[Freeipa-users] Resynchronize Samba Password

Marc Grimme grimme at atix.de
Mon Oct 15 12:15:40 UTC 2012


On 14.10.2012 23:14, Simo Sorce wrote:
> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> Right I am ok with sambaPwdMustChange not being set. That's all good.
> What about sambaPwdLastSet ?
Not set when a user is created new.
When I change the password:
sambaPwdLastSet: 0
Not working with samba!
Need to apply my script (see below).

BTW: when I create a user as follows:
ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false --setattr=SambaSID=assign
The SambaSID is: just assign.
ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" sambaSID
SASL/GSSAPI authentication started
SASL username: admin at CL.ATIX
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: assign
Am I missing something or is this to be changed later on?

> Which attribute are you 'fixing' ?
> And how ?
I wrote a script that basically does the following.

# $1 is the uid of the user to check.
out=$(ldapsearch -LLL -b "uid=$1,cn=users,cn=accounts,dc=cl,dc=atix" sambaPwdLastSet 2>/dev/null)
if [ $? -ne 0 ]; then
   echo "Error during retrieving of sambaPwdLastSet.."
   exit 1
fi
# Extract the attribute value by name; empty if the attribute is not set.
# (Picking "line 2" fails here: $(...) strips the trailing blank line, so an
# entry without the attribute leaves only the dn line.)
pwdlastset=$(echo "$out" | sed -n 's/^sambaPwdLastSet: //p')
if [ -z "$pwdlastset" ]; then
  echo "Adding a pwdlastset time.."
  # Adding an attribute to an existing entry is a modify operation.
  ldapmodify <<EOF
dn: uid=$1,cn=users,cn=accounts,dc=cl,dc=atix
changetype: modify
add: sambaPwdLastSet
sambaPwdLastSet: 1344931739
EOF
elif [ "$pwdlastset" = "0" ]; then
  echo "Wrong value. Modifying to proper one.."
  ldapmodify <<EOF
dn: uid=$1,cn=users,cn=accounts,dc=cl,dc=atix
changetype: modify
replace: sambaPwdLastSet
sambaPwdLastSet: 1344931739
EOF
else
  echo "Everything ok. sambaPwdLastSet: $pwdlastset"
fi

>
> Can you show me the specific attribute you are 'fixing' before/after
> the password change and before/after the 'fix' ?
see above.
>> I can access samba as follows:
>> smbclient -U tuser2 -L methusalix2 -D ATIX2
>> Enter tuser2's password:
>> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
>>
>>     Sharename       Type      Comment
>> ..
>>
>> So the initial setup seems to be the problem, right?
> There seems to be an issue somewhere indeed, we need to narrow down to
> the exact change, then I can look in the code and see what's going on in
> there, as sambaPwdLastSet should be changed by the code.
Hope this helps.
Do you need more information?

-- 

Marc Grimme

E-Mail: grimme( at )atix.de

ATIX Informationstechnologie und Consulting AG | Einsteinstrasse 10 |
85716 Unterschleissheim | www.atix.de | www.comoonics.org