[Freeipa-users] Inconsistant first login behaviour
Dmitri Pal
dpal at redhat.com
Wed Jun 8 23:32:02 UTC 2011
On 06/08/2011 06:57 PM, Steven Jones wrote:
> Attached are F15 adnd RHEL5.6 conf scripts.
You have not attached pam configurations and nsswitch for 5.6.
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 9 June 2011 10:31 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> Hi,
>
> These files/clients have all been configured by the ipa-client-install script, so any settings are standard, I have modified nothing.
>
> So when I built all 3 client/workstations I made a default user jonesst1 at build time with password 1 and its the same across all three.
>
> So in the freeipa server I set password2 for jonesst1 which is different so I know that I am getting a centralised login....really basic stuff.
>
> So then using the ipa-client-install script I joined them each in turn to IPA....for F15 and 6.1 clients they now accept the IPA password2 without an issue...for RHEL 5.6 it initially asked to reset the password....and I only had 1 hour......later logins are fine.
>
> So my use case is nothing more than a simple centralised login......
>
> regards
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 8:56 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/08/2011 04:04 PM, Steven Jones wrote:
>> Hi,
>>
>> Can you fix 5.6 so it runs the ipa-client-install script the same way then please? because running the same command giving differing results seems strange....unless you are telling me its simply the way rhel5.6 will work?
> Well the problem is that SSSD is not in 5.6 by default. ipa-client on
> 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is
> configured. In 5.7 there will be a new ipa-client that will act in the
> same way as in RHEL 6 or Fedora.
>
> But the expectation is that they should act in the same way now. But
> apparently there is some difference.
>
> We need to understand exactly what is your use case.
> What is configured in your nsswitch and pam config on RHEL and Fedora?
> And if in one case it is SSSD and not in the other we need to see SSSD
> configuration and LDAP and Kerberos configuration files.
>
>
>> regards
>>
>> Steven
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>> Sent: Thursday, 9 June 2011 5:00 a.m.
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>>
>> On 06/07/2011 10:36 PM, Steven Jones wrote:
>>> Logging into the F15 client and I just login with the ldap password...
>>>
>>> If I try the same thing with RHEL5.6 I get told I have one hour to password expiry....
>>>
>>> I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all.
>>>
>> This is probably because in one case you log using LDAP password and in
>> another as Kerberos credential. The underlying password string is the
>> same but other properties like expiration are different as you see.
>> To have the consistent experience configure both systems to use same
>> type of the credential.
>>
>>
>>> regards
>>>
>>> Steven
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110608/0be04ba8/attachment.htm>
More information about the Freeipa-users
mailing list