Re: [Freeipa-users] Resynchronize Samba Password
On 16.10.2012 23:40, Simo Sorce wrote:
> On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
>> On 10/16/2012 05:21 AM, Simo Sorce wrote:
>>> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
>>>> On 15.10.2012 15:50, Simo Sorce wrote:
>>>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>>>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>>>>> What about sambaPwdLastSet ?
>>>>>> Not set when a user is created new.
>>>>> It should be set when you give the user a password as long as the
>>>>> sambaSamAccount objectclass is added to the user.
>>>>>
>>>>>> When I change the password:
>>>>>> sambaPwdLastSet: 0
>>>>> If this is when you set the password as an admin, it is expected.
>>>> Ok, understood. But it should change when the user resets his/her
>>>> password, right?
>>>> And that is not happening.
>>>> When the user sets his/her password the sambaPwdLastSet stays untouched.
>>> That's odd, how does the user change the password ?
>>>
>>>>>> Not working with samba!
>>>>>> Need to apply my script (see below).
>>>>> Let me ask one thing, are you changing the password as a user ?
>>>>> Or have you tested only setting the password as admin ?
>>>> I set the initial password as admin.
>>>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
>>>> requested to change his/her password. This works but the sambaPwdLastSet
>>>> stays untouched.
>>> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
>>>
>>>>> If the latter this applies:
>>>>> http://www.freeipa.org/page/NewPasswordsExpired
>>>> Checked it. But that was my understanding nevertheless.
>>>>>
>>>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>>>>
>>>>> Simo.
>>>>
>>>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
>>>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
>>>> ---
>>>> Added user "tuser2"
>>>> ---
>>>>   User login: tuser2
>>>>   First name: Test
>>>>   Last name: User2
>>>>   Full name: Test User2
>>>>   Display name: Test User2
>>>>   Initials: TU
>>>>   Home directory: /home/tuser2
>>>>   GECOS field: Test User2
>>>>   Login shell: /bin/false
>>>>   Kerberos principal: tus...@cl.atix
>>>>   UID: 47378
>>>>   GID: 47378
>>>>   Password: False
>>>>   Kerberos keys available: False
>>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>>> sambaSID
>>>> SASL/GSSAPI authentication started
>>>> SASL username: ad...@cl.atix
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>>> sambaSID: S-1-5-21-xx-xx-xx-assign
>>>>
>>>> The following objectclasses are being set when creating a new user:
>>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>>> objectClass
>>>> SASL/GSSAPI authentication started
>>>> SASL username: ad...@cl.atix
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetorgperson
>>>> objectClass: inetuser
>>>> objectClass: posixaccount
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbticketpolicyaux
>>>> objectClass: ipaobject
>>>> objectClass: sambaSAMAccount
>>>> objectClass: ipasshuser
>>>> objectClass: ipaSshGroupOfPubKeys
>>>> objectClass: mepOriginEntry
>>>>
>>>> Thanks for your help
>>> Seem like a DNA bug ... then,
>>>
>>> Nathan do you have any idea ?
>> What DNA configuration is used?
> From a previous mail this looks to be the config.
>
> Marc is this still correct ?
>
>> Although my configuration looks ok, doesn't it?
>>
>> # ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
>> Enter LDAP Password:
>> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> dnatype: sambaSID
>> dnaprefix: S-1-5-21-1310149461-105972258-
>> dnainterval: 1
>> dnamagicregen: assign
>> dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
>> dnascope: dc=atix,dc=cl
>> cn: SambaSid
>> dnanextvalue: 15400

Yes, didn't change anything. And I already tried --setattr=sambaSid=assign
and --setattr=sambaSid=S-1-5-..-assign. Both didn't lead to an attribute
sambaSid being set per user.

Thanks
Marc.

-- 
Marc Grimme
E-Mail: grimme( at )atix.de

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Resynchronize Samba Password
On Tue, 2012-10-16 at 14:51 -0700, Nathan Kinder wrote:
> On 10/16/2012 02:40 PM, Simo Sorce wrote:
>> On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
>>> On 10/16/2012 05:21 AM, Simo Sorce wrote:
>>>> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
>>>>> On 15.10.2012 15:50, Simo Sorce wrote:
>>>>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>>>>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>>>>>> What about sambaPwdLastSet ?
>>>>>>> Not set when a user is created new.
>>>>>> It should be set when you give the user a password as long as the
>>>>>> sambaSamAccount objectclass is added to the user.
>>>>>>
>>>>>>> When I change the password:
>>>>>>> sambaPwdLastSet: 0
>>>>>> If this is when you set the password as an admin, it is expected.
>>>>> Ok, understood. But it should change when the user resets his/her
>>>>> password, right?
>>>>> And that is not happening.
>>>>> When the user sets his/her password the sambaPwdLastSet stays untouched.
>>>> That's odd, how does the user change the password ?
>>>>
>>>>>>> Not working with samba!
>>>>>>> Need to apply my script (see below).
>>>>>> Let me ask one thing, are you changing the password as a user ?
>>>>>> Or have you tested only setting the password as admin ?
>>>>> I set the initial password as admin.
>>>>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
>>>>> requested to change his/her password. This works but the sambaPwdLastSet
>>>>> stays untouched.
>>>> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
>>>>
>>>>>> If the latter this applies:
>>>>>> http://www.freeipa.org/page/NewPasswordsExpired
>>>>> Checked it. But that was my understanding nevertheless.
>>>>>>
>>>>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>>>>>
>>>>>> Simo.
>>>>>
>>>>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
>>>>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
> I think that this needs to be --setattr=assign. The prefix should not
> be included when specifying the magic value to trigger generation.

Nathan, you were not included in the previous mails, but options have
been tried and they seem to fail the same way (ie the actual passed in
value is stored instead of generating a new value).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Resynchronize Samba Password
On 10/16/2012 02:40 PM, Simo Sorce wrote:
> On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
>> On 10/16/2012 05:21 AM, Simo Sorce wrote:
>>> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
>>>> On 15.10.2012 15:50, Simo Sorce wrote:
>>>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>>>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>>>>> What about sambaPwdLastSet ?
>>>>>> Not set when a user is created new.
>>>>> It should be set when you give the user a password as long as the
>>>>> sambaSamAccount objectclass is added to the user.
>>>>>
>>>>>> When I change the password:
>>>>>> sambaPwdLastSet: 0
>>>>> If this is when you set the password as an admin, it is expected.
>>>> Ok, understood. But it should change when the user resets his/her
>>>> password, right?
>>>> And that is not happening.
>>>> When the user sets his/her password the sambaPwdLastSet stays untouched.
>>> That's odd, how does the user change the password ?
>>>
>>>>>> Not working with samba!
>>>>>> Need to apply my script (see below).
>>>>> Let me ask one thing, are you changing the password as a user ?
>>>>> Or have you tested only setting the password as admin ?
>>>> I set the initial password as admin.
>>>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
>>>> requested to change his/her password. This works but the sambaPwdLastSet
>>>> stays untouched.
>>> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
>>>
>>>>> If the latter this applies:
>>>>> http://www.freeipa.org/page/NewPasswordsExpired
>>>> Checked it. But that was my understanding nevertheless.
>>>>>
>>>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>>>>
>>>>> Simo.
>>>>
>>>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
>>>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign

I think that this needs to be --setattr=assign. The prefix should not
be included when specifying the magic value to trigger generation.

>>>> ---
>>>> Added user "tuser2"
>>>> ---
>>>>   User login: tuser2
>>>>   First name: Test
>>>>   Last name: User2
>>>>   Full name: Test User2
>>>>   Display name: Test User2
>>>>   Initials: TU
>>>>   Home directory: /home/tuser2
>>>>   GECOS field: Test User2
>>>>   Login shell: /bin/false
>>>>   Kerberos principal: tus...@cl.atix
>>>>   UID: 47378
>>>>   GID: 47378
>>>>   Password: False
>>>>   Kerberos keys available: False
>>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>>> sambaSID
>>>> SASL/GSSAPI authentication started
>>>> SASL username: ad...@cl.atix
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>>> sambaSID: S-1-5-21-xx-xx-xx-assign
>>>>
>>>> The following objectclasses are being set when creating a new user:
>>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>>> objectClass
>>>> SASL/GSSAPI authentication started
>>>> SASL username: ad...@cl.atix
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetorgperson
>>>> objectClass: inetuser
>>>> objectClass: posixaccount
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbticketpolicyaux
>>>> objectClass: ipaobject
>>>> objectClass: sambaSAMAccount
>>>> objectClass: ipasshuser
>>>> objectClass: ipaSshGroupOfPubKeys
>>>> objectClass: mepOriginEntry
>>>>
>>>> Thanks for your help
>>> Seem like a DNA bug ... then,
>>>
>>> Nathan do you have any idea ?
>> What DNA configuration is used?
> From a previous mail this looks to be the config.
>
> Marc is this still correct ?
>
>> Although my configuration looks ok, doesn't it?
>>
>> # ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
>> Enter LDAP Password:
>> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> objectClass: top
>> objectClass: extensibleObject
>> dnatype: sambaSID
>> dnaprefix: S-1-5-21-1310149461-105972258-
>> dnainterval: 1
>> dnamagicregen: assign
>> dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
>> dnascope: dc=atix,dc=cl
>> cn: SambaSid
>> dnanextvalue: 15400
Re: [Freeipa-users] Resynchronize Samba Password
On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
> On 10/16/2012 05:21 AM, Simo Sorce wrote:
>> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
>>> On 15.10.2012 15:50, Simo Sorce wrote:
>>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>>>> What about sambaPwdLastSet ?
>>>>> Not set when a user is created new.
>>>> It should be set when you give the user a password as long as the
>>>> sambaSamAccount objectclass is added to the user.
>>>>
>>>>> When I change the password:
>>>>> sambaPwdLastSet: 0
>>>> If this is when you set the password as an admin, it is expected.
>>> Ok, understood. But it should change when the user resets his/her
>>> password, right?
>>> And that is not happening.
>>> When the user sets his/her password the sambaPwdLastSet stays untouched.
>> That's odd, how does the user change the password ?
>>
>>>>> Not working with samba!
>>>>> Need to apply my script (see below).
>>>> Let me ask one thing, are you changing the password as a user ?
>>>> Or have you tested only setting the password as admin ?
>>> I set the initial password as admin.
>>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
>>> requested to change his/her password. This works but the sambaPwdLastSet
>>> stays untouched.
>> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
>>
>>>> If the latter this applies:
>>>> http://www.freeipa.org/page/NewPasswordsExpired
>>> Checked it. But that was my understanding nevertheless.
>>>>
>>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>>>
>>>> Simo.
>>>
>>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
>>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
>>> ---
>>> Added user "tuser2"
>>> ---
>>>   User login: tuser2
>>>   First name: Test
>>>   Last name: User2
>>>   Full name: Test User2
>>>   Display name: Test User2
>>>   Initials: TU
>>>   Home directory: /home/tuser2
>>>   GECOS field: Test User2
>>>   Login shell: /bin/false
>>>   Kerberos principal: tus...@cl.atix
>>>   UID: 47378
>>>   GID: 47378
>>>   Password: False
>>>   Kerberos keys available: False
>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>> sambaSID
>>> SASL/GSSAPI authentication started
>>> SASL username: ad...@cl.atix
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>> sambaSID: S-1-5-21-xx-xx-xx-assign
>>>
>>> The following objectclasses are being set when creating a new user:
>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>> objectClass
>>> SASL/GSSAPI authentication started
>>> SASL username: ad...@cl.atix
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: sambaSAMAccount
>>> objectClass: ipasshuser
>>> objectClass: ipaSshGroupOfPubKeys
>>> objectClass: mepOriginEntry
>>>
>>> Thanks for your help
>> Seem like a DNA bug ... then,
>>
>> Nathan do you have any idea ?
> What DNA configuration is used?

From a previous mail this looks to be the config.

Marc is this still correct ?

> Although my configuration looks ok, doesn't it?
>
> # ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
> Enter LDAP Password:
> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-1310149461-105972258-
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
> dnascope: dc=atix,dc=cl
> cn: SambaSid
> dnanextvalue: 15400

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Resynchronize Samba Password
On 10/16/2012 05:21 AM, Simo Sorce wrote:
> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
>> On 15.10.2012 15:50, Simo Sorce wrote:
>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>>> What about sambaPwdLastSet ?
>>>> Not set when a user is created new.
>>> It should be set when you give the user a password as long as the
>>> sambaSamAccount objectclass is added to the user.
>>>
>>>> When I change the password:
>>>> sambaPwdLastSet: 0
>>> If this is when you set the password as an admin, it is expected.
>> Ok, understood. But it should change when the user resets his/her
>> password, right?
>> And that is not happening.
>> When the user sets his/her password the sambaPwdLastSet stays untouched.
> That's odd, how does the user change the password ?
>
>>>> Not working with samba!
>>>> Need to apply my script (see below).
>>> Let me ask one thing, are you changing the password as a user ?
>>> Or have you tested only setting the password as admin ?
>> I set the initial password as admin.
>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
>> requested to change his/her password. This works but the sambaPwdLastSet
>> stays untouched.
> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
>
>>> If the latter this applies:
>>> http://www.freeipa.org/page/NewPasswordsExpired
>> Checked it. But that was my understanding nevertheless.
>>>
>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>>
>>> Simo.
>>
>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
>> ---
>> Added user "tuser2"
>> ---
>>   User login: tuser2
>>   First name: Test
>>   Last name: User2
>>   Full name: Test User2
>>   Display name: Test User2
>>   Initials: TU
>>   Home directory: /home/tuser2
>>   GECOS field: Test User2
>>   Login shell: /bin/false
>>   Kerberos principal: tus...@cl.atix
>>   UID: 47378
>>   GID: 47378
>>   Password: False
>>   Kerberos keys available: False
>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>> sambaSID
>> SASL/GSSAPI authentication started
>> SASL username: ad...@cl.atix
>> SASL SSF: 56
>> SASL data security layer installed.
>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>> sambaSID: S-1-5-21-xx-xx-xx-assign
>>
>> The following objectclasses are being set when creating a new user:
>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>> objectClass
>> SASL/GSSAPI authentication started
>> SASL username: ad...@cl.atix
>> SASL SSF: 56
>> SASL data security layer installed.
>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: sambaSAMAccount
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>>
>> Thanks for your help
> Seem like a DNA bug ... then,
>
> Nathan do you have any idea ?

What DNA configuration is used?

-NGK
Re: [Freeipa-users] Resynchronize Samba Password
On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> On 15.10.2012 15:50, Simo Sorce wrote:
>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>> What about sambaPwdLastSet ?
>>> Not set when a user is created new.
>> It should be set when you give the user a password as long as the
>> sambaSamAccount objectclass is added to the user.
>>
>>> When I change the password:
>>> sambaPwdLastSet: 0
>> If this is when you set the password as an admin, it is expected.
> Ok, understood. But it should change when the user resets his/her
> password, right?
> And that is not happening.
> When the user sets his/her password the sambaPwdLastSet stays untouched.

That's odd, how does the user change the password ?

>>> Not working with samba!
>>> Need to apply my script (see below).
>> Let me ask one thing, are you changing the password as a user ?
>> Or have you tested only setting the password as admin ?
> I set the initial password as admin.
> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> requested to change his/her password. This works but the sambaPwdLastSet
> stays untouched.

Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?

>> If the latter this applies:
>> http://www.freeipa.org/page/NewPasswordsExpired
> Checked it. But that was my understanding nevertheless.
>>
>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>
>> Simo.
>
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
> ---
> Added user "tuser2"
> ---
>   User login: tuser2
>   First name: Test
>   Last name: User2
>   Full name: Test User2
>   Display name: Test User2
>   Initials: TU
>   Home directory: /home/tuser2
>   GECOS field: Test User2
>   Login shell: /bin/false
>   Kerberos principal: tus...@cl.atix
>   UID: 47378
>   GID: 47378
>   Password: False
>   Kerberos keys available: False
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> sambaSID
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaSID: S-1-5-21-xx-xx-xx-assign
>
> The following objectclasses are being set when creating a new user:
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> objectClass
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: sambaSAMAccount
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
>
> Thanks for your help

Seem like a DNA bug ... then,

Nathan do you have any idea ?

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Resynchronize Samba Password
On 15.10.2012 15:50, Simo Sorce wrote:
> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>> On 14.10.2012 23:14, Simo Sorce wrote:
>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>> What about sambaPwdLastSet ?
>> Not set when a user is created new.
> It should be set when you give the user a password as long as the
> sambaSamAccount objectclass is added to the user.
>
>> When I change the password:
>> sambaPwdLastSet: 0
> If this is when you set the password as an admin, it is expected.

Ok, understood. But it should change when the user resets his/her
password, right?
And that is not happening.
When the user sets his/her password the sambaPwdLastSet stays untouched.

>> Not working with samba!
>> Need to apply my script (see below).
> Let me ask one thing, are you changing the password as a user ?
> Or have you tested only setting the password as admin ?

I set the initial password as admin.
Then the user logs in to a server (sssd, ssh, ipa-member) and is
requested to change his/her password. This works but the sambaPwdLastSet
stays untouched.

> If the latter this applies:
> http://www.freeipa.org/page/NewPasswordsExpired

Checked it. But that was my understanding nevertheless.

> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>
> Simo.

# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
---
Added user "tuser2"
---
  User login: tuser2
  First name: Test
  Last name: User2
  Full name: Test User2
  Display name: Test User2
  Initials: TU
  Home directory: /home/tuser2
  GECOS field: Test User2
  Login shell: /bin/false
  Kerberos principal: tus...@cl.atix
  UID: 47378
  GID: 47378
  Password: False
  Kerberos keys available: False
# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
sambaSID
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-xx-xx-xx-assign

The following objectclasses are being set when creating a new user:
# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
objectClass
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: sambaSAMAccount
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry

Thanks for your help
Marc.

-- 
Marc Grimme
E-Mail: grimme( at )atix.de
Re: [Freeipa-users] Resynchronize Samba Password
Marc Grimme wrote:
> On 14.10.2012 23:14, Simo Sorce wrote:
>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>> What about sambaPwdLastSet ?
> Not set when a user is created new.
> When I change the password:
> sambaPwdLastSet: 0
> Not working with samba!
> Need to apply my script (see below).
> BTW: when I create a user as follows:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --setattr=SambaSID=assign
> The SambaSID is: just assign.
> ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" sambaSID
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaSID: assign
> Am I missing something or is this to be changed later on?

What objectclasses is your user getting by default? Is it satisfying the
DNA filter?

rob

>> Which attribute are you 'fixing' ?
>> And how ?
> I wrote a script that basically does the following.
>
> out=$(ldapsearch -LLL -b uid=$1,cn=users,cn=accounts,dc=cl,dc=atix sambaPwdLastSet 2>/dev/null)
> if [ $? -ne 0 ]; then
>   echo "Error during retrieving of sambaPwdLastSet.."
>   exit 1
> fi
> pwdlastset=$(echo "$out" | head -2 | tail -1 | cut -f2 -d " ")
> if [ -z "$pwdlastset" ]; then
>   echo "Adding a pwdlastset time.."
>   ldapadd <
>
>> Can you show me the specific attribute you are 'fixing' before/after
>> the password change and before/after the 'fix' ?
> see above.
>>> I can access samba as follows:
>>> smbclient -U tuser2 -L methusalix2 -D ATIX2
>>> Enter tuser2's password:
>>> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
>>>
>>> Sharename Type Comment
>>> ..
>>>
>>> So the initial setup seems to be the problem, right?
>> There seem to be an issue somewhere indeed, we need to narrow down to
>> the exact change, then I can look in the code and see what's going on in
>> there, as sambaPwdLastSet should be changed by the code.
> Hope this helps.
> Do you need more information?
Re: [Freeipa-users] Resynchronize Samba Password
On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> On 14.10.2012 23:14, Simo Sorce wrote:
>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>> What about sambaPwdLastSet ?
> Not set when a user is created new.

It should be set when you give the user a password as long as the
sambaSamAccount objectclass is added to the user.

> When I change the password:
> sambaPwdLastSet: 0

If this is when you set the password as an admin, it is expected.

> Not working with samba!
> Need to apply my script (see below).

Let me ask one thing, are you changing the password as a user ?
Or have you tested only setting the password as admin ?

If the latter this applies:
http://www.freeipa.org/page/NewPasswordsExpired

> BTW: when I create a user as follows:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --setattr=SambaSID=assign
> The SambaSID is: just assign.

I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Resynchronize Samba Password
On 14.10.2012 23:14, Simo Sorce wrote:
> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> Right I am ok with sambaPwdMustChange not being set. That's all good.
> What about sambaPwdLastSet ?

Not set when a user is created new.
When I change the password:
sambaPwdLastSet: 0
Not working with samba!
Need to apply my script (see below).

BTW: when I create a user as follows:
ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--setattr=SambaSID=assign
The SambaSID is: just assign.
ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" sambaSID
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: assign
Am I missing something or is this to be changed later on?

> Which attribute are you 'fixing' ?
> And how ?

I wrote a script that basically does the following.

out=$(ldapsearch -LLL -b uid=$1,cn=users,cn=accounts,dc=cl,dc=atix sambaPwdLastSet 2>/dev/null)
if [ $? -ne 0 ]; then
  echo "Error during retrieving of sambaPwdLastSet.."
  exit 1
fi
pwdlastset=$(echo "$out" | head -2 | tail -1 | cut -f2 -d " ")
if [ -z "$pwdlastset" ]; then
  echo "Adding a pwdlastset time.."
  ldapadd <

> Can you show me the specific attribute you are 'fixing' before/after
> the password change and before/after the 'fix' ?

see above.

>> I can access samba as follows:
>> smbclient -U tuser2 -L methusalix2 -D ATIX2
>> Enter tuser2's password:
>> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
>>
>> Sharename Type Comment
>> ..
>>
>> So the initial setup seems to be the problem, right?
> There seem to be an issue somewhere indeed, we need to narrow down to
> the exact change, then I can look in the code and see what's going on in
> there, as sambaPwdLastSet should be changed by the code.

Hope this helps.
Do you need more information?

-- 
Marc Grimme
E-Mail: grimme( at )atix.de
ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 | 85716 Unterschleissheim | www.atix.de | www.comoonics.org
Commercial register: Munich District Court, registration number: HRB 168930, VAT ID: DE209485962 | Management board: Marc Grimme, Mark Hlawatschek, Thomas Merz (chairman) | Chairman of the supervisory board: Dr. Martin Buss
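An added audit script, not from the thread and not FreeIPA or 389-ds code, that checks for the two conditions Marc describes in this message: a sambaSamAccount user whose sambaPwdLastSet is missing or 0 (the state that left Samba answering NT_STATUS_PASSWORD_MUST_CHANGE), and a sambaSID that still carries the DNA magic word because the plugin never generated a value. It parses `ldapsearch -LLL` output offline; the entries below are constructed, and the DNA prefix and magic value are copied from the DNA configuration quoted elsewhere in the thread. The `pwdlastset_modify_ldif` helper only renders an LDIF change record for review; it is an assumption about what Marc's script feeds to ldapadd, since the heredoc is cut off in the archive.

```python
"""Audit FreeIPA user entries for Samba attribute gaps (added example)."""
import re
import time

DNA_PREFIX = "S-1-5-21-1310149461-105972258-"  # dnaprefix from the DNA config in the thread
DNA_MAGIC = "assign"                           # dnamagicregen from the same config

# Constructed sample in the shape of `ldapsearch -LLL ... objectClass sambaSID sambaPwdLastSet`.
SAMPLE_LDIF = """\
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixaccount
objectClass: sambaSAMAccount
sambaSID: S-1-5-21-xx-xx-xx-assign
sambaPwdLastSet: 0

dn: uid=tuser3,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixaccount
objectClass: sambaSAMAccount
sambaSID: S-1-5-21-1310149461-105972258-15400
sambaPwdLastSet: 1350396000

dn: uid=tuser4,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixaccount
objectClass: sambaSAMAccount
sambaSID: assign

dn: uid=plainuser,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixaccount
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr_lowercase: [values]}).

    Folds the one-space continuation lines ldapsearch emits for long values
    and lower-cases attribute names, which LDAP treats case-insensitively.
    """
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.lstrip()
        if key.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(key.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_entry(attrs):
    """Return finding strings for one entry; an empty list means clean."""
    findings = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return findings  # Samba never consults this entry, nothing to check
    sids = attrs.get("sambasid", [])
    if not sids:
        findings.append("sambaSID missing")
    for sid in sids:
        if sid.endswith(DNA_MAGIC):
            findings.append("sambaSID still holds the DNA magic value: " + sid)
        elif not (sid.startswith(DNA_PREFIX) and sid[len(DNA_PREFIX):].isdigit()):
            findings.append("sambaSID outside the DNA range: " + sid)
    last = attrs.get("sambapwdlastset", [])
    if not last:
        findings.append("sambaPwdLastSet missing")
    elif last[0].strip() == "0":
        findings.append("sambaPwdLastSet is 0")
    return findings


def audit_ldif(text):
    """Map each DN to its findings; clean entries are omitted."""
    result = {}
    for dn, attrs in parse_ldif(text):
        findings = audit_entry(attrs)
        if findings:
            result[dn] = findings
    return result


def pwdlastset_modify_ldif(dn, when=None):
    """Render an ldapmodify change record setting sambaPwdLastSet to a Unix
    timestamp (seconds since the epoch, the attribute's format).  Assumed
    shape of the fix; the record is returned for review, not applied."""
    ts = int(time.time()) if when is None else int(when)
    return "dn: %s\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: %d\n" % (dn, ts)


if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn)
        for finding in findings:
            print("  -", finding)
```

Feed it real output with `ldapsearch -LLL -b cn=users,cn=accounts,<base> "(objectclass=sambasamaccount)" objectClass sambaSID sambaPwdLastSet`; a DN that shows up with the magic-value finding is one where the DNA plugin did not fire, which is a configuration problem to fix before touching any per-user attribute.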
Re: [Freeipa-users] Resynchronize Samba Password
On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> After me switching to
> ldap passwd sync = only
> I cannot see it changing the values if already set.
> But for new users it might not be set. As I have some without these
> attributes set.
> If I create a new user (say tuser2) as follows:
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
> ---
> Added user "tuser2"
> ---
> User login: tuser2
> First name: Test
> Last name: User2
> Full name: Test User2
> Display name: Test User2
> Initials: TU
> Home directory: /home/tuser2
> GECOS field: Test User2
> Login shell: /bin/false
> Kerberos principal: tus...@cl.atix
> UID: 47374
> GID: 47374
> Password: False
> Kerberos keys available: False
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>
> That attribute is not set.

Right I am ok with sambaPwdMustChange not being set. That's all good.
What about sambaPwdLastSet ?

> Then I'll set a temporary password:
>
> # ipa passwd tuser2
> New Password:
> Enter New Password again to verify:
> -
> Changed password for "tus...@cl.atix"
> -
>
> I'll change the temporary password:
>
> $ ssh tuser2@methusalix2
> tuser2@methusalix2's password:
> Password expired. Change your password now.
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser2.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
>
> I can login via ssh:
> $ ssh tuser2@methusalix2
> tuser2@methusalix2's password:
> Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix
>
> And the ldap attribute is still not set:
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>
> So the access via samba fails:
> $ smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>
> When I fix the attribute manually:
> # bash ~/add-sambapwdlastset2user.sh tuser2
> Wrong value. Modifying to proper one..
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

Which attribute are you 'fixing' ? And how ?
Can you show me the specific attribute you are 'fixing' before/after the
password change and before/after the 'fix' ?

> I can access samba as follows:
> smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
>
> Sharename Type Comment
> ..
>
> So the initial setup seems to be the problem, right?

There seems to be an issue somewhere indeed, we need to narrow down to the
exact change, then I can look in the code and see what's going on in there,
as sambaPwdLastSet should be changed by the code.

> Besides:
> It also looks like the Distributed Numeric Assignment Plugin seems to
> be not working. As I always have to manually specify the SID of the user:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305

See Rob's answer for this.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
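The before/after check Simo asks for above, as an added example that is not part of the thread and not FreeIPA's or Samba's code: a POSIX shell script that reads `ldapsearch -LLL` output for the sambaSamAccount entries, lists every entry whose sambaPwdLastSet is absent or 0 (the state that makes Samba answer NT_STATUS_PASSWORD_MUST_CHANGE), and emits the ldapmodify LDIF that would stamp the attribute with the current time, the same kind of repair Marc applies by hand with his script. The dc=example,dc=com suffix and the three entries are constructed sample data so the script runs offline; the ldapsearch invocation in the comments is an assumed one.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/Samba: audit
# sambaSamAccount entries for a missing or zero sambaPwdLastSet and
# build the LDIF that would repair them.
#
# Real input would come from (assumed invocation, adjust the suffix):
#   ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com \
#       '(objectClass=sambaSamAccount)' uid sambaPwdLastSet
# A constructed LDIF stands in for that output so the script runs offline.

SAMPLE_LDIF='dn: uid=tuser,cn=users,cn=accounts,dc=example,dc=com
uid: tuser
sambaPwdLastSet: 0

dn: uid=tuser2,cn=users,cn=accounts,dc=example,dc=com
uid: tuser2

dn: uid=okuser,cn=users,cn=accounts,dc=example,dc=com
uid: okuser
sambaPwdLastSet: 1350052468
'

# Print "<dn><TAB><sambaPwdLastSet>" per entry, "-" when the attribute is absent.
# LDIF entries are blank-line separated, so awk paragraph mode (RS="") with one
# field per line is enough; base64 (::) values do not occur for this attribute.
ldif_pwdlastset() {
    printf '%s\n' "$1" | awk '
        BEGIN { RS = ""; FS = "\n" }
        {
            dn = ""; val = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dn: /) dn = substr($i, 5)
                if ($i ~ /^sambaPwdLastSet: /) val = substr($i, 18)
            }
            if (dn != "") print dn "\t" val
        }'
}

# DNs whose sambaPwdLastSet is absent or 0: Samba treats both as
# "password must be changed" and refuses the session setup.
broken_entries() {
    ldif_pwdlastset "$1" | awk 'BEGIN { FS = "\t" } $2 == "-" || $2 == "0" { print $1 }'
}

# LDIF for ldapmodify that stamps every broken entry with $2 (epoch seconds,
# default: now). Replacing the value only clears the must-change state; the
# attribute still has to be kept current by the password plugin afterwards.
fix_ldif() {
    stamp=${2:-$(date +%s)}
    broken_entries "$1" | while IFS= read -r dn; do
        printf 'dn: %s\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: %s\n\n' "$dn" "$stamp"
    done
}

# Stand-alone run: list what is broken, then show the LDIF that would fix it
# (pipe it into "ldapmodify -Y GSSAPI" to apply, matching the SASL output in the thread).
broken_entries "$SAMPLE_LDIF"
fix_ldif "$SAMPLE_LDIF"
```

Run the audit once before and once after a user-initiated password change (ssh/sssd or kpasswd, as the users in the thread do): if the entry shows up as broken again afterwards, the password plugin is not updating sambaPwdLastSet and the LDIF is only a workaround; if it stays clean, only entries created or reset before the fix needed repairing.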
Re: [Freeipa-users] Resynchronize Samba Passwort
On 12.10.2012 16:19, Simo Sorce wrote:
> On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
>> On 11.10.2012 18:12, Simo Sorce wrote:
>>> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>>>> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
>>>> No they are integrated in the Kerberos Domain of IPA but not joined to
>>>> the samba domain.
>>>> Ok. Sorry I'm using
>>>> ldap passwd sync=Yes
>>>> Is that wrong?
>>> Yes, you should use "ldap passwd sync = only"
>> Ok, I set it as suggested.
>>>> Further testing.
>>>> I have a user called tuser.
>>>> 1. Reset the password:
>>>> ipaserver1 # ipa passwd tuser
>>>> New Password:
>>>> Enter New Password again to verify:
>>>>
>>>> Changed password for "tu...@cl.atix"
>>>>
>>>> 2. Login to another server via ssh:
>>>> $ ssh tuser@methusalix2
>>>> tuser@methusalix2's password:
>>>> Password expired. Change your password now.
>>>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>>>> WARNING: Your password has expired.
>>>> You must change your password now and login again!
>>>> Changing password for user tuser.
>>>> Current Password:
>>>> New password:
>>>> Retype new password:
>>>> passwd: all authentication tokens updated successfully.
>>>> Connection to methusalix2 closed.
>>>> $ ssh tuser@methusalix2
>>>> tuser@methusalix2's password:
>>>> Permission denied, please try again.
>>>> tuser@methusalix2's password:
>>>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>>>> -bash-4.1$
>>>> => SSH Login works (Kerberos PW is set).
>>>> 3. Let's browse Samba:
>>>> $ smbclient -U tuser -L methusalix2
>>>> Enter tuser's password:
>>>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>>>
>>>> Any ideas what's going wrong?
>>> Uhmm seem one of the samba attributes has not been properly changed ...
>> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
>> (=0).
>> I adapted it on a few users and the problem with the
>> NT_STATUS_PASSWORD_MUST_CHANGE went away.
>> Still the problem is what happens when they change their password again.
>> It looks like ldap passwd sync=yes should normally keep track of that.
>> Any ideas how I can get that running?
> As far as I can see our code does set sambaPwdLastset as well (exactly
> to avoid samba complain about must set).
>
> Can you do a test password change and verify if we always fail to set
> it ? And what are the values before/after the attempt (in either case) ?

After me switching to
ldap passwd sync = only
I cannot see it changing the values if already set.
But for new users it might not be set. As I have some without these
attributes set.
If I create a new user (say tuser2) as follows:
# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
---
Added user "tuser2"
---
User login: tuser2
First name: Test
Last name: User2
Full name: Test User2
Display name: Test User2
Initials: TU
Home directory: /home/tuser2
GECOS field: Test User2
Login shell: /bin/false
Kerberos principal: tus...@cl.atix
UID: 47374
GID: 47374
Password: False
Kerberos keys available: False
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

That attribute is not set.
Then I'll set a temporary password:

# ipa passwd tuser2
New Password:
Enter New Password again to verify:
-
Changed password for "tus...@cl.atix"
-

I'll change the temporary password:

$ ssh tuser2@methusalix2
tuser2@methusalix2's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser2.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.

I can login via ssh:
$ ssh tuser2@methusalix2
tuser2@methusalix2's password:
Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix

And the ldap attribute is still not set:
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

So the access via samba fails:
$ smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

When I fix the attribute manually:
# bash ~/add-sambapwdlastset2user.sh tuser2
Wrong value. Modifying to proper one..
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

I can access samba as follows:
smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]

Sharename Type Comment
Re: [Freeipa-users] Resynchronize Samba Passwort
On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
> On 11.10.2012 18:12, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> >> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
> >>>
> >> No they are integrated in the Kerberos Domain of IPA but not joined to
> >> the samba domain.
> >>> Ok. Sorry I'm using
> >>> ldap passwd sync=Yes
> >>> Is that wrong?
> > Yes, you should use "ldap passwd sync = only"
> Ok, I set it as suggested.
> >
> >> Further testing.
> >> I have a user called tuser.
> >> 1. Reset the password:
> >> ipaserver1 # ipa passwd tuser
> >> New Password:
> >> Enter New Password again to verify:
> >>
> >> Changed password for "tu...@cl.atix"
> >>
> >> 2. Login to another server via ssh:
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Password expired. Change your password now.
> >> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> >> WARNING: Your password has expired.
> >> You must change your password now and login again!
> >> Changing password for user tuser.
> >> Current Password:
> >> New password:
> >> Retype new password:
> >> passwd: all authentication tokens updated successfully.
> >> Connection to methusalix2 closed.
> >> $ ssh tuser@methusalix2
> >> tuser@methusalix2's password:
> >> Permission denied, please try again.
> >> tuser@methusalix2's password:
> >> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> >> -bash-4.1$
> >> => SSH Login works (Kerberos PW is set).
> >> 3. Let's browse Samba:
> >> $ smbclient -U tuser -L methusalix2
> >> Enter tuser's password:
> >> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> >>
> >> Any ideas what's going wrong?
> > Uhmm seem one of the samba attributes has not been properly changed ...
> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
> (=0).
> I adapted it on a few users and the problem with the
> NT_STATUS_PASSWORD_MUST_CHANGE went away.
> Still the problem is what happens when they change their password again.
> It looks like ldap passwd sync=yes should normally keep track of that.
> Any ideas how I can get that running?

As far as I can see our code does set sambaPwdLastset as well (exactly
to avoid samba complain about must set).

Can you do a test password change and verify if we always fail to set
it ? And what are the values before/after the attempt (in either case) ?

> You also mentioned that one can use ldappasswd to get Samba to change
> the passwords per user.
> How should this be done?
> passwd program = /usr/bin/ldappasswd ??

Samba uses the ldappasswd control when you set ldap passwd sync = only
Nothing else is required

> >
> > This is IPA on RHEL6.3 ?
> Yes RHEL6.3 plain.
> >
> > Can you check if the user has the attribute sambaPwdMustChange set ?
> No not anywhere. See above (sambaPwdLastSet).

Ok perfect, this means it is not used (as I thought) and was deprecated.
(Dmitri this means we do not need to track)

> > Apparently the IPA password plugin does not touch it.
> No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?

It should and we have code in the 2.2 and 3.0 branches to do it.
I wonder if we have a bug in the RHEL6.3 version, if you can do the test
above we can try to narrow down what's happening.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Resynchronize Samba Passwort
On Fri, 2012-10-12 at 09:38 -0400, Dmitri Pal wrote:
> >> Can you check if the user has the attribute sambaPwdMustChange set ?
>
> Should we open a ticket to manage this attribute?

I thought I had a reason why it wasn't needed, but I may be wrong.
I want to make sure it is/isn't but if you want to track it immediately
that is ok, we can always close as invalid later if it turns out it is not
needed.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Resynchronize Samba Passwort
On 10/12/2012 07:20 AM, Marc Grimme wrote:
> On 11.10.2012 18:12, Simo Sorce wrote:
>> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>>> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
>>> No they are integrated in the Kerberos Domain of IPA but not joined to
>>> the samba domain.
>>> Ok. Sorry I'm using
>>> ldap passwd sync=Yes
>>> Is that wrong?
>> Yes, you should use "ldap passwd sync = only"
> Ok, I set it as suggested.
>>> Further testing.
>>> I have a user called tuser.
>>> 1. Reset the password:
>>> ipaserver1 # ipa passwd tuser
>>> New Password:
>>> Enter New Password again to verify:
>>>
>>> Changed password for "tu...@cl.atix"
>>>
>>> 2. Login to another server via ssh:
>>> $ ssh tuser@methusalix2
>>> tuser@methusalix2's password:
>>> Password expired. Change your password now.
>>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user tuser.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> passwd: all authentication tokens updated successfully.
>>> Connection to methusalix2 closed.
>>> $ ssh tuser@methusalix2
>>> tuser@methusalix2's password:
>>> Permission denied, please try again.
>>> tuser@methusalix2's password:
>>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>>> -bash-4.1$
>>> => SSH Login works (Kerberos PW is set).
>>> 3. Let's browse Samba:
>>> $ smbclient -U tuser -L methusalix2
>>> Enter tuser's password:
>>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>>
>>> Any ideas what's going wrong?
>> Uhmm seem one of the samba attributes has not been properly changed ...
> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
> (=0).
> I adapted it on a few users and the problem with the
> NT_STATUS_PASSWORD_MUST_CHANGE went away.
> Still the problem is what happens when they change their password again.
> It looks like ldap passwd sync=yes should normally keep track of that.
> Any ideas how I can get that running?
>
> You also mentioned that one can use ldappasswd to get Samba to change
> the passwords per user.
> How should this be done?
> passwd program = /usr/bin/ldappasswd ??
>
>> This is IPA on RHEL6.3 ?
> Yes RHEL6.3 plain.
>> Can you check if the user has the attribute sambaPwdMustChange set ?

Should we open a ticket to manage this attribute?

> No not anywhere. See above (sambaPwdLastSet).
>> Apparently the IPA password plugin does not touch it.
> No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?
>> Simo.
>>
> Marc.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Resynchronize Samba Passwort
On 11.10.2012 18:12, Simo Sorce wrote:
> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
>>>
>> No they are integrated in the Kerberos Domain of IPA but not joined to
>> the samba domain.
>>> Ok. Sorry I'm using
>>> ldap passwd sync=Yes
>>> Is that wrong?
> Yes, you should use "ldap passwd sync = only"

Ok, I set it as suggested.

>
>> Further testing.
>> I have a user called tuser.
>> 1. Reset the password:
>> ipaserver1 # ipa passwd tuser
>> New Password:
>> Enter New Password again to verify:
>>
>> Changed password for "tu...@cl.atix"
>>
>> 2. Login to another server via ssh:
>> $ ssh tuser@methusalix2
>> tuser@methusalix2's password:
>> Password expired. Change your password now.
>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user tuser.
>> Current Password:
>> New password:
>> Retype new password:
>> passwd: all authentication tokens updated successfully.
>> Connection to methusalix2 closed.
>> $ ssh tuser@methusalix2
>> tuser@methusalix2's password:
>> Permission denied, please try again.
>> tuser@methusalix2's password:
>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>> -bash-4.1$
>> => SSH Login works (Kerberos PW is set).
>> 3. Let's browse Samba:
>> $ smbclient -U tuser -L methusalix2
>> Enter tuser's password:
>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>
>> Any ideas what's going wrong?
> Uhmm seem one of the samba attributes has not been properly changed ...

Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
(=0).
I adapted it on a few users and the problem with the
NT_STATUS_PASSWORD_MUST_CHANGE went away.
Still the problem is what happens when they change their password again.
It looks like ldap passwd sync=yes should normally keep track of that.
Any ideas how I can get that running?

You also mentioned that one can use ldappasswd to get Samba to change
the passwords per user.
How should this be done?
passwd program = /usr/bin/ldappasswd ??

>
> This is IPA on RHEL6.3 ?

Yes RHEL6.3 plain.

>
> Can you check if the user has the attribute sambaPwdMustChange set ?

No not anywhere. See above (sambaPwdLastSet).

> Apparently the IPA password plugin does not touch it.

No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?

>
> Simo.
>

Marc.

--
Marc Grimme
Re: [Freeipa-users] Resynchronize Samba Passwort
On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> >> On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> >> They are changing their passwords via ssh, sssd (kpasswd underneath) or
> >> directly over kpasswd.
> >>
> >> BTW: What would be the recommended way to re change their password
> >> afterwards again?
> >
> > Those methods are fine.
> > Are you sure the affected users didn't change their password via their
> > Windows clients ? Are their clients joined to the samba domain ?
> No they are integrated in the Kerberos Domain of IPA but not joined to
> the samba domain.
> >
> >> Probably (ldap passwd sync=Yes). Up to now I recommended to use
> >> ssh/sssd combination for passwd change to those users.
> >>>
> >> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> >> ldap sync.
> >> The only relevant option I've set is ldap passwd sync = Yes.
> >
> > I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
> > and the 'only' option. It has been in samba for a long time (I think
> > since 3.0.x)
> Ok. Sorry I'm using
> ldap passwd sync=Yes
> Is that wrong?

Yes, you should use "ldap passwd sync = only"

> >> Not that I know of.
> >> How can I do this?
> >
> > You can do it with a custom user and custom ACIs.
> >
> Further testing.
> I have a user called tuser.
> 1. Reset the password:
> ipaserver1 # ipa passwd tuser
> New Password:
> Enter New Password again to verify:
>
> Changed password for "tu...@cl.atix"
>
> 2. Login to another server via ssh:
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Password expired. Change your password now.
> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
> $ ssh tuser@methusalix2
> tuser@methusalix2's password:
> Permission denied, please try again.
> tuser@methusalix2's password:
> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> -bash-4.1$
> => SSH Login works (Kerberos PW is set).
> 3. Let's browse Samba:
> $ smbclient -U tuser -L methusalix2
> Enter tuser's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>
> Any ideas what's going wrong?

Uhmm seem one of the samba attributes has not been properly changed ...

This is IPA on RHEL6.3 ?

Can you check if the user has the attribute sambaPwdMustChange set ?
Apparently the IPA password plugin does not touch it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Resynchronize Samba Passwort
On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
> On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
>> On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
>> They are changing their passwords via ssh, sssd (kpasswd underneath) or
>> directly over kpasswd.
>>
>> BTW: What would be the recommended way to re change their password
>> afterwards again?
>
> Those methods are fine.
> Are you sure the affected users didn't change their password via their
> Windows clients ? Are their clients joined to the samba domain ?

No they are integrated in the Kerberos Domain of IPA but not joined to
the samba domain.

>
>> Probably (ldap passwd sync=Yes). Up to now I recommended to use
>> ssh/sssd combination for passwd change to those users.
>>>
>> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
>> ldap sync.
>> The only relevant option I've set is ldap passwd sync = Yes.
>
> I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
> and the 'only' option. It has been in samba for a long time (I think
> since 3.0.x)

Ok. Sorry I'm using
ldap passwd sync=Yes
Is that wrong?

>
>> Not that I know of.
>> How can I do this?
>
> You can do it with a custom user and custom ACIs.
>

Further testing.
I have a user called tuser.
1. Reset the password:
ipaserver1 # ipa passwd tuser
New Password:
Enter New Password again to verify:

Changed password for "tu...@cl.atix"

2. Login to another server via ssh:
$ ssh tuser@methusalix2
tuser@methusalix2's password:
Password expired. Change your password now.
Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.
$ ssh tuser@methusalix2
tuser@methusalix2's password:
Permission denied, please try again.
tuser@methusalix2's password:
Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
-bash-4.1$
=> SSH Login works (Kerberos PW is set).
3. Let's browse Samba:
$ smbclient -U tuser -L methusalix2
Enter tuser's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

Any ideas what's going wrong?

Thanks
Marc.

--
Marc Grimme
Re: [Freeipa-users] Resynchronize Samba Passwort
On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> > On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> >> Hello together,
> >> we are running IPA on RHEL6.3 for quite some time.
> >> We are also using IPA to provide the LDAP backend for our samba
> >> configuration.
> >> Normally everything is running quite ok.
> >>
> >> But from time to time some people inform me that their samba password is
> >> not in sync with their password in IPA.
> >> Mostly this is working but a few different people are informing me about
> >> that.
> >> So is there a way to "resync" the password to the ones in LDAP
> >> (userPassword, sambaNTPassword)?
> >
> > We do not have code to do that now (although we have some code in 3.0
> > that is capable of doing that so it is technically possible), but this
> > shouldn't happen in the first place.
> >
> > Do you have any information about how the password was changed by these
> > users ?
> They are changing their passwords via ssh, sssd (kpasswd underneath) or
> directly over kpasswd.
>
> BTW: What would be the recommended way to re change their password
> afterwards again?

Those methods are fine.
Are you sure the affected users didn't change their password via their
Windows clients ? Are their clients joined to the samba domain ?

> > Are you allowing samba to change the password ?
> Probably (ldap passwd sync=Yes). Up to now I recommended to use
> ssh/sssd combination for passwd change to those users.
> >
> > If so are you using the option 'ldap sync only = Only' ? If you do not
> > use this setting that is most likely the problem.
> > If you do then it may be a bug in samba.
> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> ldap sync.
> The only relevant option I've set is ldap passwd sync = Yes.

I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
and the 'only' option. It has been in samba for a long time (I think
since 3.0.x)

> > Have you given samba access for writing to the sambaNTPassword
> > attribute ?
> > (you shouldn't, samba should be allowed only to read).
> Not that I know of.
> How can I do this?

You can do it with a custom user and custom ACIs.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
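The smb.conf parameter Simo points to, as an added example that is not from the thread and not Samba's or FreeIPA's code: a POSIX shell check that reads the [global] section of an smb.conf and reports the `ldap passwd sync` mode, with the weak configuration (`Yes`, which makes Samba rewrite the LDAP password itself through its own bind and so bypass the IPA password plugin) beside the corrected one (`only`, which makes Samba send the LDAP password-modify extended operation so the directory derives the Kerberos keys and the samba* hashes together). The two smb.conf fragments are constructed; the workgroup, host name and suffix in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: report the "ldap passwd
# sync" mode configured in an smb.conf [global] section.
#
#   yes  - Samba writes userPassword/sambaNTPassword itself through its LDAP
#          bind, bypassing the IPA password plugin (needs write access that
#          Samba should not have; see the thread)
#   only - Samba sends the LDAP password-modify extended operation and lets
#          the directory (IPA) derive Kerberos keys and the samba* hashes
#   no   - Samba's default; Samba-side changes never reach userPassword
#
# Both fragments below are constructed; host, workgroup and suffix are placeholders.

WEAK_CONF='[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ipaserver1.example.com
   ldap suffix = dc=example,dc=com
   ldap passwd sync = Yes
'

FIXED_CONF='[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:ldap://ipaserver1.example.com
   ldap suffix = dc=example,dc=com
   ldap passwd sync = only
'

# Print the lower-cased value of "ldap passwd sync" from [global], or "no"
# when it is not set there. Names are matched case-insensitively; the
# single-space spelling is assumed (Samba also ignores whitespace inside
# parameter names, which this simplified parser does not).
ldap_passwd_sync_mode() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { section = tolower($0); gsub(/[][ \t]/, "", section); next }
        section == "global" && tolower($0) ~ /^[ \t]*ldap[ \t]+passwd[ \t]+sync[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            val = tolower($0)
        }
        END { print (val == "" ? "no" : val) }'
}

# Exit 0 only for the safe setting; print a one-line verdict either way.
check_ldap_passwd_sync() {
    mode=$(ldap_passwd_sync_mode "$1")
    case "$mode" in
        only) echo "ok: ldap passwd sync = only"; return 0 ;;
        yes)  echo "weak: ldap passwd sync = yes (Samba rewrites the LDAP password itself)"; return 1 ;;
        *)    echo "weak: ldap passwd sync = $mode (Samba-side changes never reach userPassword)"; return 1 ;;
    esac
}

# Stand-alone run against the two fragments; on a real host use
#   check_ldap_passwd_sync "$(cat /etc/samba/smb.conf)"
check_ldap_passwd_sync "$WEAK_CONF" || true
check_ldap_passwd_sync "$FIXED_CONF"
```

With `only`, Samba never needs write access to userPassword or sambaNTPassword, which is what lets the read-only bind account plus custom ACIs that Simo mentions work: a Samba that cannot write the hashes cannot desynchronise them either.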
Re: [Freeipa-users] Resynchronize Samba Passwort
On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
>> Hello together,
>> we are running IPA on RHEL6.3 for quite some time.
>> We are also using IPA to provide the LDAP backend for our samba
>> configuration.
>> Normally everything is running quite ok.
>>
>> But from time to time some people inform me that their samba password is
>> not in sync with their password in IPA.
>> Mostly this is working but a few different people are informing me about
>> that.
>> So is there a way to "resync" the password to the ones in LDAP
>> (userPassword, sambaNTPassword)?
>
> We do not have code to do that now (although we have some code in 3.0
> that is capable of doing that so it is technically possible), but this
> shouldn't happen in the first place.
>
> Do you have any information about how the password was changed by these
> users ?

They are changing their passwords via ssh, sssd (kpasswd underneath) or
directly over kpasswd.

BTW: What would be the recommended way to re change their password
afterwards again?

>
> Are you allowing samba to change the password ?

Probably (ldap passwd sync=Yes). Up to now I recommended to use
ssh/sssd combination for passwd change to those users.

>
> If so are you using the option 'ldap sync only = Only' ? If you do not
> use this setting that is most likely the problem.
> If you do then it may be a bug in samba.

I'm using samba 3.5 (part of RHEL6) and there seems to be no option
ldap sync.
The only relevant option I've set is ldap passwd sync = Yes.

>
> Have you given samba access for writing to the sambaNTPassword
> attribute ?
> (you shouldn't, samba should be allowed only to read).

Not that I know of.
How can I do this?

>
> Simo.
>

--
Marc Grimme
Re: [Freeipa-users] Resynchronize Samba Passwort
On Wed, 2012-10-10 at 17:11 +0200, Marc Grimme wrote:
> Hello together,
> we are running IPA on RHEL6.3 for quite some time.
> We are also using IPA to provide the LDAP backend for our samba
> configuration.
> Normally everything is running quite ok.
>
> But from time to time some people inform me that their samba password is
> not in sync with their password in IPA.
> Mostly this is working but a few different people are informing me about
> that.
> So is there a way to "resync" the password to the ones in LDAP
> (userPassword, sambaNTPassword)?

We do not have code to do that now (although we have some code in 3.0
that is capable of doing that so it is technically possible), but this
shouldn't happen in the first place.

Do you have any information about how the password was changed by these
users ?

Are you allowing samba to change the password ?
If so are you using the option 'ldap sync only = Only' ? If you do not
use this setting that is most likely the problem.
If you do then it may be a bug in samba.

Have you given samba access for writing to the sambaNTPassword
attribute ?
(you shouldn't, samba should be allowed only to read).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Resynchronize Samba Passwort
Hello together,
we are running IPA on RHEL6.3 for quite some time.
We are also using IPA to provide the LDAP backend for our samba
configuration.
Normally everything is running quite ok.

But from time to time some people inform me that their samba password is
not in sync with their password in IPA.
Mostly this is working but a few different people are informing me about
that.
So is there a way to "resync" the password to the ones in LDAP
(userPassword, sambaNTPassword)?

Thanks for your help.
Regards Marc.

--
Marc Grimme