[Freeipa-users] Cmd-line Unprovision & OTP setting for a host
Dmitri Pal
dpal at redhat.com
Tue Sep 18 14:41:46 UTC 2012
On 09/18/2012 07:34 AM, Charlie Derwent wrote:
> Hi
>
> I've used "ipa host-disable ${HOST}; ipa host-mod --password=${PASS}
> ${HOST}" in the past and that seems to work quite well. The ideal for
> me would be a situation where the IPA information could persist
> between rebuilds.
Can you please elaborate more?
Between rebuilds of what, client or server?
And what information do you want to persist: cert, keytab, OTP?
Thanks
Dmitri
>
> Cheers,
> Charlie
> On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan
> <Duncan.Innes at virginmoney.com> wrote:
>
> Folks,
>
> Juggling a problem here that perhaps doesn't have a perfect solution.
> I'm looking at systems that get re-provisioned by a
> Satellite/Spacewalk/Installation method. For full (Free)IPA
> integration, we normally delete the old entry from IPA, create a new one
> from scratch and set the OTP to match what we put in our post-install
> script called by the kickstart file.
>
> Just noticed that I can do the same thing by Unprovisioning the system
> via the WebUI and then setting the OTP.
>
> Is there a way to Unprovision a registered host and set an OTP via the
> command line? I was looking at 'ipa host-mod --setattr' but not getting
> too far with the Unprovisioning aspect.
>
> Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44
> 7801 134507 | duncan.innes at virginmoney.com
>
>
>
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of JR Aquino
> > Sent: 18 September 2012 03:58
> > To: Tim Hildred
> > Cc: freeipa-users
> > Subject: Re: [Freeipa-users] Password requirements too stringent
> >
> >
> > On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
> >
> > > JR
> > >
> > > I had that line. I commented it out. Thank you.
> > >
> > > Now, what do I have to restart?
> >
> > I believe it should take effect in real time, but you may
> > need to test to be sure. If it is still happening, you may
> > need to double check that some other pam cfg doesn't also
> > have it present: $ cd /etc/pam.d/ && grep pam_cracklib *
> >
> > If you have removed it from everything and it is still giving
> > you the same error, then I would try a reboot... perhaps
> > getty needs to reinitialize or something. But I'd try those
> > steps before a reboot!
> >
> > ;)
> >
> > > Tim Hildred, RHCE
> > > Content Author II - Engineering Content Services, Red Hat, Inc.
> > > Brisbane, Australia
> > > Email: thildred at redhat.com
> > > Internal: 8588287
> > > Mobile: +61 4 666 25242
> > > IRC: thildred
> > >
> > > ----- Original Message -----
> > >> From: "JR Aquino" <JR.Aquino at citrix.com>
> > >> To: "Tim Hildred" <thildred at redhat.com>
> > >> Cc: "freeipa-users" <freeipa-users at redhat.com>
> > >> Sent: Tuesday, September 18, 2012 12:37:48 PM
> > >> Subject: Re: [Freeipa-users] Password requirements too stringent
> > >>
> > >> Tim, please check your /etc/pam.d/system-auth with the password
> > >> block. If you see password requisite pam_cracklib.so, then
> > >> this is why you are having a problem.
> > >>
> > >> $ man pam_cracklib
> > >>
> > >> It is a local security library for enforcing strong password
> > >> practices from the unix cli.
> > >>
> > >> ProTip:
> > >> If you don't need this, you can remove it from pam. If you want to
> > >> work around this, set your password from the IPA webui or via the
> > >> cli: "ipa passwd username"
> > >>
> > >> Hope this info helps!
> > >>
> > >> "Keeping your head in the cloud"
> > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >> JR Aquino
> > >>
> > >> Senior Information Security Specialist, Technical Operations
> > >> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
> > >> GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
> > >> JR.Aquino at citrix.com
> > >>
> > >> Powering mobile workstyles and cloud services
> > >>
> > >> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
> > >>
> > >> Hey all;
> > >>
> > >> I'm running IPA internally to control access to our cloud
> > >> environment.
> > >>
> > >> I must admit, I do not understand the password requirements. I have
> > >> had them set to the defaults. I read this:
> > >>
> > >> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
> > >>
> > >> I have the minimum character classes set to 0. When people use SSH to
> > >> change their passwords, they get "Based on a dictionary word" for
> > >> passwords that have nothing to do with dictionary words.
> > >>
> > >> I can't find anywhere in the documentation a break down of what makes
> > >> an unacceptable versus acceptable password.
> > >>
> > >> Can anyone help me figure out what to tell my users? I think people
> > >> would get a lot less frustrated if they knew why "C679V375" was "too
> > >> simple" when the password policy has 0 required classes.
> > >>
> > >> Tim Hildred, RHCE
> > >> Content Author II - Engineering Content Services, Red Hat, Inc.
> > >> Brisbane, Australia
> > >> Email: thildred at redhat.com
> > >> Internal: 8588287
> > >> Mobile: +61 4 666 25242
> > >> IRC: thildred
> > >>
> > >> ps: funny exchange with user:
> > >> Jul 12 14:12:33 <user1> i feel like im being punked
> > >> Jul 12 14:12:40 <user1> it is based on a dictionary word
> > >> Jul 12 14:12:43 <user1> it is too short
> > >> Jul 12 14:12:49 <user1> is does not have enough unique letters
> > >> Jul 12 14:12:51 <user1> etc
> > >>
> > >> _______________________________________________
> > >> Freeipa-users mailing list
> > >> Freeipa-users at redhat.com
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
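
Added example, not part of the original messages and not FreeIPA project code: a POSIX shell wrapper around the two commands quoted in the thread (`ipa host-disable`, then `ipa host-mod --password=...`), with hostname validation and a freshly generated OTP. The function names and the example hostname are hypothetical, and an admin Kerberos ticket is assumed to be held already.

```shell
#!/bin/sh
# Added example; function names are hypothetical, the two ipa
# subcommands are the ones quoted in the thread.

# Accept only plain FQDNs. Rejecting a leading '-' keeps a crafted
# hostname from being parsed by the ipa CLI as an option.
valid_fqdn() {
    case "$1" in
        ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# 16 bytes from the kernel CSPRNG, printed as 32 hex characters.
gen_otp() {
    od -An -N16 -tx1 /dev/urandom | tr -dc '0-9a-f'
}

# Unprovision HOST, set a fresh OTP, and print the OTP on stdout so the
# caller can place it in the kickstart post-install script.
# The body runs in a subshell, so variables and `exit` stay local to it.
reprovision_host() (
    host=$1
    if ! valid_fqdn "$host"; then
        echo "refusing invalid hostname: $host" >&2
        exit 2
    fi
    otp=$(gen_otp)
    [ "${#otp}" -eq 32 ] || { echo "OTP generation failed" >&2; exit 3; }
    # Step 1: unprovision the host; the host entry itself is kept.
    ipa host-disable "$host" >&2 || exit 4
    # Step 2: set the enrollment OTP. Caveat: the OTP is an argv element
    # here, so it is visible in the local process list while ipa runs.
    ipa host-mod --password="$otp" "$host" >&2 || exit 5
    printf '%s\n' "$otp"
)

# Usage: ./reprovision.sh client01.example.test
[ "$#" -eq 0 ] || reprovision_host "$1"
```

The distinct exit codes (2 to 5) let a provisioning job tell a rejected hostname apart from a failed `ipa` call.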