entry and then manipulates sambaPwdLastSet as required.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambaSamAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambaSAMAccount)(uid=bilbo))"

and

ldapsearch -x -h localhost -p 389 -b "dc=my,dc=silly,dc=example,dc=com" "(&(objectClass=sambasamaccount)(uid=bilbo))"

all give me a result, indicating case is not important.

From: Rich Megginson
To: freeipa-users@redhat.com
Date: 20.07.2015 16:24
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

> Chris
>
> From: Rob Crittenden
> To: Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy
> Cc: freeipa-users@redhat.com
> Date: 20.07.2015 15:47
> Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUI to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit
>>
>> 3) su - over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
>
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob
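The three ldapsearch variants above only confirm that the directory matches objectClass values case-insensitively. What an administrator in this situation actually wants is a repeatable check of every user: does the entry carry sambaSamAccount at all (otherwise the IPA password plugin never touches sambaPwdLastSet, as Alexander explains), has an NT hash been generated yet, and is sambaPwdLastSet still 0 after the user has changed the admin-set password. The script below is an added example, not code from FreeIPA or from anyone in this thread. It parses the LDIF that `ldapsearch -LLL` prints (so it runs offline against the constructed sample embedded in it), classifies each user, and writes ldapmodify input that sets sambaPwdLastSet only for users who already have an NT hash but a zero value. It deliberately does not add the missing object class, because the Samba schema makes sambaSID mandatory for sambaSamAccount and a script cannot invent a SID. The base DN, uids, hashes and timestamps in the sample are all made up.

```python
"""Audit FreeIPA user entries for the Samba attributes discussed in this thread.

Added example (not FreeIPA code). Feeds on `ldapsearch -LLL` output and needs
no live LDAP connection: replace SAMPLE_LDIF with real output, or pipe it in.
"""
import base64
import re
import sys
import time

# Constructed sample of an ldapsearch -LLL result; every value here is made up.
# The four entries mirror the states reported in the thread.
SAMPLE_LDIF = """\
dn: uid=usr1,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
uid: usr1
objectClass: top
objectClass: person
objectClass: posixaccount

dn: uid=usr0,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
uid: usr0
objectClass: top
objectClass: person
objectClass: sambaSamAccount

dn: uid=usr2,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
uid: usr2
objectClass: top
objectClass: person
objectClass: sambaSAMAccount
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 0

dn: uid=bilbo,cn=users,cn=accounts,dc=my,dc=silly,dc=example,dc=com
uid: bilbo
objectClass: top
objectClass: person
objectClass: sambasamaccount
sambaNTPassword:: RkVEQ0JBOTg3NjU0MzIxMEZFRENCQTk4NzY1NDMyMTA=
sambaPwdLastSet: 1437400000
"""

# Classification results; the comments say why Samba would refuse the user.
NO_OBJECTCLASS = "no-sambasamaccount"       # IPA password plugin will never set sambaPwdLastSet
NO_NT_HASH = "no-sambantpassword"           # no password has been set yet, nothing for Samba to verify
PWD_LAST_SET_ZERO = "sambapwdlastset-zero"  # admin-set (one-time) password, user must change it first
OK = "ok"


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts.
    Handles folded lines, comments and base64 ('::') values; enough for
    ldapsearch output, not a complete RFC 2849 reader."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuation lines
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def has_objectclass(entry, wanted):
    """The directory matches objectClass values case-insensitively, so
    sambaSamAccount, sambaSAMAccount and sambasamaccount are one class."""
    return wanted.casefold() in {oc.casefold() for oc in entry.get("objectclass", [])}


def classify(entry):
    if not has_objectclass(entry, "sambaSamAccount"):
        return NO_OBJECTCLASS
    if not entry.get("sambantpassword"):
        return NO_NT_HASH
    if int(entry.get("sambapwdlastset", ["0"])[0]) <= 0:
        return PWD_LAST_SET_ZERO
    return OK


def audit(ldif_text):
    """Map uid -> state for every entry in the LDIF."""
    return {e["uid"][0]: classify(e) for e in parse_ldif(ldif_text)}


def fixup_ldif(ldif_text, now=None):
    """ldapmodify input setting sambaPwdLastSet to `now` (epoch seconds) for
    entries in the PWD_LAST_SET_ZERO state only. Apply it solely to users who
    have already replaced the admin-set password themselves; otherwise it
    defeats the one-time-use rule IPA expresses with the zero value."""
    stamp = int(time.time() if now is None else now)
    changes = []
    for entry in parse_ldif(ldif_text):
        if classify(entry) == PWD_LAST_SET_ZERO:
            changes.append(
                f"dn: {entry['dn'][0]}\n"
                "changetype: modify\n"
                "replace: sambaPwdLastSet\n"
                f"sambaPwdLastSet: {stamp}\n"
            )
    return "\n".join(changes)


if __name__ == "__main__":
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for uid, state in audit(text).items():
        print(f"{uid:8} {state}")
    print(fixup_ldif(text))
```

Run it as `ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,<base DN> '(uid=*)' uid objectClass sambaNTPassword sambaPwdLastSet | python3 audit.py` and feed the printed changes to `ldapmodify` after reviewing them; with no piped input it audits the embedded sample. The `no-sambasamaccount` rows are the ones Alexander's explanation covers, and they need the object class (plus a sambaSID) added through whatever provisioning step gave the other users theirs, not a blind ldapmodify.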
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
On 07/20/2015 07:56 AM, Christopher Lamb wrote:
> Hi Rob
>
> The users do have the sambaSamAccount ObjectClass.
>
> Or to be more precise, some have sambasamaccount (all lower case), and some
> have sambaSAMAccount (mixed case)
>
> Are objectclasses case sensitive?

No, unless there is a bug in the objectclass matching/comparison code.

> Chris
>
> From: Rob Crittenden
> To: Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy
> Cc: freeipa-users@redhat.com
> Date: 20.07.2015 15:47
> Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
> Christopher Lamb wrote:
>> Hi Alexander
>>
>> This issue got overtaken by others, and slipped off my radar for a bit...
>>
>> While the solution suggested earlier in this thread at
>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>> sounds interesting (and we are running the correct versions of OEL 7.1 and
>> SSSD), it seems to require the Windows clients to be members of an Active
>> Directory trusted by IPA.
>>
>> Unfortunately there is no AD in our architecture - our Windows and OSX
>> clients are effectively islands. That would seem to leave us stuck with
>> sambaPwdLastSet.
>>
>> After a user has had his password reset via the IPA WebUI to a temporary
>> value, the user then logs on using the temporary password, and is asked to
>> enter a new password. At this point sambaPwdLastSet should be set to a
>> positive value. However our testing indicates that it is not. We have tried
>> 3 techniques:
>>
>> 1) User connects to LDAP server via remote ssh.
>>
>> 2) kinit
>>
>> 3) su - over an existing ssh session with another user (e.g. mine)
>>
>> In all three cases the user is able to set their password, but
>> sambaPwdLastSet remains set to 0.
>>
>> As a workaround we use Apache Directory Studio to manually set
>> sambaPwdLastSet once the user has changed his password.
>>
>> Chris
>
> AFAICT the user needs the sambaSamAccount objectclass in order for this
> to work. Is that the case?
>
> rob
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Hi Rob

The users do have the sambaSamAccount ObjectClass.

Or to be more precise, some have sambasamaccount (all lower case), and some have sambaSAMAccount (mixed case)

Are objectclasses case sensitive?

Chris

From: Rob Crittenden
To: Christopher Lamb/Switzerland/IBM@IBMCH, Alexander Bokovoy
Cc: freeipa-users@redhat.com
Date: 20.07.2015 15:47
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

Christopher Lamb wrote:
> Hi Alexander
>
> This issue got overtaken by others, and slipped off my radar for a bit...
>
> While the solution suggested earlier in this thread at
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> sounds interesting (and we are running the correct versions of OEL 7.1 and
> SSSD), it seems to require the Windows clients to be members of an Active
> Directory trusted by IPA.
>
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
>
> After a user has had his password reset via the IPA WebUI to a temporary
> value, the user then logs on using the temporary password, and is asked to
> enter a new password. At this point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have tried
> 3 techniques:
>
> 1) User connects to LDAP server via remote ssh.
>
> 2) kinit
>
> 3) su - over an existing ssh session with another user (e.g. mine)
>
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
>
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
>
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this to work. Is that the case?

rob
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
On Mon, 20 Jul 2015, Rob Crittenden wrote:
>Christopher Lamb wrote:
>>Hi Alexander
>>
>>This issue got overtaken by others, and slipped off my radar for a bit...
>>
>>While the solution suggested earlier in this thread at
>>http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>>sounds interesting (and we are running the correct versions of OEL 7.1 and
>>SSSD), it seems to require the Windows clients to be members of an Active
>>Directory trusted by IPA.
>>
>>Unfortunately there is no AD in our architecture - our Windows and OSX
>>clients are effectively islands. That would seem to leave us stuck with
>>sambaPwdLastSet.
>>
>>After a user has had his password reset via the IPA WebUI to a temporary
>>value, the user then logs on using the temporary password, and is asked to
>>enter a new password. At this point sambaPwdLastSet should be set to a
>>positive value. However our testing indicates that it is not. We have tried
>>3 techniques:
>>
>>1) User connects to LDAP server via remote ssh.
>>
>>2) kinit
>>
>>3) su - over an existing ssh session with another user (e.g. mine)
>>
>>In all three cases the user is able to set their password, but
>>sambaPwdLastSet remains set to 0.
>>
>>As a workaround we use Apache Directory Studio to manually set
>>sambaPwdLastSet once the user has changed his password.
>>
>>Chris
>
>AFAICT the user needs the sambaSamAccount objectclass in order for
>this to work. Is that the case?

Yes, exactly.

This object class is not used by IPA integration with Samba, so we don't give it to users by default. The code in IPA password plugin checks if there is an object class named SambaSamAccount on the user entry and then manipulates sambaPwdLastSet as required.

--
/ Alexander Bokovoy
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Christopher Lamb wrote:
> Hi Alexander
>
> This issue got overtaken by others, and slipped off my radar for a bit...
>
> While the solution suggested earlier in this thread at
> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
> sounds interesting (and we are running the correct versions of OEL 7.1 and
> SSSD), it seems to require the Windows clients to be members of an Active
> Directory trusted by IPA.
>
> Unfortunately there is no AD in our architecture - our Windows and OSX
> clients are effectively islands. That would seem to leave us stuck with
> sambaPwdLastSet.
>
> After a user has had his password reset via the IPA WebUI to a temporary
> value, the user then logs on using the temporary password, and is asked to
> enter a new password. At this point sambaPwdLastSet should be set to a
> positive value. However our testing indicates that it is not. We have tried
> 3 techniques:
>
> 1) User connects to LDAP server via remote ssh.
>
> 2) kinit
>
> 3) su - over an existing ssh session with another user (e.g. mine)
>
> In all three cases the user is able to set their password, but
> sambaPwdLastSet remains set to 0.
>
> As a workaround we use Apache Directory Studio to manually set
> sambaPwdLastSet once the user has changed his password.
>
> Chris

AFAICT the user needs the sambaSamAccount objectclass in order for this to work. Is that the case?

rob
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Hi Alexander

This issue got overtaken by others, and slipped off my radar for a bit...

While the solution suggested earlier in this thread at
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
sounds interesting (and we are running the correct versions of OEL 7.1 and SSSD), it seems to require the Windows clients to be members of an Active Directory trusted by IPA.

Unfortunately there is no AD in our architecture - our Windows and OSX clients are effectively islands. That would seem to leave us stuck with sambaPwdLastSet.

After a user has had his password reset via the IPA WebUI to a temporary value, the user then logs on using the temporary password, and is asked to enter a new password. At this point sambaPwdLastSet should be set to a positive value. However our testing indicates that it is not. We have tried 3 techniques:

1) User connects to LDAP server via remote ssh.

2) kinit

3) su - over an existing ssh session with another user (e.g. mine)

In all three cases the user is able to set their password, but sambaPwdLastSet remains set to 0.

As a workaround we use Apache Directory Studio to manually set sambaPwdLastSet once the user has changed his password.

Chris

From: Alexander Bokovoy
To: Christopher Lamb/Switzerland/IBM@IBMCH
Date: 28.04.2015 20:37
Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet

On Tue, 28 Apr 2015, Christopher Lamb wrote:
>Hi Alexander
>
>one of those days?
>
>I have just snapshotted the VM running FreeIPA, and will give your
>suggestion a whirl, and then report back to the list.
>
>I am running both FreeIPA and Samba on the same VM, which should make
>things easier.
>
>All the bits required are either already installed or in the yum repo, so I
>am ready to go...

Here is the problem. In the case of Samba running on IPA master you really really want to use freeipa-server-trust-ad (or ipa-server-trust-ad in RHEL/CentOS) package and use ipa-adtrust-install to configure it.

We have done a lot of work to make sure IPA masters can work as 'AD DCs' of sorts for cross-forest trusts to Active Directory. Part of it includes specialized PDB module (ipasam) and appropriate management around it.

The solution about using SSSD libwbclient parts is built around that too -- you are expected to configure your IPA masters with ipa-adtrust-install and then run Samba file server on an IPA client with SSSD.

If you want to have shares on IPA master directly, all you need to do is to run ipa-adtrust-install to configure Samba and then use 'net conf addshare' to configure shares. Using 'net conf' is a key here because we use registry to store smb.conf and things in /etc/samba/smb.conf will be ignored.

See https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html for examples.

>
>Must get off the train now ...
>
>thanks
>
>chris
>
>From: Alexander Bokovoy
>To: Christopher Lamb/Switzerland/IBM@IBMCH
>Cc: freeipa-users@redhat.com
>Date: 28.04.2015 20:11
>Subject: Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
>
>Resending it to the right list. :) Not my evening.
>
>On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>>
>>>Hi All
>>>
>>>I wish to pick your brains on the attribute sambaPwdLastSet
>>>
>>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>>old 3.0.0 instance.
>>>
>>>We are also running Samba to share files to Windows and OSX users. This
>>>means that all the FreeIPA user accounts have the attribute
>>>sambaPwdLastSet.
>>>
>>>If this has the value 0, our users cannot map Samba shares, so we need to
>>>make sure the value is a positive integer.
>>>
>>>In an attempt to do this, I modified user.py, adding the attribute to the
>>>takes_params for the class user as follows:
>>>
>>>class user(LDAPObject):
>>>    . . .
>>>    takes_params = (
>>>        . . .
>>>        Int('sambapwdlastset?',
>>>            label=_('sambaPwdLastSet'),
>>>            doc=_('Date as an integer when the samba password was last set'),
>>>            default=1,
>>>            autofill=True,
>>>        ),
>>>        . . .
>>>
>>>This works fine if I create a user via the CLI.
>>>
>>>However if I create a user via the Web UI, or use the Web UI to reset a
>>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>>
>>>So what scripts do I need to change to m
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
Resending it to the right list. :) Not my evening.

On Tue, 28 Apr 2015, Alexander Bokovoy wrote:
>On Tue, 28 Apr 2015, Christopher Lamb wrote:
>>Hi All
>>
>>I wish to pick your brains on the attribute sambaPwdLastSet
>>
>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>old 3.0.0 instance.
>>
>>We are also running Samba to share files to Windows and OSX users. This
>>means that all the FreeIPA user accounts have the attribute
>>sambaPwdLastSet.
>>
>>If this has the value 0, our users cannot map Samba shares, so we need to
>>make sure the value is a positive integer.
>>
>>In an attempt to do this, I modified user.py, adding the attribute to the
>>takes_params for the class user as follows:
>>
>>class user(LDAPObject):
>>    . . .
>>    takes_params = (
>>        . . .
>>        Int('sambapwdlastset?',
>>            label=_('sambaPwdLastSet'),
>>            doc=_('Date as an integer when the samba password was last set'),
>>            default=1,
>>            autofill=True,
>>        ),
>>        . . .
>>
>>This works fine if I create a user via the CLI.
>>
>>However if I create a user via the Web UI, or use the Web UI to reset a
>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>>So what scripts do I need to change to make sure the Web UI sets sambaPwdLastSet
>>to a positive value? (I don't want to run ldapmodify scripts, or have to use
>>Apache Directory Studio to hack the db..)
>>
>>Or is there an altogether better approach to handling this field?
>
>Yes, there is. Given that you are running FreeIPA 4.1, you now can use SSSD
>as your libwbclient provider to be able to run Samba on IPA client against
>IPA database. There will be no dependency on sambaPwdLastSet anymore.
>
>See http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
>
>This approach requires Fedora 21 or RHEL 7.1 / CentOS 7.1 on the IPA client.
>It does not work though with non-Kerberos (NTLM) logins.
>
>However, if you insist on using sambaPwdLastSet attribute, then the user
>password change rule applies:
>
>- if admin changes user password, sambaPwdLastSet is cleared to 0 to force
>  users to change their passwords also via Samba
>
>- if user changes the password him/herself, sambaPwdLastSet is set to the
>  current time (i.e. not 0).
>
>This really goes into enforcing privacy of user passwords -- if admins change
>user passwords, the password is not really secret anymore and cannot be
>considered secure, so it is only used once.
>
>See also https://www.freeipa.org/page/Self-Service_Password_Reset and
>https://www.freeipa.org/page/New_Passwords_Expired
>
>--
>/ Alexander Bokovoy
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
On Tue, 28 Apr 2015, Dmitri Pal wrote:
>On 04/28/2015 12:17 PM, Christopher Lamb wrote:
>>Hi All
>>
>>I wish to pick your brains on the attribute sambaPwdLastSet
>>
>>We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
>>old 3.0.0 instance.
>>
>>We are also running Samba to share files to Windows and OSX users. This
>>means that all the FreeIPA user accounts have the attribute
>>sambaPwdLastSet.
>>
>>If this has the value 0, our users cannot map Samba shares, so we need to
>>make sure the value is a positive integer.
>>
>>In an attempt to do this, I modified user.py, adding the attribute to the
>>takes_params for the class user as follows:
>>
>>class user(LDAPObject):
>>    . . .
>>    takes_params = (
>>        . . .
>>        Int('sambapwdlastset?',
>>            label=_('sambaPwdLastSet'),
>>            doc=_('Date as an integer when the samba password was last set'),
>>            default=1,
>>            autofill=True,
>>        ),
>>        . . .
>>
>>This works fine if I create a user via the CLI.
>>
>>However if I create a user via the Web UI, or use the Web UI to reset a
>>user's password, then the attribute sambaPwdLastSet is set to zero.
>>
>>So what scripts do I need to change to make sure the Web UI sets sambaPwdLastSet
>>to a positive value? (I don't want to run ldapmodify scripts, or have to use
>>Apache Directory Studio to hack the db..)
>>
>>Or is there an altogether better approach to handling this field?
>>
>>Thanks
>>
>>Chris
>
>Maybe you should consider managed entry plugin and make this attribute be
>updated at the same time the standard password expiration attribute is
>updated?

Dmitri, it is already updated -- we set it to 0 when admin changes user's password.

I've written an answer to Chris but forgot to CC: the list. I'll re-send my answer.

--
/ Alexander Bokovoy
Re: [Freeipa-users] FreeIPA and sambaPwdLastSet
On 04/28/2015 12:17 PM, Christopher Lamb wrote:
> Hi All
>
> I wish to pick your brains on the attribute sambaPwdLastSet
>
> We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an
> old 3.0.0 instance.
>
> We are also running Samba to share files to Windows and OSX users. This
> means that all the FreeIPA user accounts have the attribute
> sambaPwdLastSet.
>
> If this has the value 0, our users cannot map Samba shares, so we need to
> make sure the value is a positive integer.
>
> In an attempt to do this, I modified user.py, adding the attribute to the
> takes_params for the class user as follows:
>
> class user(LDAPObject):
>     . . .
>     takes_params = (
>         . . .
>         Int('sambapwdlastset?',
>             label=_('sambaPwdLastSet'),
>             doc=_('Date as an integer when the samba password was last set'),
>             default=1,
>             autofill=True,
>         ),
>         . . .
>
> This works fine if I create a user via the CLI.
>
> However if I create a user via the Web UI, or use the Web UI to reset a
> user's password, then the attribute sambaPwdLastSet is set to zero.
>
> So what scripts do I need to change to make sure the Web UI sets sambaPwdLastSet
> to a positive value? (I don't want to run ldapmodify scripts, or have to use
> Apache Directory Studio to hack the db..)
>
> Or is there an altogether better approach to handling this field?
>
> Thanks
>
> Chris

Maybe you should consider managed entry plugin and make this attribute be updated at the same time the standard password expiration attribute is updated?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
[Freeipa-users] FreeIPA and sambaPwdLastSet
Hi All

I wish to pick your brains on the attribute sambaPwdLastSet

We have a newly setup FreeIPA 4.1.0, with users and groups migrated from an old 3.0.0 instance.

We are also running Samba to share files to Windows and OSX users. This means that all the FreeIPA user accounts have the attribute sambaPwdLastSet.

If this has the value 0, our users cannot map Samba shares, so we need to make sure the value is a positive integer.

In an attempt to do this, I modified user.py, adding the attribute to the takes_params for the class user as follows:

class user(LDAPObject):
    . . .
    takes_params = (
        . . .
        Int('sambapwdlastset?',
            label=_('sambaPwdLastSet'),
            doc=_('Date as an integer when the samba password was last set'),
            default=1,
            autofill=True,
        ),
        . . .

This works fine if I create a user via the CLI.

However if I create a user via the Web UI, or use the Web UI to reset a user's password, then the attribute sambaPwdLastSet is set to zero.

So what scripts do I need to change to make sure the Web UI sets sambaPwdLastSet to a positive value? (I don't want to run ldapmodify scripts, or have to use Apache Directory Studio to hack the db..)

Or is there an altogether better approach to handling this field?

Thanks

Chris