https://bugzilla.redhat.com/show_bug.cgi?id=867072 (Red Hat Enterprise Linux 6)
Description of problem:

If I create a new user (say tuser2) as follows:

    # ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false --addattr=sambaSID=S-1-5-21-1310149461-105972258-15305
    -------------------
    Added user "tuser2"
    -------------------
      User login: tuser2
      First name: Test
      Last name: User2
      Full name: Test User2
      Display name: Test User2
      Initials: TU
      Home directory: /home/tuser2
      GECOS field: Test User2
      Login shell: /bin/false
      Kerberos principal: tuser2@CL.ATIX
      UID: 473000074
      GID: 473000074
      Password: False
      Kerberos keys available: False

    # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix sambaPwdMustChange
    dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

That attribute is not set. Then I'll set a temporary password:

    # ipa passwd tuser2
    New Password:
    Enter New Password again to verify:
    -------------------------------------
    Changed password for "tuser2@CL.ATIX"
    -------------------------------------

I'll change the temporary password:

    $ ssh tuser2@methusalix2
    tuser2@methusalix2's password:
    Password expired. Change your password now.
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user tuser2.
    Current Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Connection to methusalix2 closed.

I can login via ssh:

    $ ssh tuser2@methusalix2
    tuser2@methusalix2's password:
    Last login: Fri Oct 12 16:34:26 2012 from mobilix-20.gallien.atix

And the ldap attribute is still not set:

    # ldapsearch -LLL -x -b uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix sambaPwdMustChange
    dn: uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix

So the access via samba fails:

    $ smbclient -U tuser2 -L methusalix2 -D ATIX2
    Enter tuser2's password:
    session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

When I fix the attribute manually:

    # bash ~/add-sambapwdlastset2user.sh tuser2
    Wrong value. Modifying to proper one..
    SASL/GSSAPI authentication started
    SASL username: admin@CL.ATIX
    SASL SSF: 56
    SASL data security layer installed.
    modifying entry "uid=tuser2,cn=users,cn=accounts,dc=cl,dc=atix"

I can access samba as follows:

    smbclient -U tuser2 -L methusalix2 -D ATIX2
    Enter tuser2's password:
    Domain=[ATIX2] OS=[Unix] Server=[Samba 3.5.10-125.el6]

    Sharename Type Comment
    ..

So the initial setup seems to be the problem.

Version-Release number of selected component (if applicable):
IPA for RHEL6.3

How reproducible:
See above

Steps to Reproduce:
1. ipa user-add tuser2 --first=Test --last=User2 --shell=/bin/false
2. ipa passwd tuser2
3. ssh tuser2@someserver and change the password as requested
4. Access a samba server configured for ldap authentication with IPA without success:
   smbclient -L somesambaserver -U tuser2:
   Failure
   session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE
5. Set sambaPwdLastSet to some value via ldap. For example

    ldapadd <<EOF
    dn: uid=$1,cn=users,cn=accounts,dc=cl,dc=atix
    changetype: modify
    add: sambaPwdLastSet
    sambaPwdLastSet: 1344931739
    EOF

IPA should do this for us.

Actual results:
Cannot access samba share.

Expected results:
Should be able to access shares.

Additional info:
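A bulk form of the manual fix from step 5, as an added example that is not part of the original report or of FreeIPA: it reads `ldapsearch` LDIF output and emits a modify record for each entry that has sambaSID but no sambaPwdLastSet. The function names, the sample entries, and the idea that sambaSID marks a Samba-enabled account are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the ticket. Function names are hypothetical.

# Constructed sample shaped like the output of:
#   ldapsearch -LLL -b cn=users,cn=accounts,dc=cl,dc=atix uid sambaSID sambaPwdLastSet
sample_ldif() {
cat <<'EOF'
dn: uid=tuser1,cn=users,cn=accounts,dc=cl,dc=atix
uid: tuser1
sambaSID: S-1-5-21-1310149461-105972258-15304
sambaPwdLastSet: 1344931739

dn: uid=tuser2,cn=users,cn=accounts,
 dc=cl,dc=atix
uid: tuser2
sambaSID: S-1-5-21-1310149461-105972258-15305

dn: uid=tuser3,cn=users,cn=accounts,dc=cl,dc=atix
uid: tuser3
EOF
}

# Read LDIF on stdin; write an ldapmodify change record for every entry that
# has sambaSID but no sambaPwdLastSet. $1 = epoch seconds (default: now).
missing_pwdlastset_ldif() {
    awk -v now="${1:-$(date +%s)}" '
    BEGIN { RS = ""; FS = "\n" }          # one blank-line-separated entry per record
    {
        gsub(/\n /, "")                   # unfold wrapped LDIF lines
        dn = ""; has_sid = 0; has_set = 0
        for (i = 1; i <= NF; i++) {
            line = tolower($i)            # attribute names are case-insensitive
            if (line ~ /^dn: /)                   dn = substr($i, 5)
            else if (line ~ /^sambasid:/)         has_sid = 1
            else if (line ~ /^sambapwdlastset:/)  has_set = 1
        }
        # Entries with a base64 DN ("dn:: ") leave dn empty and are skipped.
        if (dn != "" && has_sid && !has_set)
            printf "dn: %s\nchangetype: modify\nadd: sambaPwdLastSet\nsambaPwdLastSet: %s\n\n", dn, now
    }'
}

# Constructed run: only tuser2 has sambaSID without sambaPwdLastSet.
sample_ldif | missing_pwdlastset_ldif 1344931739
```

Review the generated records before passing them to `ldapmodify` with your usual bind options.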
Metadata Update from @rcritten: - Issue assigned to someone - Issue set to the milestone: Future Releases
Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)