From 475c064227620a075079eaf2bbaf846beab1d291 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 5 Oct 2010 18:09:12 -0400
Subject: When dealing with samba password set also the sambaPwdLastSet

This attribute is required for samba to properly identify a user has changed it's password and doesn't need to change it again at next login. At the same time, if we are forcing a pssword reset we also need to let samba know the user must change its password.
---
 .../ipa-pwd-extop/ipapwd_common.c | 22 +++++++++++++++++-
 .../ipa-pwd-extop/ipapwd_prepost.c | 26 ++++++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 (limited to 'daemons')
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index a2b11e4ab..4c1092a09 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -1165,6 +1165,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 int is_smb = 0;
 Slapi_Value *sambaSamAccount;
 char *errMesg = NULL;
+ char *modtime = NULL;
 slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME, "=> ipapwd_SetPassword\n");
@@ -1224,7 +1225,25 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 slapi_mods_add_string(smods, LDAP_MOD_REPLACE, "sambaNTPassword", nt);
 }
-
+ if (is_smb) {
+ /* with samba integration we need to also set sambaPwdLastSet or
+ * samba will decide the user has to change the password again */
+ if (data->changetype == IPA_CHANGETYPE_ADMIN) {
+ /* if it is an admin change instead we need to let know to
+ * samba as well that the use rmust change its password */
+ modtime = slapi_ch_smprintf("0");
+ } else {
+ modtime = slapi_ch_smprintf("%ld", (long)data->timeNow);
+ }
+ if (!modtime) {
+ slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+ "failed to smprintf string!\n");
+ ret = LDAP_OPERATIONS_ERROR;
+ goto free_and_return;
+ }
+ slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+ "sambaPwdLastset", modtime);
+ }
 /* let DS encode the password itself, this allows also other plugins to * intercept it to perform operations like synchronization with Active * Directory domains through the replication plugin */
@@ -1252,6 +1271,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 free_and_return:
 if (lm) slapi_ch_free((void **)&lm);
 if (nt) slapi_ch_free((void **)&nt);
+ if (modtime) slapi_ch_free((void **)&modtime);
 slapi_mods_free(&smods);
 ipapwd_free_slapi_value_array(&svals);
 ipapwd_free_slapi_value_array(&pwvals);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 7c95ac814..a4869813b 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
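Review bot: The attribute is written `"sambaPwdLastset"` in the slapi_mods_add_string() call, while the comment just above it and the commit subject spell it sambaPwdLastSet; LDAP attribute-type matching is case-insensitive so the modification still reaches the right attribute, but the lower-case `s` reads as a typo and should follow the schema spelling here and in both ipapwd_prepost.c hunks. The comment `samba as well that the use rmust change its password` has a misplaced space in all three copies and should read `samba as well that the user must change its password`. The two allocation branches can collapse into one line, `modtime = slapi_ch_smprintf("%ld", data->changetype == IPA_CHANGETYPE_ADMIN ? 0L : (long)data->timeNow);`, leaving the single `if (!modtime)` check; the matching release in the free_and_return hunk below could drop its `if (modtime)` guard since slapi_ch_free() accepts a NULL pointer, though keeping it matches the existing lm/nt lines. ipapwd_SetPassword starts and ends outside this hunk.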
@@ -351,6 +351,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
 slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
 slapi_ch_free_string(&nt);
 }
+
+ if (is_smb) {
+ /* with samba integration we need to also set sambaPwdLastSet or
+ * samba will decide the user has to change the password again */
+ if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+ /* if it is an admin change instead we need to let know to
+ * samba as well that the use rmust change its password */
+ slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+ } else {
+ slapi_entry_attr_set_long(e, "sambaPwdLastset",
+ (long)pwdop->pwdata.timeNow);
+ }
+ }
 }
 rc = LDAP_SUCCESS;
@@ -736,6 +749,19 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
 "sambaNTPassword", nt);
 slapi_ch_free_string(&nt);
 }
+
+ if (is_smb) {
+ /* with samba integration we need to also set sambaPwdLastSet or
+ * samba will decide the user has to change the password again */
+ if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+ /* if it is an admin change instead we need to let know to
+ * samba as well that the use rmust change its password */
+ slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+ } else {
+ slapi_entry_attr_set_long(e, "sambaPwdLastset",
+ (long)pwdop->pwdata.timeNow);
+ }
+ }
 }
 rc = LDAP_SUCCESS;
-- cgit
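Review bot: The sambaPwdLastset block added to ipapwd_pre_add is repeated verbatim in ipapwd_pre_mod in the next hunk, comments included, so the "0 on an admin change, timeNow otherwise" rule now lives in three places counting ipapwd_SetPassword in ipapwd_common.c. A small static helper in ipapwd_prepost.c taking the entry, the changetype and the timestamp would keep the two entry-based callers to a single call each and give the attribute name one spelling; a sketch follows. Both ipapwd_pre_add and ipapwd_pre_mod start outside their hunks, so where the helper would be placed above them is not visible here.
```c
/* Set sambaPwdLastSet so samba does not demand another password change at
 * the next login; 0 tells samba the user must change the password. */
static void ipapwd_set_samba_pwdlastset(Slapi_Entry *e, int changetype,
                                        long time_now)
{
    /* changetype: same type as pwdata.changetype — adjust if it is not int */
    long value = (changetype == IPA_CHANGETYPE_ADMIN) ? 0L : time_now;
    slapi_entry_attr_set_long(e, "sambaPwdLastSet", value);
}

/* … unchanged: ipapwd_pre_add up to and including the sambaNTPassword block … */
    if (is_smb) {
        ipapwd_set_samba_pwdlastset(e, pwdop->pwdata.changetype,
                                    (long)pwdop->pwdata.timeNow);
    }
/* … unchanged: the same replacement in ipapwd_pre_mod … */
```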