[Freeipa-users] Resynchronize Samba Password

Simo Sorce simo at redhat.com
Thu Oct 11 16:12:05 UTC 2012


On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
> > On Thu, 2012-10-11 at 09:43 +0200, Marc Grimme wrote:
> >> On Wed 10 Oct 2012 17:54:22 CEST, Simo Sorce wrote:
> >> They are changing their passwords via ssh, sssd (kpasswd underneath) or
> >> directly over kpasswd.
> >>
> >> BTW: What would be the recommended way to re change their password
> >> afterwards again?
> >
> > Those methods are fine.
> > Are you sure the affected users didn't change their password via their
> > Windows clients ? Are their clients joined to the samba domain ?
> No they are integrated in the Kerberos Domain of IPA but not joined to 
> the samba domain.
> >
> >> Probably (ldap passwd sync=Yes). Up to now I recommended to use
> >> ssh/sssd combination for passwd change to those users.
> >>>
> >> I'm using samba 3.5 (part of RHEL6) and there seems to be no option
> >> ldap sync.
> >> The only relevant option I've set is ldap passwd sync = Yes.
> >
> > I use RHEL6 as well and the smb.conf man page has 'ldap passwd sync'
> > and the 'only' option. It has been in samba for a long time (I think
> > since 3.0.x)
> Ok. Sorry I'm using
> ldap passwd sync=Yes
> Is that wrong?

Yes, you should use "ldap passwd sync = only"

> >> Not that I know of.
> >> How can I do this?
> >
> > You can do it with a custom user and custom ACIs.
> >
> Further testing.
> I have a user called tuser.
> 1. Reset the password:
> ipaserver1 # ipa passwd tuser
> New Password:
> Enter New Password again to verify:
> ------------------------------------
> Changed password for "tuser at CL.ATIX"
> ------------------------------------
> 2. Login to another server via ssh:
> $ ssh tuser at methusalix2
> tuser at methusalix2's password:
> Password expired. Change your password now.
> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
> $ ssh tuser at methusalix2
> tuser at methusalix2's password:
> Permission denied, please try again.
> tuser at methusalix2's password:
> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
> -bash-4.1$
> => SSH Login works (Kerberos PW is set).
> 3. Let's browse Samba:
> $ smbclient -U tuser -L methusalix2
> Enter tuser's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
> 
> Any ideas what's going wrong?

Uhmm, it seems one of the samba attributes has not been properly changed ...

This is IPA on RHEL6.3?

Can you check if the user has the attribute sambaPwdMustChange set?
Apparently the IPA password plugin does not touch it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



