On 16/07/2022 11:09, Harald Dunkel via FreeIPA-users wrote:
I've got a few colleagues running Debian 10 or 11 on a laptop. Their account
is managed by FreeIPA in the office. On first-time login their laptop is
wired to the office lan.

When they are in home office they have a VPN connection (IPsec, wireguard
or openvpn) to the office, but since both wlan and VPN are usually activated
by Network Manager *after* login time I wonder what needs to be done to
update the login information cached by sssd, esp if the user has changed his
login password in the FreeIPA web interface?

By now I tried

     kinit username
     sss_cache -E
     service sssd restart

This did not help. kinit accepts the new password, of course, but it doesn't
update the cache, nor do the others.

kinit is a standalone program that doesn't do anything with the password other than use it to get a TGT from the KDC, so running it won't update sssd's cached password.

You need to perform a login via PAM (e.g., have the user lock & unlock their session, or run 'sudo -k && sudo -l'); sssd will cache the user's password after it gets a TGT on behalf of the user.

The user experience for this is not ideal (it's something my organization suffers from as well). My two ideas for how to improve it are:

 * A VPN that connects on boot, using the host's identity instead
   of the user (ideally combined with some clever Enterprise networking
   solution that puts the client into a separate network where it can
   do very little other than reach your KDCs until the user has
   authenticated)
 * Make the KDC service accessible to the Internet via ms-kkdcp, which
   is supported by FreeIPA, but I think you have to make some changes
   to kdc.conf on the clients as well

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
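The "lock & unlock" step above can be triggered automatically once the VPN is up. The following NetworkManager dispatcher script is an added example, not code from the thread or from FreeIPA/sssd: on a `vpn-up` event it checks that the Kerberos port on the IPA server answers and then locks every seat-bound session, so the next unlock goes through the screen locker's PAM stack (pam_sss), which is the path that refreshes sssd's cached password and obtains a TGT. The KDC host name, the script's path and name, and the use of `nc` for the port check are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): NetworkManager dispatcher script that
# automates "lock & unlock" after the office network becomes reachable.
# Suggested location (this example's choice): /etc/NetworkManager/dispatcher.d/90-sssd-reauth
# Must be root-owned and mode 0755, like every dispatcher script.
# Assumptions: KDC_HOST is your FreeIPA server; nc (netcat) is installed.

KDC_HOST="${KDC_HOST:-ipa.example.com}"   # placeholder, set to your IPA server
KDC_PORT=88

# NetworkManager calls dispatcher scripts with $1 = interface and $2 = action
# (up, down, vpn-up, vpn-down, ...). Only a VPN coming up is treated as
# "the office KDC may be reachable again".
office_reachable_event() {
    case "$1" in
        vpn-up) return 0 ;;
        *)      return 1 ;;
    esac
}

# TCP reachability check of the Kerberos port. If the KDC cannot be reached,
# locking sessions would only force an offline (cached) authentication again.
kdc_reachable() {
    nc -z -w 3 "$KDC_HOST" "$KDC_PORT" >/dev/null 2>&1
}

# Read `loginctl list-sessions --no-legend` output on stdin and print the IDs
# of sessions bound to a seat (4th column looks like "seat0"). SSH sessions show
# an empty seat on older systemd and "-" on newer ones; locking them is useless.
seat_sessions() {
    awk '$4 ~ /^seat/ { print $1 }'
}

# Lock each seat session; the user's unlock then authenticates via PAM -> pam_sss.
lock_seat_sessions() {
    loginctl list-sessions --no-legend | seat_sessions | while read -r sid; do
        logger -t sssd-reauth "VPN up and KDC reachable: locking session $sid so the unlock refreshes sssd's credential cache"
        loginctl lock-session "$sid"
    done
}

main() {
    action="$2"
    office_reachable_event "$action" || exit 0
    kdc_reachable || exit 0
    lock_seat_sessions
}

# NetworkManager always passes two arguments; run by hand without them, the
# script does nothing, so the helper functions can be exercised on their own.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

On an IPA-enrolled Debian client the screen locker (gdm/GNOME, KDE, lightdm) authenticates through the normal PAM stack, so `common-auth` with `pam_sss` is what runs on unlock. Users on a text console or over SSH are not covered by this script; for them the manual `sudo -k && sudo -l` remains the way to force a PAM authentication. If a forced lock is too intrusive, the `loginctl lock-session` line can be replaced by a desktop notification asking the user to lock and unlock.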
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
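For the second idea in the reply above (publishing the KDC via MS-KKDCP), the client-side change lives in the realm section of /etc/krb5.conf: the `kdc` and `kpasswd_server` entries become `https://` URLs pointing at the FreeIPA server's `/KdcProxy` endpoint, which MIT Kerberos clients then use instead of port 88. The script below is an added example, not from the thread or from FreeIPA: it embeds a constructed krb5.conf with such a stanza (realm and host names are placeholders) and checks whether every KDC entry of a realm goes through KKDCP, i.e. whether `kinit` would work from a laptop that has no VPN and no route to port 88.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a krb5.conf realm section and
# report whether its KDC entries use FreeIPA's KKDCP endpoint (https://.../KdcProxy)
# rather than a plain host:port that is only reachable over the VPN.
# The configuration text is constructed for this example; EXAMPLE.COM and
# ipa.example.com are placeholders.

SAMPLE_KRB5_CONF='[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    kdc = https://ipa.example.com/KdcProxy
    kpasswd_server = https://ipa.example.com/KdcProxy
  }
'

# Print the kdc = / kpasswd_server = values of one realm from krb5.conf text on stdin.
# Tracks the current [section] and the braces of the requested realm only.
realm_kdcs() {
    awk -v realm="$1" '
        /^\[/ { section = $0 }
        section == "[realms]" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/ { inrealm = 0 }
        inrealm && ($1 == "kdc" || $1 == "kpasswd_server") && $2 == "=" { print $3 }
    '
}

# Succeed only if the realm has KDC entries and all of them are https:// URLs.
# A single plain host:port entry means libkrb5 may still try port 88 directly.
realm_uses_kkdcp() {
    entries=$(realm_kdcs "$1")
    [ -n "$entries" ] || return 1
    echo "$entries" | grep -qv '^https://' && return 1
    return 0
}

# Human-readable verdict for the embedded sample configuration.
kkdcp_report() {
    if echo "$SAMPLE_KRB5_CONF" | realm_uses_kkdcp "$1"; then
        echo "$1: all KDC entries use KKDCP"
    else
        echo "$1: some KDC entries use port 88 directly; VPN required"
    fi
}

# Run against the real client configuration:  realm_uses_kkdcp EXAMPLE.COM </etc/krb5.conf
kkdcp_report EXAMPLE.COM
```

Two caveats a practitioner should check before relying on this. First, sssd writes its own KDC location for the realm into /var/lib/sss/pubconf/kdcinfo.REALM and libkrb5 prefers that over krb5.conf; whether `krb5_use_kdcinfo = False` in sssd.conf is needed so that PAM logins through pam_sss also go via the proxy is something to verify against the sssd.conf man page for your version. Second, KKDCP carries Kerberos only: the IPA provider in sssd also talks LDAP to the server, so identity lookups still need the VPN even when `kinit` succeeds over HTTPS.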
