On 06/08/2011 07:48 PM, Steven Jones wrote:
> Hi,
>
> nsswitch atatched.
>
> Which pam files?

The pam configuration files.
On my RHEL6 it is in /etc/pam.d/system-auth which is usually a link to a
file in the same directory.
I think in 5.6 is it similar. I do not have 5.6 machine handy to check.
 
> regards
> ________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Thursday, 9 June 2011 11:32 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/08/2011 06:57 PM, Steven Jones wrote:
>
> Attached are F15 adnd RHEL5.6 conf scripts.
>
>
> You have not attached pam configurations and nsswitch for 5.6.
>
> regards
> ________________________________________
> From: 
> freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
> [freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>] 
> on behalf of Steven Jones 
> [steven.jo...@vuw.ac.nz<mailto:steven.jo...@vuw.ac.nz>]
> Sent: Thursday, 9 June 2011 10:31 a.m.
> To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> Hi,
>
> These files/clients have all been configured by the ipa-client-install 
> script, so any settings are standard, I have modified nothing.
>
> So when I built all 3 client/workstations I made a default user jonesst1 at 
> build time with password 1 and its the same across all three.
>
> So in the freeipa server I set password2 for jonesst1 which is different so I 
> know that I am getting a centralised login....really basic stuff.
>
> So then using the ipa-client-install script I joined them each in turn to 
> IPA....for F15 and 6.1 clients they now accept the IPA password2 without an 
> issue...for RHEL 5.6 it initially asked to reset the password....and I only 
> had 1 hour......later logins are fine.
>
> So my use case is nothing more than a simple centralised login......
>
> regards
>
> ________________________________________
> From: 
> freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
> [freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>] 
> on behalf of Dmitri Pal [d...@redhat.com<mailto:d...@redhat.com>]
> Sent: Thursday, 9 June 2011 8:56 a.m.
> To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/08/2011 04:04 PM, Steven Jones wrote:
>
>
> Hi,
>
> Can you fix 5.6 so it runs the ipa-client-install script the same way then 
> please? because running the same command giving differing results seems 
> strange....unless you are telling me its simply the way rhel5.6 will work?
>
>
> Well the problem is that SSSD is not in 5.6 by default. ipa-client on
> 5.6 configures LDAP+Kerberos. In fedora there is SSSD and it is
> configured. In 5.7 there will be a new ipa-client that will act in the
> same way as in RHEL 6 or Fedora.
>
> But the expectation is that they should act in the same way now. But
> apparently there is some difference.
>
> We need to understand exactly what is your use case.
> What is configured in your nsswitch and pam config on RHEL and Fedora?
> And if in one case it is SSSD and not in the other we need to see SSSD
> configuration and LDAP and Kerberos configuration files.
>
>
>
>
> regards
>
> Steven
> ________________________________________
> From: 
> freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com> 
> [freeipa-users-boun...@redhat.com<mailto:freeipa-users-boun...@redhat.com>] 
> on behalf of Dmitri Pal [d...@redhat.com<mailto:d...@redhat.com>]
> Sent: Thursday, 9 June 2011 5:00 a.m.
> To: freeipa-users@redhat.com<mailto:freeipa-users@redhat.com>
> Subject: Re: [Freeipa-users] Inconsistant first login behaviour
>
> On 06/07/2011 10:36 PM, Steven Jones wrote:
>
>
> Logging into the F15 client and I just login with the ldap password...
>
> If I try the same thing with RHEL5.6 I get told I have one hour to password 
> expiry....
>
> I'd like it to do one or other across platforms....and be able to set this 
> behaviour, per user....or not at all.
>
>
>
> This is probably because in one case you log using LDAP password and in
> another as Kerberos credential. The underlying password string is the
> same but other properties like expiration are different as you see.
> To have the consistent experience configure both systems to use same
> type of the credential.
>
>
>
>
> regards
>
> Steven
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to