No, that does not even allow su – unless you add the –s /bin/bash or some valid 
shell.  I did try a few of these, generally I just put a ! I front of the 
password locally, but since these exist in ldap now instead, not sure that is 
an option.

From: Nicola Canepa [mailto:canep...@mmfg.it]
Sent: Thursday, December 10, 2015 11:55 PM
To: Redmond, Stacy; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Service Accounts via IPA

** BSCA security warning: Do not click links or trust the content unless you 
expected this email and trust the sender – This email originated outside of 
Blue Shield. **
Maybe you can use /usr/sbin/nologin as the shell?

Nicola
Il 10/12/15 19:24, Redmond, Stacy ha scritto:
Generally I will lock a service account on linux so that the account cannot 
login, but users can sudo su – to that user.  As I don’t have access to the 
password field in free ipa, what are my options to set this up as a default for 
service accounts, or how can I modify individual accounts that need access to a 
system, but should not be able to login to the system.  Any help is appreciated.





--



Nicola Canepa

Tel: +39-0522-399-3474

canep...@mmfg.it<mailto:canep...@mmfg.it>

---

Il contenuto della presente comunicazione è riservato e destinato 
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona 
diversa dal destinatario sono proibite la diffusione, la distribuzione e la 
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e 
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati 
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non 
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti 
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti, 
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può 
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a 
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle 
parti.



The content of the above communication is strictly confidential and reserved 
solely for the referred addressees. In the event of receipt by persons 
different from the addressee, copying, alteration and distribution are 
forbidden. If received by mistake we ask you to inform us and to destroy and/or 
delete from your computer without using the data herein contained. The present 
message (eventual annexes inclusive) shall not be considered a contractual 
proposal and/or acceptance of offer from the addressee, nor waiver recognizance 
of rights, debts  and/or credits, nor shall it be binding when not executed as 
a subsequent agreement by persons who could lawfully represent us. No 
pre-contractual liability shall apply to us when the present communication is 
not followed by any binding agreement between the parties.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to