Hi All,

Our current account management policy requires that users change their AD
passwords via a special portal; however, I've noticed that this can be
bypassed by issuing passwd on a Linux system while logged in with AD
credentials, thus changing their AD password.

Any thoughts on the best way to prevent this action?

What I've considered so far is removing the trust in AD, effectively
creating a one-way trust, but that would limit functionality for future

Additionally, we could change the permissions for passwd on each Linux
system, but this would be somewhat hackish and also complicated to enforce,
since we're waiting on Foreman + Puppet to properly be integrated into
Katello for our configuration management solution.

Any way to restrict this via the FreeIPA UI?

