I do the same thing on most deployments. I usually just assign a large random password to the service account.
Marc Boorshtein
CTO, Tremolo Security, Inc.

On Dec 11, 2015 12:15 PM, "Redmond, Stacy" <stacy.redm...@blueshieldca.com> wrote:

> No, that does not even allow su - unless you add the -s /bin/bash or some valid shell. I did try a few of these; generally I just put a ! in front of the password locally, but since these exist in LDAP now instead, not sure that is an option.
>
> *From:* Nicola Canepa [mailto:canep...@mmfg.it]
> *Sent:* Thursday, December 10, 2015 11:55 PM
> *To:* Redmond, Stacy; freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Service Accounts via IPA
>
> Maybe you can use /usr/sbin/nologin as the shell?
>
> Nicola
>
> On 10/12/15 19:24, Redmond, Stacy wrote:
>
> > Generally I will lock a service account on Linux so that the account cannot log in, but users can sudo su - to that user. As I don't have access to the password field in FreeIPA, what are my options to set this up as a default for service accounts, or how can I modify individual accounts that need access to a system but should not be able to log in to the system? Any help is appreciated.
>
> --
> Nicola Canepa
> Tel: +39-0522-399-3474
> canep...@mmfg.it
>
> ---
>
> The content of the above communication is strictly confidential and reserved solely for the referred addressees. In the event of receipt by persons different from the addressee, copying, alteration and distribution are forbidden. If received by mistake we ask you to inform us and to destroy and/or delete from your computer without using the data herein contained. The present message (eventual annexes inclusive) shall not be considered a contractual proposal and/or acceptance of offer from the addressee, nor waiver recognizance of rights, debts and/or credits, nor shall it be binding when not executed as a subsequent agreement by persons who could lawfully represent us. No pre-contractual liability shall apply to us when the present communication is not followed by any binding agreement between the parties.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
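A host-side check for the arrangement discussed in this thread (service accounts served from IPA that carry a non-login shell), added here as an example and not part of any message above: it reads passwd records in the shape `getent passwd` prints and flags any listed service account whose shell would still permit an interactive login. The account names and records are constructed for the example.

```shell
#!/bin/sh
# Host-side audit: do the IPA-served service accounts really have a
# non-interactive login shell? Reads passwd-format records (the shape
# `getent passwd` prints) on stdin and reports each listed service
# account whose shell would still permit an interactive login.
# Account names and records below are constructed for this example.

NON_LOGIN_SHELLS='/usr/sbin/nologin /sbin/nologin /bin/false'

# is_locked_shell SHELL -> true when SHELL is a known non-login shell
is_locked_shell() {
    for s in $NON_LOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_service_shells "name1 name2 ..." < passwd-records
# Prints one OK/FAIL line per service account found; returns 1 if any FAIL.
audit_service_shells() {
    rc=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        for svc in $1; do
            [ "$name" = "$svc" ] || continue
            if is_locked_shell "$shell"; then
                echo "OK   $name shell=$shell"
            else
                echo "FAIL $name shell=$shell (interactive login possible)"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample of what SSSD might hand back for `getent passwd`.
SAMPLE='svc-backup:*:1205:1205:Backup service:/var/lib/backup:/usr/sbin/nologin
svc-deploy:*:1206:1206:Deploy service:/home/svc-deploy:/bin/bash
alice:*:1001:1001:Alice:/home/alice:/bin/bash'

printf '%s\n' "$SAMPLE" | audit_service_shells "svc-backup svc-deploy" \
    || echo "audit: at least one service account still has a login shell"
```

On a real host, replace the sample with `getent passwd | audit_service_shells "..."`; an account that passes this check is, as Stacy notes above, only reachable through sudo with an explicit `-s /bin/bash`.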