On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
> On 15.10.2012 15:50, Simo Sorce wrote:
> > On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
> >> On 14.10.2012 23:14, Simo Sorce wrote:
> >>> On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
> >>> Right I am ok with sambaPwdMustChange not being set. That's all good.
> >>> What about sambaPwdLastSet ?
> >> Not set when a user is created new.
> > It should be set when you give the user a password as long as the
> > sambaSamAccount objectclass is added to the user.
> >
> >> When I change the password:
> >> sambaPwdLastSet: 0
> > If this is when you set the password as an admin, it is expected.
> Ok, understood. But it should change when the user resets his/her
> password, right?
> And that is not happening.
> When the user sets his/her password the sambaPwdLastSet stays untouched.

That's odd, how does the user change the password ?

> >> Not working with samba!
> >> Need to apply my script (see below).
> > Let me ask one thing, are you changing the password as a user ?
> > Or have you tested only setting the password as admin ?
> I set the initial password as admin.
> Then the user logs in to a server (sssd, ssh, ipa-member) and is
> requested to change his/her password. This works but the sambaPwdLastSet
> stays untouched.

Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?

> > If the latter this applies:
> > http://www.freeipa.org/page/NewPasswordsExpired
> Checked it. But that was my understanding nevertheless.
> >
> > I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
> >
> >
> > Simo.
> >
> # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
> --setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
> -------------------
> Added user "tuser2"
> -------------------
> User login: tuser2
> First name: Test
> Last name: User2
> Full name: Test User2
> Display name: Test User2
> Initials: TU
> Home directory: /home/tuser2
> GECOS field: Test User2
> Login shell: /bin/false
> Kerberos principal: tus...@cl.atix
> UID: 473000078
> GID: 473000078
> Password: False
> Kerberos keys available: False
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> sambaSID
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> sambaSID: S-1-5-21-xx-xx-xx-assign
>
> The following objectclasses are being set when creating a new user:
> # ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
> objectClass
> SASL/GSSAPI authentication started
> SASL username: ad...@cl.atix
> SASL SSF: 56
> SASL data security layer installed.
> dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: sambaSAMAccount
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
>
> Thanks for your help

Seems like a DNA bug ... then, Nathan do you have any idea ?

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users