We run almost the exact same setup... which is sufficient, but not as great as it could be (basically the password-changing issues you've noted). We've also noticed that a single bad login attempt gets counted multiple times on the IPA server, so you can get locked accounts quicker than expected.

There was a guy on the list who had what sounded like a very promising alternative to this that did some LDAP DB modifications, but I tried so many times to do it and could never get it to work :( The link is:


https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html

There is some good information, but I could just never get it to work... Would love it if someone would walk through that one step by step in a little more detail.

Also, as an aside... if you changed your password via the FreeIPA GUI (or from another Linux machine), you can update the FileVault password by issuing a "sudo" command... I usually just do "sudo -l" and then you're good. Not sure why, but we found that out over the years.

Also, we edit a few other PAM files: screensaver (so when you unlock you get a new ticket) and passwd (I think so you can change it from the command line, although I'm not 100% sure that works).

cat > /etc/pam.d/screensaver << 'EOF'
# Kerberos first: reuse the password already typed at the lock screen so a
# fresh ticket is obtained on unlock. If Kerberos fails, the required
# pam_opendirectory line below still decides whether the unlock succeeds.
auth       optional       pam_krb5.so use_first_pass use_kcminit default_principal
auth       sufficient     pam_krb5.so use_first_pass default_principal
auth       required       pam_opendirectory.so use_first_pass nullok
# Account checks: a user unlocking their own session passes via pam_self;
# anyone else must be a member of admin or wheel.
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
account    required       pam_group.so no_warn deny group=admin,wheel ruser fail_safe
EOF

cat > /etc/pam.d/passwd << 'EOF'
# Try the password change against Kerberos (FreeIPA) first; "sufficient"
# stops there on success and falls through to Open Directory on failure.
password   sufficient     pam_krb5.so
auth       required       pam_permit.so
account    required       pam_opendirectory.so
password   required       pam_opendirectory.so
session    required       pam_permit.so
EOF


On 06/14/2017 12:02 PM, Jason Sherrill via FreeIPA-users wrote:
Hello All,

I have recently submitted a HowTo <https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10.12> for FreeIPA. I'd very much appreciate any feedback or editing on it. I don't want to link to it without a review. Thanks!

--

*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
