[Freeipa-users] Resynchronize Samba Passwort

Rob Crittenden rcritten at redhat.com
Fri Oct 12 19:12:44 UTC 2012


Marc Grimme wrote:
> Am 12.10.2012 16:19, schrieb Simo Sorce:
>> On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
>>> Am 11.10.2012 18:12, schrieb Simo Sorce:
>>>> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>>>>> On Do 11 Okt 2012 14:37:57 CEST, Simo Sorce wrote:
>>>>> No they are integrated in the Kerberos Domain of IPA but not joined to
>>>>> the samba domain.
>>>>>> Ok. Sorry I'm using ldap passwd sync=Yes Is that wrong?
>>>> Yes, you should use "ldap passwd sync = only"
>>> Ok, I set it as suggested.
>>>>> Further testing.
>>>>> I have a user called tuser.
>>>>> 1. Reset the password:
>>>>> ipaserver1 # ipa passwd tuser
>>>>> New Password:
>>>>> Enter New Password again to verify:
>>>>> ------------------------------------
>>>>> Changed password for "tuser@CL.ATIX"
>>>>> ------------------------------------
>>>>> 2. Login to another server via ssh:
>>>>> $ ssh tuser@methusalix2
>>>>> tuser@methusalix2's password:
>>>>> Password expired. Change your password now.
>>>>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>>>>> WARNING: Your password has expired.
>>>>> You must change your password now and login again!
>>>>> Changing password for user tuser.
>>>>> Current Password:
>>>>> New password:
>>>>> Retype new password:
>>>>> passwd: all authentication tokens updated successfully.
>>>>> Connection to methusalix2 closed.
>>>>> $ ssh tuser@methusalix2
>>>>> tuser@methusalix2's password:
>>>>> Permission denied, please try again.
>>>>> tuser@methusalix2's password:
>>>>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>>>>> -bash-4.1$
>>>>> => SSH Login works (Kerberos PW is set).
>>>>> 3. Let's browse Samba:
>>>>> $ smbclient -U tuser -L methusalix2
>>>>> Enter tuser's password:
>>>>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>>>>
>>>>> Any ideas what's going wrong?
>>>> Uhmm, seems one of the samba attributes has not been properly changed ...
>>> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
>>> (=0).
>>> I adapted it on a few users and the problem with the
>>> NT_STATUS_PASSWORD_MUST_CHANGE went away.
>>> Still the problem is what happens when they change their password again.
>>> It looks like ldap passwd sync=yes should normally keep track of that.
>>> Any ideas how I can get that running?
>> As far as I can see our code does set sambaPwdLastSet as well (exactly
>> to avoid samba complaining about must set).
>>
>> Can you do a test password change and verify if we always fail to set
>> it? And what are the values before/after the attempt (in either case)?
> After me switching to
> ldap passwd sync = only
> I cannot see it changing the values if already set.
> But for new users it might not be set. As I have some without these
> attributes set.
> If I create a new user (say tuser2) as follows:
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
> -------------------
> Added user "tuser2"
> -------------------
>    User login: tuser2
>    First name: Test
>    Last name: User2
>    Full name: Test User2
>    Display name: Test User2
>    Initials: TU
>    Home directory: /home/tuser2
>    GECOS field: Test User2
>    Login shell: /bin/false
>    Kerberos principal: tuser2@CL.ATIX
>    UID: 473000074
>    GID: 473000074
>    Password: False
>    Kerberos keys available: False
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>
> That attribute is not set.
> Then I'll set a temporary password:
>
> # ipa passwd tuser2
> New Password:
> Enter New Password again to verify:
> -------------------------------------
> Changed password for "tuser2@CL.ATIX"
> -------------------------------------
>
> I'll change the temporary password:
>
> $ ssh tuser2@methusalix2
> tuser2@methusalix2's password:
> Password expired. Change your password now.
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user tuser2.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to methusalix2 closed.
>
> I can login via ssh:
> $ ssh tuser2@methusalix2
> tuser2@methusalix2's password:
> Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix
>
> And the ldap attribute is still not set:
> # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaPwdMustChange
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>
> So the access via samba fails:
> $ smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>
> When I fix the attribute manually:
> # bash ~/add-sambapwdlastset2user.sh tuser2
> Wrong value. Modifying to proper one..
> SASL/GSSAPI authentication started
> SASL username: admin@CL.ATIX
> SASL SSF: 56
> SASL data security layer installed.
> modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>
> I can access samba as follows:
> smbclient -U tuser2 -L methusalix2 -D ATIX2
> Enter tuser2's password:
> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
>
>      Sharename       Type      Comment
> ..
>
> So the initial setup seems to be the problem, right?
>
> Besides:
> It also looks like the Distributed Numeric Assignment Plugin seems not
> to be working, as I always have to manually specify the SID of the user:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
>
> Although my configuration looks ok, doesn't it?
> # ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
> Enter LDAP Password:
> dn: cn=SambaSid,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-1310149461-105972258-
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
> dnascope: dc=atix,dc=cl
> cn: SambaSid
> dnanextvalue: 15400

For DNA to kick in the attribute you want to set needs to have the magic 
regen value in it, in this case the string "assign". So when adding a 
new user you want to have --setattr sambaSID=assign. Or you could create 
a small IPA plugin to add this automatically.

Incidentally, the 389-ds team recommends against using string values for 
the DNA magic value.

rob
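The thread turns on two attributes an IPA user needs before Samba will accept a login: a sambaSID (which DNA only fills in when the entry is added with the magic value, i.e. --setattr sambaSID=assign, as Rob says) and a non-zero sambaPwdLastSet (the missing-or-zero case Marc hit, which Samba reports as NT_STATUS_PASSWORD_MUST_CHANGE). The script below is an added example, not Marc's add-sambapwdlastset2user.sh or anything from FreeIPA/Samba. It reads the LDIF that ldapsearch -LLL prints, flags entries with no sambaSID, and emits an ldapmodify LDIF that sets sambaPwdLastSet to a given Unix timestamp for entries where it is missing or 0, so the change can be reviewed before it is applied. The sample LDIF at the bottom is constructed; the base DN, the function name and the pipeline into ldapmodify are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit Samba attributes on IPA user
# entries and produce a repair LDIF for sambaPwdLastSet.
#
# Assumed real-world invocation (review the output before applying it):
#   ldapsearch -LLL -x -b "cn=users,cn=accounts,dc=example,dc=com" \
#       "(objectclass=sambasamaccount)" sambaSID sambaPwdLastSet \
#     | samba_pwd_fix_ldif > fix.ldif
#   ldapmodify -Y GSSAPI -f fix.ldif
#
# Caveat: ldapsearch folds values longer than 76 characters onto
# continuation lines; DNs and SIDs of the size seen here are not folded,
# so this parser treats every attribute as a single line.

# samba_pwd_fix_ldif [TIMESTAMP]
# Reads LDIF entries on stdin. For each entry:
#   - prints an LDIF comment if sambaSID is absent (DNA never ran; the
#     entry should have been added with --setattr sambaSID=assign)
#   - prints a "changetype: modify" record that replaces sambaPwdLastSet
#     with TIMESTAMP (default: now) if the attribute is missing or 0
samba_pwd_fix_ldif() {
    now="${1:-$(date +%s)}"
    awk -v now="$now" '
        function flush() {
            if (dn == "") return
            if (sid == "")
                printf("# %s: no sambaSID; add users with --setattr sambaSID=assign so DNA fills it\n", dn)
            if (last == "" || last == "0")
                printf("dn: %s\nchangetype: modify\nreplace: sambaPwdLastSet\nsambaPwdLastSet: %s\n\n", dn, now)
            dn = ""; sid = ""; last = ""
        }
        /^dn: /              { flush(); dn = substr($0, 5); next }
        /^sambaSID: /        { sid = $2; next }
        /^sambaPwdLastSet: / { last = $2; next }
        /^$/                 { flush() }
        END                  { flush() }
    '
}

# Constructed sample: tuser2 has a SID but no sambaPwdLastSet (Marc's case),
# tuser3 has neither a SID nor a usable timestamp, tuser4 is healthy.
SAMPLE_LDIF='dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-1310149461-105972258-15305

dn: uid=tuser3,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdLastSet: 0

dn: uid=tuser4,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-1310149461-105972258-15306
sambaPwdLastSet: 1350000000
'

# Demo run with a fixed timestamp so the output is reproducible.
printf '%s\n' "$SAMPLE_LDIF" | samba_pwd_fix_ldif 1350057600
```

Running the demo prints two modify records (tuser2 and tuser3) plus a comment line for tuser3; tuser4 produces nothing. Writing the timestamp rather than 0 is what turns Samba's must-change verdict off, which matches what Marc observed when he fixed the attribute by hand.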
