Bug 867072 - IPA with Samba: sambaPwdLastSet is not properly set when user changes password
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Hardware/OS: Unspecified, Linux
Priority: high, Severity: high
Target Milestone: rc
Target Release: 7.1
Assigned To: Martin Kosek
Reported: 2012-10-16 13:17 EDT by Marc Grimme
Modified: 2016-01-29 08:03 EST (History)

Doc Type: Bug Fix
Last Closed: 2016-01-29 08:03:03 EST
Type: Bug
Description Marc Grimme 2012-10-16 13:17:30 EDT
Description of problem:
If I create a new user (say tuser2) as follows:
# ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
Added user "tuser2"
  User login: tuser2
  First name: Test
  Last name: User2
  Full name: Test User2
  Display name: Test User2
  Initials: TU
  Home directory: /home/tuser2
  GECOS field: Test User2
  Login shell: /bin/false
  Kerberos principal: tuser2@CL.ATIX
  UID: 473000074
  GID: 473000074
  Password: False
  Kerberos keys available: False
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

That attribute is not set.
Then I'll set a temporary password:

# ipa passwd tuser2
New Password:
Enter New Password again to verify:
Changed password for "tuser2@CL.ATIX"

I'll change the temporary password:

$ ssh tuser2@methusalix2
tuser2@methusalix2's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user tuser2.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to methusalix2 closed.

I can login via ssh:
$ ssh  tuser2@methusalix2
tuser2@methusalix2's password:
Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix

And the ldap attribute is still not set:
# ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

So the access via samba fails:
$ smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

When I fix the attribute manually:
# bash ~/add-sambapwdlastset2user.sh tuser2
Wrong value. Modifying to proper one..
SASL/GSSAPI authentication started
SASL username: admin@CL.ATIX
SASL data security layer installed.
modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

I can access samba as follows:
smbclient -U tuser2 -L methusalix2 -D ATIX2
Enter tuser2's password:
Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Sharename       Type      Comment

So the initial setup seems to be the problem.

Version-Release number of selected component (if applicable):
IPA for RHEL6.3

How reproducible:
See above

Steps to Reproduce:
1. ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
2. ipa passwd tuser2
3. ssh tuser2@someserver and change the password as requested
4. Access a samba server configured for ldap authentication with IPA without success: smbclient -L somesambaserver -U tuser2: Failure
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
5. Set sambaPwdLastSet to some value via ldap. For example
  ldapmodify <<EOF
dn: uid=$1,cn=users,cn=accounts,dc=cl,dc=atix
changetype: modify
add: sambaPwdLastSet
sambaPwdLastSet: 1344931739
EOF
IPA should do this for us.
Actual results:
Cannot access samba share.

Expected results:
Should be able to access shares.

Additional info:
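The following is an added example, not the reporter's add-sambapwdlastset2user.sh script and not IPA or Samba code. It audits `ldapsearch -LLL` style output for user entries in the state this report describes (sambaPwdLastSet absent) and emits the ldapmodify LDIF that would set it. Two assumptions are made that the report itself does not state: Samba treats an absent or zero sambaPwdLastSet as "password must change", and the Kerberos schema attribute krbLastPwdChange (GeneralizedTime) is available on IPA users and is the natural source for the timestamp; the entries, names and timestamps in SAMPLE_LDIF are constructed.

```python
"""Audit IPA user entries for the Samba password-must-change condition.

Added example for this bug report; not the reporter's script and not IPA or
Samba code. Assumptions (not stated on the page): Samba treats an absent or
zero sambaPwdLastSet as NT_STATUS_PASSWORD_MUST_CHANGE, and the IPA/Kerberos
attribute krbLastPwdChange holds a GeneralizedTime such as 20121012143426Z.
"""
from datetime import datetime, timezone

# Constructed sample in the shape of `ldapsearch -LLL` output. The DNs, uids
# and timestamps are illustrative, not taken from a real directory.
SAMPLE_LDIF = """\
dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix
uid: tuser2
objectClass: sambaSamAccount
krbLastPwdChange: 20121012143426Z

dn: uid=tuser3,cn=users,cn=accounts,dc=cl,dc=atix
uid: tuser3
objectClass: sambaSamAccount
sambaPwdLastSet: 0
krbLastPwdChange: 20121012143426Z

dn: uid=tuser4,cn=users,cn=accounts,dc=cl,dc=atix
uid: tuser4
objectClass: sambaSamAccount
sambaPwdLastSet: 1344931739
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into entries."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def generalized_time_to_epoch(value):
    """Convert an LDAP GeneralizedTime such as 20121012143426Z to Unix epoch."""
    dt = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def audit_entry(entry):
    """Return 'missing', 'must-change' or 'ok' for one user entry."""
    values = entry.get("sambaPwdLastSet")
    if not values:
        return "missing"          # the state shown in this bug report
    if int(values[0]) == 0:
        return "must-change"      # assumed Samba semantics for a zero value
    return "ok"


def proposed_pwd_last_set(entry, now=None):
    """Use the Kerberos password-change time if present, else 'now'."""
    kerberos = entry.get("krbLastPwdChange")
    if kerberos:
        return generalized_time_to_epoch(kerberos[0])
    return int(now if now is not None else datetime.now(timezone.utc).timestamp())


def build_fix_ldif(entry, now=None):
    """Build the ldapmodify LDIF that adds or replaces sambaPwdLastSet."""
    status = audit_entry(entry)
    if status == "ok":
        return None
    op = "add" if status == "missing" else "replace"
    ts = proposed_pwd_last_set(entry, now)
    return (f"dn: {entry['dn'][0]}\n"
            "changetype: modify\n"
            f"{op}: sambaPwdLastSet\n"
            f"sambaPwdLastSet: {ts}\n")


def audit(text, now=None):
    """Audit every entry; return {uid: (status, fix_ldif_or_None)}."""
    return {e["uid"][0]: (audit_entry(e), build_fix_ldif(e, now))
            for e in parse_ldif(text)}


if __name__ == "__main__":
    for uid, (status, fix) in audit(SAMPLE_LDIF).items():
        print(f"{uid}: {status}")
        if fix:
            print(fix)
```

Feed it the output of `ldapsearch -LLL` over the users container and pipe the generated LDIF into `ldapmodify` only after reviewing it; an entry whose sambaPwdLastSet is already non-zero is reported as ok and gets no modification.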
Comment 2 Rob Crittenden 2012-10-23 08:12:35 EDT
Upstream ticket:
Comment 4 Martin Kosek 2016-01-29 08:03:03 EST
Thank you for taking the time to submit this request for Red Hat Enterprise Linux. Unfortunately, this bug was not given a priority and was deferred both in the upstream project and in Red Hat Enterprise Linux.

Given that we are unable to fulfill this request in the following Red Hat Enterprise Linux releases, I am closing the Bugzilla as WONTFIX. To request that Red Hat reconsiders the decision, please re-open the Bugzilla via the appropriate support channels and provide additional business and/or technical details about its importance to you.

Note that you can still track this request or even contribute patches in the referred upstream Trac ticket.
