On Аўт, 27 жні 2024, Ranbir via FreeIPA-users wrote:
Hello,
Is it possible to enable the sssd profile feature, "with-faillock", for
local accounts, even root, on a freeipa enrolled AlmaLinux 8 host in a
freeipa domain that's in a trust with AD? What a mouthful.
I can enable "with-faillock", but it appears to enable it for local and
trusted users. Please correct me if I'm wrong.
Did you look into man page faillock.conf(5)?
local_users_only
Only track failed user authentications attempts for local
users in /etc/passwd and ignore centralized (AD, IdM, LDAP,
etc.) users. The faillock(8) command will also no longer
track user failed authentication attempts. Enabling this
option will prevent a double-lockout scenario where a user is
locked out locally and in the centralized mechanism.
You don't need to modify PAM configuration for changing these settings,
as they can be updated independently in /etc/security/faillock.conf
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
