Bug 867072

Summary: IPA with Samba: sambaPwdLastSet is not properly set when user changes password
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED WONTFIX
Severity: high
Priority: high
Reporter: Marc Grimme <grimme>
Assignee: Martin Kosek <mkosek>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: mkosek, sbose
Target Milestone: rc
Target Release: 7.1
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-01-29 13:03:03 UTC

Description Marc Grimme 2012-10-16 17:17:30 UTC
Description of problem:
If I create a new user (say tuser2) as follows:
# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false \
    --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
-------------------
Added user "tuser2"
-------------------
  User login: tuser2
  First name: Test
  Last name: User2
  Full name: Test User2
  Display name: Test User2
  Initials: TU
  Home directory: /home/tuser2
  GECOS field: Test User2
  Login shell: /bin/false
  Kerberos principal: tuser2
  UID: 473000074
  GID: 473000074
  Password: False
  Kerberos keys available: False
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix \
    sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

That attribute is not set.
Then I'll set a temporary password:

# ipa passwd tuser2
New Password:
Enter New Password again to verify:
-------------------------------------
Changed password for "tuser2"
-------------------------------------

I'll change the temporary password:

$ ssh tuser2@methusalix2
tuser2@methusalix2's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser2.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.

I can login via ssh:
$ ssh  tuser2@methusalix2
tuser2@methusalix2's password:
Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix

And the ldap attribute is still not set:
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix \
    sambaPwdMustChange
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

So the access via samba fails:
$ smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

When I fix the attribute manually:
# bash ~/add-sambapwdlastset2user.sh tuser2
Wrong value. Modifying to proper one..
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

I can access samba as follows:
smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Sharename       Type      Comment
..

So the initial setup seems to be the problem.

Version-Release number of selected component (if applicable):
IPA for RHEL6.3

How reproducible:
See above

Steps to Reproduce:
1. ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
2. ipa passwd tuser2
3. ssh tuser2@someserver and change the password as requested
4. Access a samba server configured for ldap authentication with IPA without success: smbclient -L somesambaserver -U tuser2: Failure
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
5. Set sambaPwdLastSet to some value via ldap. For example (the user entry already exists, so this is a modify operation, not an add):
  ldapmodify <<EOF
dn: uid=$1,cn=users,cn=accounts,dc=cl,dc=atix
changetype: modify
add: sambaPwdLastSet
sambaPwdLastSet: 1344931739
EOF
IPA should do this for us.
  
Actual results:
Cannot access samba share.

Expected results:
Should be able to access shares.

Additional info:

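As an added example (this is neither the reporter's add-sambapwdlastset2user.sh, which is not attached to the report, nor FreeIPA code), a POSIX shell script that automates step 5 above: it reads the user's sambaPwdLastSet with ldapsearch, and if the attribute is missing, zero or malformed, writes the current epoch time with ldapmodify. Samba returns NT_STATUS_PASSWORD_MUST_CHANGE when an account's sambaPwdLastSet is absent or 0, which is the condition shown in the smbclient output. The base DN dc=cl,dc=atix is taken from the report; the function names, the GSSAPI bind (as in the reporter's own script output) and the script file name are assumptions. The LDIF is a changetype: modify record because the user entry already exists.

```shell
#!/bin/sh
# Added example (not the reporter's script and not FreeIPA code): make sure an
# IPA user entry carries a usable sambaPwdLastSet.  Samba answers
# NT_STATUS_PASSWORD_MUST_CHANGE when the value is absent or 0.
# Assumptions: the base DN from the report, a valid Kerberos ticket for
# ldapsearch/ldapmodify -Y GSSAPI, and the OpenLDAP client tools on PATH.
set -u

BASE_DN="${BASE_DN:-dc=cl,dc=atix}"   # taken from the bug report

# user_dn LOGIN -> DN of the IPA user entry (IPA's users container)
user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$1" "$BASE_DN"
}

# Read ldapsearch -LLL output on stdin and print the sambaPwdLastSet value
# (prints nothing if the attribute is not in the entry).
current_pwdlastset() {
    sed -n 's/^sambaPwdLastSet: *//p'
}

# classify_pwdlastset VALUE -> missing | zero | invalid | ok
classify_pwdlastset() {
    case "$1" in
        '')        echo missing ;;
        0)         echo zero ;;
        *[!0-9]*)  echo invalid ;;
        *)         echo ok ;;
    esac
}

# sambapwdlastset_ldif LOGIN EPOCH [add|replace] -> LDIF for ldapmodify.
# The entry exists, so this is a 'changetype: modify' record; 'add' is
# rejected if the attribute is already present, so a wrong value uses 'replace'.
sambapwdlastset_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: sambaPwdLastSet\nsambaPwdLastSet: %s\n' \
        "$(user_dn "$1")" "${3:-add}" "$2"
}

# fix_user LOGIN: inspect the entry and repair sambaPwdLastSet when needed.
fix_user() {
    login="$1"
    dn="$(user_dn "$login")"
    cur="$(ldapsearch -LLL -Y GSSAPI -b "$dn" -s base sambaPwdLastSet 2>/dev/null \
           | current_pwdlastset)"
    case "$(classify_pwdlastset "$cur")" in
        ok)      echo "$login: sambaPwdLastSet already $cur"; return 0 ;;
        missing) op=add ;;
        *)       echo "$login: wrong value '$cur', replacing"; op=replace ;;
    esac
    sambapwdlastset_ldif "$login" "$(date +%s)" "$op" | ldapmodify -Y GSSAPI
}

# Usage (hypothetical file name): ./fix-sambapwdlastset.sh tuser2
if [ "$#" -eq 1 ]; then
    fix_user "$1"
fi
```

The script only touches sambaPwdLastSet, so it does not help with the underlying problem that password changes made through IPA never update the Samba attributes; it is a repair step for accounts that are already in the state the report describes.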
Comment 2 Rob Crittenden 2012-10-23 12:12:35 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3206

Comment 4 Martin Kosek 2016-01-29 13:03:03 UTC
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat re-considers the decision, please re-open the Bugzilla via appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.