[Freeipa-users] Resynchronize Samba Password

Rob Crittenden rcritten at redhat.com
Mon Oct 15 14:03:29 UTC 2012


Marc Grimme wrote:
> On 14.10.2012 23:14, Simo Sorce wrote:
>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>> What about sambaPwdLastSet ?
> Not set when a user is created new.
> When I change the password:
> sambaPwdLastSet: 0
> Not working with samba!
> Need to apply my script (see below).
>
> BTW: when I create a user as follows:
> ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false --setattr=SambaSID=assign
> The SambaSID is: just assign.
> ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix" sambaSID
> SASL/GSSAPI authentication started
> SASL username: admin at CL.ATIX
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaSID: assign
> Am I missing something or is this to be changed later on?

What objectclasses is your user getting by default? Is it satisfying the 
DNA filter?

rob

>
>> Which attribute are you 'fixing' ?
>> And how ?
> I wrote a script that basically does the following.
>
> # Look up the current sambaPwdLastSet value for the user given as $1
> out=$(ldapsearch -LLL -b "uid=$1,cn=users,cn=accounts,dc=cl,dc=atix" \
>     sambaPwdLastSet 2>/dev/null)
> if [ $? -ne 0 ]; then
>     echo "Error during retrieving of sambaPwdLastSet.."
>     exit 1
> fi
> pwdlastset=$(echo "$out" | head -2 | tail -1 | cut -f2 -d " ")
> if [ -z "$pwdlastset" ]; then
>    echo "Adding a pwdlastset time.."
>    # Adding an attribute to an existing entry is a modify operation
>    ldapadd <<EOF
> dn: uid=$1,cn=users,cn=accounts,dc=cl,dc=atix
> changetype: modify
> add: sambaPwdLastSet
> sambaPwdLastSet: 1344931739
> EOF
> elif [ "$pwdlastset" = "0" ]; then
>    echo "Wrong value. Modifying to proper one.."
>    ldapmodify <<EOF
> dn: uid=$1,cn=users,cn=accounts,dc=cl,dc=atix
> changetype: modify
> replace: sambaPwdLastSet
> sambaPwdLastSet: 1344931739
> EOF
> else
>    echo "Everything ok. sambaPwdLastSet: $pwdlastset"
> fi
>
>>
>> Can you show me the specific attribute you are 'fixing' before/after
>> the password change and before/after the 'fix' ?
> see above.
>>> I can access samba as follows:
>>> smbclient -U tuser2 -L methusalix2 -D ATIX2
>>> Enter tuser2's password:
>>> Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]
>>>
>>>      Sharename       Type      Comment
>>> ..
>>>
>>> So the initial setup seems to be the problem, right?
>> There seems to be an issue somewhere indeed, we need to narrow down to
>> the exact change, then I can look in the code and see what's going on in
>> there, as sambaPwdLastSet should be changed by the code.
> Hope this helps.
> Do you need more information?
>
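
An added example, not part of the thread or of FreeIPA: the same check as the script quoted above, applied to every entry in an `ldapsearch -LLL` result and stamping the time passed in rather than a fixed value. The function names, the sample entries and the sample timestamp are constructed for illustration; base64-encoded `dn::` lines are not handled.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ldapsearch -LLL` output on stdin
# and writes ldapmodify LDIF for entries whose sambaPwdLastSet is missing or 0.

# samba_pwdlastset_fix NOW   (NOW = seconds since the epoch, e.g. $(date +%s))
samba_pwdlastset_fix() {
    awk -v now="$1" '
        function emit_entry() {
            if (dn == "") return
            if (!seen)           op = "add"      # attribute absent
            else if (val == "0") op = "replace"  # the value reported as failing
            else                 op = ""         # already has a real timestamp
            if (op != "") {
                printf "dn: %s\nchangetype: modify\n", dn
                printf "%s: sambaPwdLastSet\nsambaPwdLastSet: %s\n\n", op, now
            }
            dn = ""; seen = 0; val = ""
        }
        /^dn: /  { emit_entry(); dn = substr($0, 5); cont = "dn"; next }
        # LDIF folds long lines; a leading space continues the previous line
        /^ /     { if (cont == "dn") dn = dn substr($0, 2); next }
        /^$/     { emit_entry(); cont = ""; next }
        tolower($1) == "sambapwdlastset:" { seen = 1; val = $2 }
                 { cont = "" }
        END      { emit_entry() }
    '
}

# Constructed sample input: one entry without the attribute, one with 0,
# one with a real timestamp. The base DN is the one used in the thread.
sample_ldif() {
    cat <<'EOF'
dn: uid=tuser1,cn=users,cn=accounts,dc=cl,dc=atix

dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdLastSet: 0

dn: uid=tuser3,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdLastSet: 1344931739
EOF
}

# Stand-alone demonstration: print the LDIF that would be fed to ldapmodify.
sample_ldif | samba_pwdlastset_fix "$(date +%s)"
```

Review the generated LDIF before piping it into `ldapmodify`; entries that already carry a non-zero value produce no output.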



