On 10/12/2012 07:20 AM, Marc Grimme wrote:
> On 11.10.2012 18:12, Simo Sorce wrote:
>> On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
>>> On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
>>> No they are integrated in the Kerberos Domain of IPA but not joined to
>>> the samba domain.
>>>> Ok. Sorry I'm using ldap passwd sync=Yes. Is that wrong?
>> Yes, you should use "ldap passwd sync = only"
> Ok, I set it as suggested.
>>> Further testing.
>>> I have a user called tuser.
>>> 1. Reset the password:
>>> ipaserver1 # ipa passwd tuser
>>> New Password:
>>> Enter New Password again to verify:
>>> ------------------------------------
>>> Changed password for "tu...@cl.atix"
>>> ------------------------------------
>>> 2. Login to another server via ssh:
>>> $ ssh tuser@methusalix2
>>> tuser@methusalix2's password:
>>> Password expired. Change your password now.
>>> Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user tuser.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> passwd: all authentication tokens updated successfully.
>>> Connection to methusalix2 closed.
>>> $ ssh tuser@methusalix2
>>> tuser@methusalix2's password:
>>> Permission denied, please try again.
>>> tuser@methusalix2's password:
>>> Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
>>> -bash-4.1$
>>> => SSH Login works (Kerberos PW is set).
>>> 3. Let's browse Samba:
>>> $ smbclient -U tuser -L methusalix2
>>> Enter tuser's password:
>>> session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
>>>
>>> Any ideas what's going wrong?
>> Uhmm, seems one of the samba attributes has not been properly changed ...
> Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
> (=0).
> I adapted it on a few users and the problem with the
> NT_STATUS_PASSWORD_MUST_CHANGE went away.
>
> Still the problem is what happens when they change their password again.
> It looks like ldap passwd sync=yes should normally keep track of that.
> Any ideas how I can get that running?
>
> You also mentioned that one can use ldappasswd to get Samba to change
> the passwords per user.
> How should this be done?
> passwd program = /usr/bin/ldappasswd ??
>
>> This is IPA on RHEL6.3 ?
> Yes RHEL6.3 plain.
>> Can you check if the user has the attribute sambaPwdMustChange set ?

Should we open a ticket to manage this attribute?

> No not anywhere. See above (sambaPwdLastSet).
>> Apparently the IPA password plugin does not touch it.
> No it doesn't. I'd say it should touch sambaPwdLastSet. Shouldn't it?
>> Simo.
>>
> Marc.
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
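As an added example (not code from the thread, from FreeIPA or from Samba), a small Python check for the symptom Marc describes: Samba-enabled accounts whose sambaPwdLastSet is missing or 0, which Samba treats as "password must change" regardless of the freshly set Kerberos password, together with the LDIF modify that applies his manual repair. The entries, DNs and SIDs are constructed sample data; in practice they would come from an LDAP search over the users container.

```python
import time

# Constructed sample directory entries (not real data): each dict holds the
# attributes Samba reads for one account. "sambaPwdLastSet = 0" or a missing
# attribute is what makes Samba answer NT_STATUS_PASSWORD_MUST_CHANGE even
# though the Kerberos password was just changed with "ipa passwd".
SAMPLE_ENTRIES = [
    {"dn": "uid=tuser,cn=users,cn=accounts,dc=example,dc=test",
     "uid": "tuser", "sambaSID": "S-1-5-21-1-2-3-1001", "sambaPwdLastSet": "0"},
    {"dn": "uid=ok,cn=users,cn=accounts,dc=example,dc=test",
     "uid": "ok", "sambaSID": "S-1-5-21-1-2-3-1002", "sambaPwdLastSet": "1349972537"},
    {"dn": "uid=noattr,cn=users,cn=accounts,dc=example,dc=test",
     "uid": "noattr", "sambaSID": "S-1-5-21-1-2-3-1003"},
    {"dn": "uid=posixonly,cn=users,cn=accounts,dc=example,dc=test",
     "uid": "posixonly"},  # no Samba attributes at all: Samba never sees it
]


def find_must_change(entries):
    """Return the uids of Samba-enabled accounts whose sambaPwdLastSet is
    missing or 0, i.e. the accounts Samba will force to change their password."""
    flagged = []
    for e in entries:
        if "sambaSID" not in e:          # not a Samba account, nothing to check
            continue
        if int(e.get("sambaPwdLastSet", "0")) == 0:
            flagged.append(e["uid"])
    return flagged


def ldif_set_pwd_last_set(dn, when=None):
    """Build the LDIF modify record that stamps sambaPwdLastSet with a Unix
    timestamp (defaults to now), the per-user repair described in the thread."""
    when = int(time.time()) if when is None else int(when)
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaPwdLastSet",
        f"sambaPwdLastSet: {when}",
        "",
    ])


if __name__ == "__main__":
    for uid in find_must_change(SAMPLE_ENTRIES):
        entry = next(e for e in SAMPLE_ENTRIES if e["uid"] == uid)
        print(ldif_set_pwd_last_set(entry["dn"]))
```

Stamping the attribute clears the immediate NT_STATUS_PASSWORD_MUST_CHANGE, but it does not answer the open question in the thread of who updates sambaPwdLastSet on the next password change.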