Ah!! Much appreciated pointer. Will set up a test. Thanks!

On March 22, 2022 7:29:34 PM EDT, Yehuda Katz <yeh...@ymkatz.net> wrote:
>I don't think we created this ourselves, but it isn't too difficult to
>create if needed - we use this to expose the password hashes to radius.
>Create or look for a "Read User Password" Permission in RBAC in the web
>interface or command line. Create a role with that permission for your
>service account and assign that role to your service user.
>
>- Y
>
>Sent from a device with a very small keyboard and hyperactive
>autocorrect.
>
>On Tue, Mar 22, 2022, 7:17 PM Jim Kinney via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>> I have the system set to use CRYPT-SHA512 as password store method. For
>> antiquated reasons I need to generate a shadow file from data stored in
>> freeipa.
>> I would greatly prefer to not have to use the cn=Directory Manager and use
>> a different binddn. But it seems only the DM has the ability to actually
>> retrieve userpasswd.
>>
>> The pain point is the password entry. -y file doesn't work - ldap-bind:
>> Invalid credentials (49). The stored password is correct and perms are 0600
>> and in /root. The DM is not in the Kerberos database so I can't use a
>> keytab and -YGSSAPI. The only method that works is the password entered on
>> the cli.
>> Ugh. That is unpleasant.
>>
>> This needs to run on a systemd timer to autogenerate the shadow file (and
>> passwd and group files but those are easy) for a few thousand nodes that
>> can't fail due to a network outage with freeipa (IdM actually). This is to
>> handle user password changes and group membership changes in an HPC
>> environment. I can dump in the passwd with expect. Just wondering if
>> there's a way to set up a special password hash reading account with a
>> keytab and not use the Directory Manager and password.
>> --
>> Computers amplify human error
>> Super computers are really cool
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>

-- 
Computers amplify human error
Super computers are really cool
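As an added example (not code from the thread or from FreeIPA), the pattern Yehuda describes carried through in shell: a service account that holds a role with the "Read User Password" permission binds with its keytab over GSSAPI instead of cn=Directory Manager, and the returned LDIF is turned into shadow(5) lines. The account name, keytab path, realm, base DN and server are placeholders; GNU coreutils (base64, date) is assumed, and the sample LDIF and hashes are constructed.

```shell
# Added example, not from the thread. Assumes a service account "shadowgen" that
# holds a role with the "Read User Password" permission, its keytab at
# /etc/shadowgen.keytab, GNU coreutils, and the placeholder values below.
KEYTAB=/etc/shadowgen.keytab
PRINC='shadowgen@EXAMPLE.COM'                 # placeholder principal
BASE='cn=users,cn=accounts,dc=example,dc=com' # placeholder base DN
URI='ldap://ipa.example.com'                  # placeholder server
# Bind with the keytab (no DM password on disk) and dump unwrapped LDIF.
fetch_ldif() {
    kinit -k -t "$KEYTAB" "$PRINC" &&
    ldapsearch -LLL -o ldif-wrap=no -H "$URI" -Y GSSAPI -b "$BASE" \
        '(objectClass=posixAccount)' uid userPassword krbLastPwdChange
}
# GeneralizedTime (20220322192934Z) -> days since the epoch, as shadow(5) wants.
gt_to_days() {
    ts=$(printf '%s' "$1" | sed -E 's/^(.{4})(.{2})(.{2})(.{2})(.{2})(.{2})Z$/\1-\2-\3 \4:\5:\6/')
    secs=$(date -u -d "$ts" +%s 2>/dev/null) && echo $((secs / 86400))
}
# One shadow line; anything that is not a {CRYPT}$6$ hash is emitted locked ("!!")
# so a node never receives a hash it cannot verify, or an empty password field.
emit_entry() {
    case "$2" in
        '{CRYPT}$6$'*) printf '%s:%s:%s:0:99999:7:::\n' "$1" "$(printf '%s' "$2" | sed 's/^{CRYPT}//')" "$3" ;;
        *)             printf '%s:!!:%s:0:99999:7:::\n' "$1" "$3" ;;
    esac
}
# LDIF on stdin -> shadow lines; handles "attr: v" and the base64 "attr:: v" form.
ldif_to_shadow() {
    uid=; hash=; last=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            'dn: '*)               uid=; hash=; last= ;;
            'uid: '*)              uid=${line#'uid: '} ;;
            'userPassword:: '*)    hash=$(printf '%s' "${line#'userPassword:: '}" | base64 -d) ;;
            'userPassword: '*)     hash=${line#'userPassword: '} ;;
            'krbLastPwdChange: '*) last=$(gt_to_days "${line#'krbLastPwdChange: '}") ;;
            '')                    [ -z "$uid" ] || emit_entry "$uid" "$hash" "$last"; uid= ;;
        esac
    done
    [ -z "$uid" ] || emit_entry "$uid" "$hash" "$last"
}
# Constructed sample of what fetch_ldif returns (hash values are not real).
sample_ldif() {
    h='{CRYPT}$6$Xy7qKd2P$constructedNotARealHash'
    printf 'dn: uid=alice,%s\nuid: alice\nuserPassword:: %s\nkrbLastPwdChange: 20220322192934Z\n\n' \
        "$BASE" "$(printf '%s' "$h" | base64 | tr -d '\n')"
    printf 'dn: uid=bob,%s\nuid: bob\nuserPassword: {SSHA512}Y29uc3RydWN0ZWQ=\nkrbLastPwdChange: 20220101000000Z\n' "$BASE"
}
# Real run from the timer: write to a temp file, then mv it over /etc/shadow.
if [ "${1:-}" = --run ]; then fetch_ldif | ldif_to_shadow; fi
```

Bob's entry shows the caveat for a store that was switched to CRYPT-SHA512: users who have not changed their password since still carry the old scheme and get a locked field rather than a hash the node cannot check.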