When dealing with samba password set also the sambaPwdLastSet

This attribute is required for samba to properly identify a user has changed it's password and doesn't need to change it again at next login. At the same time, if we are forcing a pssword reset we also need to let samba know the user must change its password.
author: Simo Sorce <ssorce@redhat.com> 2010-10-05 18:09:12 -0400
committer: Simo Sorce <ssorce@redhat.com> 2010-10-07 07:53:36 -0400
commit: 475c064227620a075079eaf2bbaf846beab1d291 (patch)
tree: 990eb2627ac10d397508bea34728d183e11b4ac2 /daemons
parent: ceb91a3f7175307e4fbae929e98063fba8cc9123 (diff)
download: freeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.gz
freeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.xz
freeipa-475c064227620a075079eaf2bbaf846beab1d291.zip
2 files changed, 47 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index a2b11e4a..4c1092a0 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -1165,6 +1165,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
     int is_smb = 0;
     Slapi_Value *sambaSamAccount;
     char *errMesg = NULL;
+    char *modtime = NULL;
 
     slapi_log_error(SLAPI_LOG_TRACE, IPAPWD_PLUGIN_NAME,
                     "=> ipapwd_SetPassword\n");
@@ -1224,7 +1225,25 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
         slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
                               "sambaNTPassword", nt);
     }
-
+    if (is_smb) {
+        /* with samba integration we need to also set sambaPwdLastSet or
+         * samba will decide the user has to change the password again */
+        if (data->changetype == IPA_CHANGETYPE_ADMIN) {
+            /* if it is an admin change instead we need to let know to
+             * samba as well that the use rmust change its password */
+            modtime = slapi_ch_smprintf("0");
+        } else {
+            modtime = slapi_ch_smprintf("%ld", (long)data->timeNow);
+        }
+        if (!modtime) {
+            slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
+                            "failed to smprintf string!\n");
+            ret = LDAP_OPERATIONS_ERROR;
+            goto free_and_return;
+        }
+        slapi_mods_add_string(smods, LDAP_MOD_REPLACE,
+                              "sambaPwdLastset", modtime);
+    }
     /* let DS encode the password itself, this allows also other plugins to
      * intercept it to perform operations like synchronization with Active
      * Directory domains through the replication plugin */
@@ -1252,6 +1271,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg,
 free_and_return:
     if (lm) slapi_ch_free((void **)&lm);
     if (nt) slapi_ch_free((void **)&nt);
+    if (modtime) slapi_ch_free((void **)&modtime);
     slapi_mods_free(&smods);
     ipapwd_free_slapi_value_array(&svals);
     ipapwd_free_slapi_value_array(&pwvals);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
index 7c95ac81..a4869813 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_prepost.c
@@ -351,6 +351,19 @@ static int ipapwd_pre_add(Slapi_PBlock *pb)
             slapi_entry_attr_set_charptr(e, "sambaNTPassword", nt);
             slapi_ch_free_string(&nt);
         }
+
+        if (is_smb) {
+            /* with samba integration we need to also set sambaPwdLastSet or
+             * samba will decide the user has to change the password again */
+            if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+                /* if it is an admin change instead we need to let know to
+                * samba as well that the use rmust change its password */
+                slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+            } else {
+                slapi_entry_attr_set_long(e, "sambaPwdLastset",
+                                      (long)pwdop->pwdata.timeNow);
+            }
+        }
     }
 
     rc = LDAP_SUCCESS;
@@ -736,6 +749,19 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb)
                                   "sambaNTPassword", nt);
             slapi_ch_free_string(&nt);
         }
+
+        if (is_smb) {
+            /* with samba integration we need to also set sambaPwdLastSet or
+             * samba will decide the user has to change the password again */
+            if (pwdop->pwdata.changetype == IPA_CHANGETYPE_ADMIN) {
+                /* if it is an admin change instead we need to let know to
+                * samba as well that the use rmust change its password */
+                slapi_entry_attr_set_long(e, "sambaPwdLastset", 0L);
+            } else {
+                slapi_entry_attr_set_long(e, "sambaPwdLastset",
+                                      (long)pwdop->pwdata.timeNow);
+            }
+        }
     }
 
     rc = LDAP_SUCCESS;
author	Simo Sorce <ssorce@redhat.com>	2010-10-05 18:09:12 -0400
committer	Simo Sorce <ssorce@redhat.com>	2010-10-07 07:53:36 -0400
commit	475c064227620a075079eaf2bbaf846beab1d291 (patch)
tree	990eb2627ac10d397508bea34728d183e11b4ac2 /daemons
parent	ceb91a3f7175307e4fbae929e98063fba8cc9123 (diff)
download	freeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.gz freeipa-475c064227620a075079eaf2bbaf846beab1d291.tar.xz freeipa-475c064227620a075079eaf2bbaf846beab1d291.zip