[Freeipa-users] Resynchronize Samba Password

Marc Grimme grimme at atix.de
Wed Oct 17 06:38:30 UTC 2012


On 16.10.2012 23:40, Simo Sorce wrote:
> On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
>> On 10/16/2012 05:21 AM, Simo Sorce wrote:
>>> On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
>>>> On 15.10.2012 15:50, Simo Sorce wrote:
>>>>> On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
>>>>>> On 14.10.2012 23:14, Simo Sorce wrote:
>>>>>>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
>>>>>>> Right I am ok with sambaPwdMustChange not being set. That's all good.
>>>>>>> What about sambaPwdLastSet ?
>>>>>> Not set when a user is created new.
>>>>> It should be set when you give the user a password as long as the
>>>>> sambaSamAccount objectclass is added to the user.
>>>>>
>>>>>> When I change the password:
>>>>>> sambaPwdLastSet: 0
>>>>> If this is when you set the password as an admin, it is expected.
>>>> Ok, understood. But it should change when the user resets his/her
>>>> password, right?
>>>> And that is not happening.
>>>> When the user sets his/her password the sambaPwdLastSet stays untouched.
>>> That's odd, how does the user change the password ?
>>>
>>>>>> Not working with samba!
>>>>>> Need to apply my script (see below).
>>>>> Let me ask one thing, are you changing the password as a user ?
>>>>> Or have you tested only setting the password as admin ?
>>>> I set the initial password as admin.
>>>> Then the user logs in to a server (sssd, ssh, ipa-member) and is
>>>> requested to change his/her password. This works but the sambaPwdLastSet
>>>> stays untouched.
>>> Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
>>>
>>>>> If the latter this applies:
>>>>> http://www.freeipa.org/page/NewPasswordsExpired
>>>> Checked it. But that was my understanding nevertheless.
>>>>> I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
>>>>>
>>>>>
>>>>> Simo.
>>>>>
>>>> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
>>>> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
>>>> -------------------
>>>> Added user "tuser2"
>>>> -------------------
>>>>    User login: tuser2
>>>>    First name: Test
>>>>    Last name: User2
>>>>    Full name: Test User2
>>>>    Display name: Test User2
>>>>    Initials: TU
>>>>    Home directory: /home/tuser2
>>>>    GECOS field: Test User2
>>>>    Login shell: /bin/false
>>>>    Kerberos principal: tuser2@CL.ATIX
>>>>    UID: 473000078
>>>>    GID: 473000078
>>>>    Password: False
>>>>    Kerberos keys available: False
>>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>>> sambaSID
>>>> SASL/GSSAPI authentication started
>>>> SASL username: admin@CL.ATIX
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>>> sambaSID: S-1-5-21-xx-xx-xx-assign
>>>>
>>>> The following objectclasses are being set when creating a new user:
>>>> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
>>>> objectClass
>>>> SASL/GSSAPI authentication started
>>>> SASL username: admin@CL.ATIX
>>>> SASL SSF: 56
>>>> SASL data security layer installed.
>>>> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalperson
>>>> objectClass: inetorgperson
>>>> objectClass: inetuser
>>>> objectClass: posixaccount
>>>> objectClass: krbprincipalaux
>>>> objectClass: krbticketpolicyaux
>>>> objectClass: ipaobject
>>>> objectClass: sambaSAMAccount
>>>> objectClass: ipasshuser
>>>> objectClass: ipaSshGroupOfPubKeys
>>>> objectClass: mepOriginEntry
>>>>
>>>> Thanks for your help
>>> Seems like a DNA bug ... then,
>>>
>>> Nathan do you have any idea ?
>> What DNA configuration is used?
> From a previous mail this looks to be the config.
>
> Marc is this still correct ?
>
> Although my configuration looks ok, doesn't it?
> # ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
> Enter LDAP Password:
> dn: cn=SambaSid,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-1310149461-105972258-
> dnainterval: 1
> dnamagicregen: assign
> dnafilter:
> (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
> dnascope: dc=atix,dc=cl
> cn: SambaSid
> dnanextvalue: 15400
Yes, didn't change anything.

And I already tried --setattr=sambaSid=assign and
--setattr=sambaSid=S-1-5-..-assign. Both didn't lead to an attribute
sambaSid being set per user.

Thanks Marc.

-- 

Marc Grimme

E-Mail: grimme( at )atix.de
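
Added example, not part of the original message and not FreeIPA or 389-ds code: the DNA plugin only assigns values to entries that lie under `dnascope` and match `dnafilter`, so this Python check runs those two tests on the configuration and user entry quoted in this thread. The function names and the simplified DN and filter parsing (no escaped commas, objectclass-only filters) are assumptions made for illustration.

```python
import re

# Constructed from the values quoted in this thread (wrapped LDIF lines joined).
DNA_CONFIG = {
    "dnatype": "sambaSID",
    "dnafilter": "(|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))",
    "dnascope": "dc=atix,dc=cl",
    "dnamagicregen": "assign",
}
ENTRY = {
    "dn": "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix",
    "objectclass": ["top", "person", "posixaccount", "sambaSAMAccount"],
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    parts = [p.strip().lower() for p in dn.split(",") if p.strip()]
    return [re.sub(r"\s*=\s*", "=", p) for p in parts]

def in_scope(entry_dn, scope_dn):
    """True if entry_dn equals scope_dn or lies beneath it in the tree."""
    e, s = rdns(entry_dn), rdns(scope_dn)
    return len(s) <= len(e) and e[len(e) - len(s):] == s

def filter_matches(dnafilter, objectclasses):
    """Evaluate a filter made only of (objectclass=X) terms joined by | or &."""
    wanted = re.findall(r"\(objectclass=([^()]+)\)", dnafilter, re.I)
    have = {oc.lower() for oc in objectclasses}
    hits = [w.strip().lower() in have for w in wanted]
    is_and = dnafilter.lstrip("( ").startswith("&")
    return bool(hits) and (all(hits) if is_and else any(hits))

def dna_eligibility(config, entry):
    """Return the reasons DNA would skip this entry (empty list = eligible)."""
    problems = []
    if not in_scope(entry["dn"], config["dnascope"]):
        problems.append(f"entry DN is not under dnascope {config['dnascope']!r}")
    if not filter_matches(config["dnafilter"], entry["objectclass"]):
        problems.append("entry does not match dnafilter")
    return problems

if __name__ == "__main__":
    for line in dna_eligibility(DNA_CONFIG, ENTRY) or ["entry is eligible"]:
        print(line)
```

With the values quoted above, the filter matches, but the entry DN ends in `dc=cl,dc=atix` while `dnascope` is `dc=atix,dc=cl`, so the scope check is the one that fails.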



