Marc Grimme wrote:
On 12.10.2012 16:19, Simo Sorce wrote:
On Fri, 2012-10-12 at 13:20 +0200, Marc Grimme wrote:
On 11.10.2012 18:12, Simo Sorce wrote:
On Thu, 2012-10-11 at 17:48 +0200, Marc Grimme wrote:
On Thu 11 Oct 2012 14:37:57 CEST, Simo Sorce wrote:
No they are integrated in the Kerberos Domain of IPA but not joined to
the samba domain.
Ok. Sorry, I'm using ldap passwd sync=Yes. Is that wrong?
Yes, you should use "ldap passwd sync = only"
Ok, I set it as suggested.
Further testing.
I have a user called tuser.
1. Reset the password:
ipaserver1 # ipa passwd tuser
New Password:
Enter New Password again to verify:
------------------------------------
Changed password for "tu...@cl.atix"
------------------------------------
2. Login to another server via ssh:
$ ssh tuser@methusalix2
tuser@methusalix2's password:
Password expired. Change your password now.
Last login: Thu Oct 11 17:41:47 2012 from 10.8.0.138
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.
$ ssh tuser@methusalix2
tuser@methusalix2's password:
Permission denied, please try again.
tuser@methusalix2's password:
Last login: Thu Oct 11 17:42:17 2012 from 10.8.0.138
-bash-4.1$
=> SSH Login works (Kerberos PW is set).
3. Let's browse Samba:
$ smbclient -U tuser -L methusalix2
Enter tuser's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

Any ideas what's going wrong?
Uhmm, it seems one of the samba attributes has not been properly changed ...
Yes. I realized the attribute sambaPwdLastSet was not set or wrongly set
(=0).
I adapted it on a few users and the problem with the
NT_STATUS_PASSWORD_MUST_CHANGE went away.
Still the problem is what happens when they change their password again.
It looks like ldap passwd sync=yes should normally keep track of that.
Any ideas how I can get that running?
As far as I can see our code does set sambaPwdLastset as well (exactly
to avoid samba complain about must set).

Can you do a test password change and verify if we always fail to set
it? And what are the values before/after the attempt (in either case)?
After me switching to
ldap passwd sync = only
I cannot see it changing the values if already set.
But for new users it might not be set, as I have some without these
attributes set.
If I create a new user (say tuser2) as follows:
# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
-------------------
Added user "tuser2"
-------------------
   User login: tuser2
   First name: Test
   Last name: User2
   Full name: Test User2
   Display name: Test User2
   Initials: TU
   Home directory: /home/tuser2
   GECOS field: Test User2
   Login shell: /bin/false
   Kerberos principal: tus...@cl.atix
   UID: 473000074
   GID: 473000074
   Password: False
   Kerberos keys available: False
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

That attribute is not set.
Then I'll set a temporary password:

# ipa passwd tuser2
New Password:
Enter New Password again to verify:
-------------------------------------
Changed password for "tus...@cl.atix"
-------------------------------------

I'll change the temporary password:

$ ssh tuser2@methusalix2
tuser2@methusalix2's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser2.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.

I can login via ssh:
$ ssh  tuser2@methusalix2
tuser2@methusalix2's password:
Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix

And the ldap attribute is still not set:
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

So the access via samba fails:
$ smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

When I fix the attribute manually:
# bash ~/add-sambapwdlastset2user.sh tuser2
Wrong value. Modifying to proper one..
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

I can access samba as follows:
smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]

     Sharename       Type      Comment
..

So the initial setup seems to be the problem, right?

Besides:
It also looks like the Distributed Numeric Assignment Plugin is not
working, as I always have to manually specify the SID of the user:
ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--addattr=sambaSID=S-1-5-21-1310149461-105972258-15305

Although my configuration looks ok, doesn't it?
# ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
Enter LDAP Password:
dn: cn=SambaSid,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-1310149461-105972258-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=atix,dc=cl
cn: SambaSid
dnanextvalue: 15400

For DNA to kick in the attribute you want to set needs to have the magic regen value in it, in this case the string "assign". So when adding a new user you want to have --setattr sambaSID=assign. Or you could create a small IPA plugin to add this automatically.

Incidentally, the 389-ds team recommends against using string values for the DNA magic value.

rob
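The thread shows two separate mechanisms: Samba refusing logins with NT_STATUS_PASSWORD_MUST_CHANGE when sambaPwdLastSet is missing or 0, and the 389-ds DNA plugin only generating sambaSID when the entry carries the magic value "assign", matches dnafilter and sits under dnascope. The following script is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-ds. It parses `ldapsearch -LLL` style LDIF (the constructed sample entries below mirror the ones quoted above), reports entries that need the sambaPwdLastSet repair and builds the ldapmodify record for them (the value written is assumed to be the current Unix time, which is the format Samba stores in that attribute), and predicts from a DNA configuration entry whether the plugin will fire for a given user entry. The filter matcher covers only the small LDAP filter subset used by that configuration (&, |, !, attr=value, attr=*).

```python
"""Audit FreeIPA/Samba user entries for the two problems discussed in the thread.
Added example for this page; sample LDIF below is constructed, not captured."""
import time


def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of {attr: [values]} dicts.
    Attribute names are lowercased; folded lines (leading space) are joined.
    Base64 (::) and URL (:<) forms are not needed here and not handled."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]          # LDIF line folding
            continue
        if not raw.strip():                              # blank line ends entry
            if current:
                entries.append(current)
            current = None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.lstrip(" ")
        current = {} if current is None else current
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def needs_pwdlastset_fix(entry):
    """True when sambaPwdLastSet is absent or 0: Samba then answers
    NT_STATUS_PASSWORD_MUST_CHANGE although the Kerberos password is fine."""
    values = [v.strip() for v in entry.get("sambapwdlastset", [])]
    return not values or all(v in ("", "0") for v in values)


def pwdlastset_fix_ldif(entry, now=None):
    """Build the ldapmodify record that repairs the attribute (assumption:
    set it to the current Unix time, as Samba itself would on a change)."""
    stamp = int(time.time()) if now is None else int(now)
    return (f"dn: {entry['dn'][0]}\nchangetype: modify\n"
            f"replace: sambaPwdLastSet\nsambaPwdLastSet: {stamp}\n")


def _split_filter(body):
    """Split the inside of a compound filter into its top-level (...) items."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def match_filter(flt, entry):
    """Evaluate a small LDAP filter subset case-insensitively against an entry."""
    body = flt.strip()[1:-1]
    if body[0] == "&":
        return all(match_filter(p, entry) for p in _split_filter(body[1:]))
    if body[0] == "|":
        return any(match_filter(p, entry) for p in _split_filter(body[1:]))
    if body[0] == "!":
        return not match_filter(_split_filter(body[1:])[0], entry)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def dna_check(dna_config, entry):
    """Return the reasons DNA would NOT generate a value for this entry;
    an empty list means all three preconditions (scope, filter, magic) hold."""
    reasons = []
    attr = dna_config["dnatype"][0].strip().lower()
    magic = dna_config["dnamagicregen"][0].strip()
    scope = dna_config["dnascope"][0].replace(" ", "").lower()
    dn = entry["dn"][0].replace(" ", "").lower()
    if not (dn == scope or dn.endswith("," + scope)):
        reasons.append(f"entry is outside dnascope {scope}")
    if not match_filter(dna_config["dnafilter"][0], entry):
        reasons.append("entry does not match dnafilter")
    if magic not in [v.strip() for v in entry.get(attr, [])]:
        reasons.append(f"{attr} is not set to the magic value '{magic}'")
    return reasons


# Constructed sample: the DNA config as quoted in the thread (DN folded as
# ldapsearch prints it) and a tuser2-like entry with the magic value set.
SAMPLE_DNA_CONFIG = """\
dn: cn=SambaSid,cn=Distributed Numeric Assignment 
 Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-1310149461-105972258-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=atix,dc=cl
cn: SambaSid
dnanextvalue: 15400
"""
SAMPLE_USER = """\
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: posixaccount
objectClass: sambasamaccount
uid: tuser2
sambaSID: assign
"""

if __name__ == "__main__":
    cfg, user = parse_ldif(SAMPLE_DNA_CONFIG)[0], parse_ldif(SAMPLE_USER)[0]
    if needs_pwdlastset_fix(user):
        print(pwdlastset_fix_ldif(user))
    print("DNA blockers:", dna_check(cfg, user) or "none")
```

Run against the values quoted in the thread, the DNA check reports one blocker even with `sambaSID=assign` set: the dnascope in the configuration reads `dc=atix,dc=cl`, which is not a suffix of the user DN `uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix`, so the plugin would never consider that entry. Pipe the emitted modify record into `ldapmodify` (with the same SASL/GSSAPI binding the quoted fix script uses) to apply the sambaPwdLastSet repair.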

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users