<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 06/08/2011 07:48 PM, Steven Jones wrote:
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<pre wrap="">Hi,
nsswitch atatched.
Which pam files?
</pre>
</blockquote>
<br>
The pam configuration files.<br>
On my RHEL6 it is in /etc/pam.d/system-auth which is usually a link
to a file in the same directory.<br>
I think in 5.6 is it similar. I do not have 5.6 machine handy to
check.<br>
<br>
<blockquote
cite="mid:833D8E48405E064EBC54C84EC6B36E401B0E9DBE@STAWINCOX10MBX1.staff.vuw.ac.nz"
type="cite">
<pre wrap="">
regards
________________________________
From: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a>] on behalf of Dmitri Pal [<a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a>]
Sent: Thursday, 9 June 2011 11:32 a.m.
To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>
Subject: Re: [Freeipa-users] Inconsistant first login behaviour
On 06/08/2011 06:57 PM, Steven Jones wrote:
Attached are F15 adnd RHEL5.6 conf scripts.
You have not attached pam configurations and nsswitch for 5.6.
regards
________________________________________
From: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users-bounces@redhat.com"><mailto:freeipa-users-bounces@redhat.com></a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users-bounces@redhat.com"><mailto:freeipa-users-bounces@redhat.com></a>] on behalf of Steven Jones [<a class="moz-txt-link-abbreviated" href="mailto:Steven.Jones@vuw.ac.nz">Steven.Jones@vuw.ac.nz</a><a class="moz-txt-link-rfc2396E" href="mailto:Steven.Jones@vuw.ac.nz"><mailto:Steven.Jones@vuw.ac.nz></a>]
Sent: Thursday, 9 June 2011 10:31 a.m.
To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><mailto:freeipa-users@redhat.com></a>
Subject: Re: [Freeipa-users] Inconsistant first login behaviour
Hi,
These files/clients have all been configured by the ipa-client-install script, so any settings are standard, I have modified nothing.
So when I built all 3 client/workstations I made a default user jonesst1 at build time with password 1 and its the same across all three.
So in the freeipa server I set password2 for jonesst1 which is different so I know that I am getting a centralised login....really basic stuff.
So then using the ipa-client-install script I joined them each in turn to IPA....for F15 and 6.1 clients they now accept the IPA password2 without an issue...for RHEL 5.6 it initially asked to reset the password....and I only had 1 hour......later logins are fine.
So my use case is nothing more than a simple centralised login......
regards
________________________________________
From: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users-bounces@redhat.com"><mailto:freeipa-users-bounces@redhat.com></a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users-bounces@redhat.com"><mailto:freeipa-users-bounces@redhat.com></a>] on behalf of Dmitri Pal [<a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><mailto:dpal@redhat.com></a>]
Sent: Thursday, 9 June 2011 8:56 a.m.
To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><mailto:freeipa-users@redhat.com></a>
Subject: Re: [Freeipa-users] Inconsistant first login behaviour
On 06/08/2011 04:04 PM, Steven Jones wrote:
Hi,
Can you fix 5.6 so it runs the ipa-client-install script the same way then please? because running the same command giving differing results seems strange....unless you are telling me its simply the way rhel5.6 will work?
Well the problem is that SSSD is not in 5.6 by default. ipa-client on
5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is
configured. In 5.7 there will be a new ipa-client that will act in the
same way as in RHEL 6 or Fedora.
But the expectation is that they should act in the same way now. But
apparently there is some difference.
We need to understand exactly what is your use case.
What is configured in your nsswitch and pam config on RHEL and Fedora?
And if in one case it is SSSD and not in the other we need to see SSSD
configuration and LDAP and Kerberos configuration files.
regards
Steven
________________________________________
From: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users-bounces@redhat.com"><mailto:freeipa-users-bounces@redhat.com></a> [<a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users-bounces@redhat.com"><mailto:freeipa-users-bounces@redhat.com></a>] on behalf of Dmitri Pal [<a class="moz-txt-link-abbreviated" href="mailto:dpal@redhat.com">dpal@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><mailto:dpal@redhat.com></a>]
Sent: Thursday, 9 June 2011 5:00 a.m.
To: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><mailto:freeipa-users@redhat.com></a>
Subject: Re: [Freeipa-users] Inconsistant first login behaviour
On 06/07/2011 10:36 PM, Steven Jones wrote:
Logging into the F15 client and I just login with the ldap password...
If I try the same thing with RHEL5.6 I get told I have one hour to password expiry....
I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all.
This is probably because in one case you log using LDAP password and in
another as Kerberos credential. The underlying password string is the
same but other properties like expiration are different as you see.
To have the consistent experience configure both systems to use same
type of the credential.
regards
Steven
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:Freeipa-users@redhat.com"><mailto:Freeipa-users@redhat.com></a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><a class="moz-txt-link-rfc2396E" href="http://www.redhat.com/carveoutcosts/"><http://www.redhat.com/carveoutcosts/></a>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:Freeipa-users@redhat.com"><mailto:Freeipa-users@redhat.com></a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:Freeipa-users@redhat.com"><mailto:Freeipa-users@redhat.com></a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><a class="moz-txt-link-rfc2396E" href="http://www.redhat.com/carveoutcosts/"><http://www.redhat.com/carveoutcosts/></a>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:Freeipa-users@redhat.com"><mailto:Freeipa-users@redhat.com></a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:Freeipa-users@redhat.com"><mailto:Freeipa-users@redhat.com></a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><a class="moz-txt-link-rfc2396E" href="mailto:Freeipa-users@redhat.com"><mailto:Freeipa-users@redhat.com></a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><a class="moz-txt-link-rfc2396E" href="http://www.redhat.com/carveoutcosts/"><http://www.redhat.com/carveoutcosts/></a>
</pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>