Samba process needs to initiate re-generation of ipaNTHash attribute based on Kerberos key. This regeneration happens when ipaNTHash is replaced with a value of MagicRegen.
Unfortunately, default ACIs prevent adtrust agents group to modify ipaNTHash.
Patch is on the list and includes testing instructions: https://www.redhat.com/archives/freeipa-devel/2012-August/msg00227.html
Committed to master:155d1ef and 6171d0a
Committed to 3.0: 9cb3093 and c6e4ac7
Moving closed RC1 tickets to Beta 3.
Metadata Update from @abbra: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 3.0 Beta 3
Login to comment on this ticket.