Unfortunately I've been swapping tasks enough that I keep forgetting
where I left off here.  But I'm pretty sure the problem was that sssd
would stop a user who was disabled (as you mention) but not if they
were expired, either the account itself with krbPrincipalExpiration or
the password with krbPasswordExpiration.  I know that one does not get
a ticket automatically if using ssh public key authentication, which
is fine, but there's a specific mention in the link I referenced
(https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html)
that basically if you do this, then sssd will consult for password
expiration and warn the user accordingly.  That's what I need to
happen, and would like it to be native IPA-ish calls, rather than LDAP
which is what I need to set it to if I want that functionality (which
then also causes other problems, such as losing HBAC and having to set
a filter I've yet to get right to allow users to login to anything).

So if there's a chance of swinging the vote the other way, I'll keep
beating my drum :D

On Thu, Apr 21, 2016 at 3:37 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Thu, Apr 21, 2016 at 01:26:19PM -0400, Steve Huston wrote:
>> On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> > Did you test that this actually fails with id_provider=ipa? I would
>> > assume the IPA KDC would kick you out and prompt for a new password..
>>
>> If you're using a password, yes it kicks back and requires you to
>> change it.  The problem is if you're not using a password to
>> authenticate, but instead using an SSH key, then it appears there's no
>> hooks to check with IPA if the password (or the principal itself) is
>> expired and the user is allowed to continue to login.  The
>> "recommended" way to do this in RHEL6 is to set access_provider to
>> ldap in sssd, but that doesn't seem to cover all cases and doesn't
>> play well with other IPA things (like HBAC) from what I can tell.
>
> Then in my opinion SSSD is behaving correctly there. It wouldn't let in
> a locked user (it would check the nsaccountlock attribute), but I'm not
> sure it would be correct to check krbPasswordExpiration if you're using
> a completely different method to authenticate..
>
> Moreover, if you login through an SSH key, you don't get a ticket on
> login and you can't kinit, so you can't access any network resources
> anyway..
>
> But to be honest, this is something we discussed even among IPA
> developers and we're not in total agreement here either, so maybe others
> will overrule me :)
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
-- 
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
  Princeton University  |    ICBM Address: 40.346344   -74.652242
    345 Lewis Library   |"On my ship, the Rocinante, wheeling through
  Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
    (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
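The three attributes the thread keeps coming back to (nsAccountLock, krbPrincipalExpiration, krbPasswordExpiration) are checked differently depending on how the user authenticates, and the message above says SSSD's ipa provider only honours the first on a key-based SSH login. The following is an added example, not code from the thread, from SSSD or from FreeIPA: a small client-side account check written the way the poster wants the login path to behave, evaluating all three and emitting an expiry warning. The attribute names and the LDAP GeneralizedTime format are the real IPA schema; the user entries, the fixed "now" and the seven-day warning window are constructed assumptions for the demonstration.

```python
"""Added example: evaluate the IPA account/password expiry attributes the way
the poster would like an SSH-key login to be evaluated.  Not SSSD's code."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime as stored by IPA/389-ds, e.g. 20160501120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_account(entry, now, warn_days=7):
    """Return (allowed, reason, warning).

    entry: dict of LDAP attribute name -> string value; a missing key means the
    attribute is not set on the entry.  The order matters on a public-key SSH
    login, where no password is ever presented to the KDC:
      1. nsAccountLock           disabled account (the check the thread says the
                                 ipa provider already performs)
      2. krbPrincipalExpiration  the principal itself has expired
      3. krbPasswordExpiration   password expired, or expiring within warn_days
    """
    if entry.get("nsAccountLock", "FALSE").upper() == "TRUE":
        return False, "account disabled (nsAccountLock)", None

    princ_exp = entry.get("krbPrincipalExpiration")
    if princ_exp and parse_generalized_time(princ_exp) <= now:
        return False, "principal expired (krbPrincipalExpiration)", None

    pw_exp = entry.get("krbPasswordExpiration")
    if pw_exp:
        pw_until = parse_generalized_time(pw_exp)
        if pw_until <= now:
            return False, "password expired (krbPasswordExpiration)", None
        remaining = pw_until - now
        if remaining <= timedelta(days=warn_days):
            # Whole days only, so "2 day(s)" may mean anywhere from 2 to 3 days.
            return True, "ok", "password expires in %d day(s)" % remaining.days

    return True, "ok", None


# Constructed sample directory entries and a fixed clock for the demonstration.
NOW = datetime(2016, 4, 22, 12, 0, 0, tzinfo=timezone.utc)

SAMPLE_USERS = {
    "alice": {"krbPrincipalExpiration": "20170101000000Z",
              "krbPasswordExpiration": "20161001000000Z"},   # healthy
    "bob":   {"nsAccountLock": "TRUE"},                       # disabled
    "carol": {"krbPrincipalExpiration": "20160401000000Z"},   # principal expired
    "dave":  {"krbPasswordExpiration": "20160101000000Z"},    # password expired
    "erin":  {"krbPasswordExpiration": "20160425000000Z"},    # expires in ~2.5 days
}


def decide(username, now=NOW):
    """Run the check for one of the constructed sample users."""
    return check_account(SAMPLE_USERS[username], now)


if __name__ == "__main__":
    for name in SAMPLE_USERS:
        allowed, reason, warning = decide(name)
        line = "%-6s %s  %s" % (name, "ALLOW" if allowed else "DENY ", reason)
        if warning:
            line += "  [warning: %s]" % warning
        print(line)
```

The point of running it against the five constructed entries is that only bob is caught by the nsAccountLock check; carol, dave and erin are exactly the cases the poster says pass through unnoticed when no password is involved.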