[Freeipa-users] Inconsistant first login behaviour

Dmitri Pal dpal at redhat.com
Thu Jun 9 14:57:36 UTC 2011


On 06/08/2011 07:48 PM, Steven Jones wrote:
> Hi,
>
> nsswitch attached.
>
> Which pam files?

The pam configuration files.
On my RHEL6 it is in /etc/pam.d/system-auth which is usually a link to a
file in the same directory.
I think in 5.6 it is similar. I do not have a 5.6 machine handy to check.
 
> regards
> ________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 11:32 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/08/2011 06:57 PM, Steven Jones wrote:
>
> Attached are F15 and RHEL5.6 conf scripts.
>
>
> You have not attached pam configurations and nsswitch for 5.6.
>
> regards
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Steven Jones [Steven.Jones at vuw.ac.nz]
> Sent: Thursday, 9 June 2011 10:31 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> Hi,
>
> These files/clients have all been configured by the ipa-client-install script, so any settings are standard, I have modified nothing.
>
> So when I built all 3 client/workstations I made a default user jonesst1 at build time with password 1 and it's the same across all three.
>
> So in the freeipa server I set password2 for jonesst1 which is different so I know that I am getting a centralised login....really basic stuff.
>
> So then using the ipa-client-install script I joined them each in turn to IPA....for F15 and 6.1 clients they now accept the IPA password2 without an issue...for RHEL 5.6 it initially asked to reset the password....and I only had 1 hour......later logins are fine.
>
> So my use case is nothing more than a simple centralised login......
>
> regards
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 8:56 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/08/2011 04:04 PM, Steven Jones wrote:
>
>
> Hi,
>
> Can you fix 5.6 so it runs the ipa-client-install script the same way then please? Because running the same command giving differing results seems strange....unless you are telling me it's simply the way rhel5.6 will work?
>
>
> Well the problem is that SSSD is not in 5.6 by default. ipa-client on
> 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is
> configured. In 5.7 there will be a new ipa-client that will act in the
> same way as in RHEL 6 or Fedora.
>
> But the expectation is that they should act in the same way now. But
> apparently there is some difference.
>
> We need to understand exactly what is your use case.
> What is configured in your nsswitch and pam config on RHEL and Fedora?
> And if in one case it is SSSD and not in the other we need to see SSSD
> configuration and LDAP and Kerberos configuration files.
>
>
>
>
> regards
>
> Steven
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
> Sent: Thursday, 9 June 2011 5:00 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/07/2011 10:36 PM, Steven Jones wrote:
>
>
> Logging into the F15 client and I just login with the ldap password...
>
> If I try the same thing with RHEL5.6 I get told I have one hour to password expiry....
>
> I'd like it to do one or other across platforms....and be able to set this behaviour, per user....or not at all.
>
>
>
> This is probably because in one case you log using LDAP password and in
> another as Kerberos credential. The underlying password string is the
> same but other properties like expiration are different as you see.
> To have the consistent experience configure both systems to use same
> type of the credential.
>
>
>
>
> regards
>
> Steven
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
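
The thread asks what nsswitch and PAM are configured to use on each client. As an added example that is not part of the original message: a shell sketch that reads the `passwd` sources from an nsswitch file and the `auth` modules from a PAM file and reports whether the client is on SSSD or on LDAP+Kerberos. The function names, the category labels and the sample file contents are assumptions constructed for illustration, not the poster's attachments.

```shell
#!/bin/sh
# Added example: classify a client's login stack from nsswitch.conf and PAM.
# All function names and sample files below are constructed for illustration.

# Print the sources configured for one nsswitch database (e.g. passwd).
nss_sources() {  # nss_sources FILE DB
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print the modules named on "auth" lines, in stack order, space separated.
pam_auth_modules() {  # pam_auth_modules FILE
    awk '{ sub(/#.*/, "") }
        $1 == "auth" || $1 == "-auth" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^pam_[a-z0-9_]+\.so$/) { printf "%s ", $i; break }
        }' "$1"
}

has() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }  # word in list?

classify_stack() {  # classify_stack NSSWITCH_FILE PAM_FILE
    nss=$(nss_sources "$1" passwd)
    pam=$(pam_auth_modules "$2")
    if has "$nss" sss && has "$pam" pam_sss.so; then echo sssd
    elif has "$nss" ldap && has "$pam" pam_krb5.so; then echo ldap+krb5
    elif has "$nss" ldap && has "$pam" pam_ldap.so; then echo ldap-bind
    else echo mixed-or-local
    fi
}

# Constructed sample files, modelled on the two setups the thread describes.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'passwd:     files sss\nshadow:     files sss\n' > "$tmp/sssd.nss"
cat > "$tmp/sssd.pam" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
printf 'passwd:     files ldap   # identity from LDAP\n' > "$tmp/legacy.nss"
cat > "$tmp/legacy.pam" <<'EOF'
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
EOF
echo "SSSD-style client:   $(classify_stack "$tmp/sssd.nss" "$tmp/sssd.pam")"
echo "legacy-style client: $(classify_stack "$tmp/legacy.nss" "$tmp/legacy.pam")"
```

On a real client the two arguments would be `/etc/nsswitch.conf` and `/etc/pam.d/system-auth`; a differing result between two hosts points at the credential-type mismatch discussed in the thread.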

