On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> Did you test that this actually fails with id_provider=ipa? I would
> assume the IPA KDC would kick you out and prompt for a new password..

If you're using a password, yes, it kicks back and requires you to
change it.  The problem is that if you're not using a password to
authenticate, but instead using an SSH key, then it appears there are no
hooks to check with IPA whether the password (or the principal itself) is
expired and whether the user is allowed to continue to log in.  The
"recommended" way to do this in RHEL6 is to set access_provider to
ldap in sssd, but that doesn't seem to cover all cases and doesn't
play well with other IPA things (like HBAC) from what I can tell.

Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
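An sssd.conf fragment showing the access_provider=ldap workaround mentioned above, added here as an illustration and not taken from the thread or from the SSSD project; the hostnames and search base are made up, and the expiry-related option names and values are assumptions from the sssd-ldap manual page that should be checked against the installed version.

```ini
# Constructed example of the RHEL6-era workaround: keep IPA for identity
# and authentication, but run access control through the LDAP provider so
# that account expiry is checked even when no password is entered
# (e.g. SSH public-key logins, which never reach the IPA KDC).
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.test
ipa_domain = example.test

# Workaround: access control via the LDAP provider instead of ipa.
# As the message notes, this means the ipa access provider no longer
# evaluates HBAC rules for this domain.
access_provider = ldap
ldap_uri = ldaps://ipa.example.test
ldap_search_base = dc=example,dc=test
# Assumed option: interpret expiry/lock attributes the way IPA sets them.
ldap_account_expire_policy = ipa
# Assumed option: deny access when the account is expired or locked.
ldap_access_order = expire
```

This checks the account state, not every password-expiry case, which matches the caveat in the message that the ldap access provider does not cover everything.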
