On 10/16/2012 02:40 PM, Simo Sorce wrote:
On Tue, 2012-10-16 at 14:22 -0700, Nathan Kinder wrote:
On 10/16/2012 05:21 AM, Simo Sorce wrote:
On Tue, 2012-10-16 at 10:06 +0200, Marc Grimme wrote:
Am 15.10.2012 15:50, schrieb Simo Sorce:
On Mon, 2012-10-15 at 14:15 +0200, Marc Grimme wrote:
Am 14.10.2012 23:14, schrieb Simo Sorce:
On Fri, 2012-10-12 at 16:47 +0200, Marc Grimme wrote:
Right I am ok with sambaPwdMustChange not being set. That's all good.
What about sambaPwdLastSet ?
Not set when a user is created new.
It should be set when you give the user a password as long at the
sambaSamAccount objectclass is added to the user.
When I change the password:
sambaPwdLastSet: 0
If this is when you set the password as an admin, it is expected.
Ok, understood. But it should change when the user resets his/her
password, right?
And that is not happening.
When the user sets his/her password the sambaPwdLastSet stays untouched.
That's odd, how does the user change the password ?
Not working with samba!
Need to apply my script (see below).
Let me ask one thing, are you changing the password as a user ?
Or have you tested only setting the password as admin ?
I set the initial password as admin.
Then the user logs in to a server (sssd, ssh, ipa-member) and is
requested to change his/her password. This works but the sambaPwdLastSet
stays untouched.
Ok this is clearly a bug, can you open a bugzilla against RHEL 6.3 ?
If the latter this applies:
http://www.freeipa.org/page/NewPasswordsExpired
Checked it. But that was my understanding nevertheless.
I think it may require: SambaSID=S-1-5-21-xx-xx-xx-assign
Simo.
# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
--setattr=SambaSID=S-1-5-21-xx-xx-xx-assign
I think that this needs to be --setattr=assign. The prefix should not
be included when specifying the magic value to trigger generation.
-------------------
Added user "tuser2"
-------------------
User login: tuser2
First name: Test
Last name: User2
Full name: Test User2
Display name: Test User2
Initials: TU
Home directory: /home/tuser2
GECOS field: Test User2
Login shell: /bin/false
Kerberos principal: tus...@cl.atix
UID: 473000078
GID: 473000078
Password: False
Kerberos keys available: False
# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
sambaSID
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
sambaSID: S-1-5-21-xx-xx-xx-assign
The following objectclasses are being set when creating a new user:
# ldapsearch -LLL -b "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"
objectClass
SASL/GSSAPI authentication started
SASL username: ad...@cl.atix
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: sambaSAMAccount
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
Thanks for your help
Seem like a DNA bug ... then,
Nathan do you have any idea ?
What DNA configuration is used?
>From a previous mail this look to be the config.
Marc is this still correct ?
Although my configurations looks ok, doesn't it?
# ldapsearch -LLL -b "cn=SambaSID,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config" -D "cn=Directory Manager" -x -W
Enter LDAP Password:
dn: cn=SambaSid,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-1310149461-105972258-
dnainterval: 1
dnamagicregen: assign
dnafilter:
(|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=atix,dc=cl
cn: SambaSid
dnanextvalue: 15400
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
