Re: [Freeipa-users] Account/password expirations

2016-05-01 Thread Prasun Gera
It turns out that this was a permissions issue. Everything works now. Thanks.
On Sat, Apr 30, 2016 at 11:26 PM, Prasun Gera wrote:
> Ah, this doesn't work on Ubuntu (14.04). The command itself works, but
> sshd on Ubuntu probably isn't compiled with support for this

Re: [Freeipa-users] Account/password expirations

2016-04-30 Thread Prasun Gera
Ah, this doesn't work on Ubuntu (14.04). The command itself works, but sshd on Ubuntu probably isn't compiled with support for this, although I see "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" in sshd_config. I don't think the freeipa/sssd PPAs package sshd. Any way to get this working

Re: [Freeipa-users] Account/password expirations

2016-04-29 Thread Anon Lister
Yep sorry I missed that. You need to put your public keys in IPA.
On Apr 29, 2016 3:32 AM, "Jakub Hrozek" wrote:
On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> >
> > You can still authenticate with SSH keys, but to access any NFS 4 shares
> > they will need a

Re: [Freeipa-users] Account/password expirations

2016-04-29 Thread Jakub Hrozek
On Thu, Apr 28, 2016 at 09:14:48PM -0400, Prasun Gera wrote:
> >
> > You can still authenticate with SSH keys, but to access any NFS 4 shares
> > they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> > logging in.
> >
>
> Then how does the key authentication work if the

Re: [Freeipa-users] Account/password expirations

2016-04-28 Thread Prasun Gera
>
> You can still authenticate with SSH keys, but to access any NFS 4 shares
> they will need a Kerberos ticket, which can be obtained via a 'kinit' after
> logging in.
>
Then how does the key authentication work if the .ssh directory on nfs4 is not accessible? Doesn't the key authentication

Re: [Freeipa-users] Account/password expirations

2016-04-28 Thread Anon Lister
You can still authenticate with SSH keys, but to access any NFS 4 shares they will need a Kerberos ticket, which can be obtained via a 'kinit' after logging in. I forget what the default timeout is but they do expire, and at that point access to those shares (by a user or process acting as that

Re: [Freeipa-users] Account/password expirations

2016-04-28 Thread Prasun Gera
>
> Moreover, if you login through an SSH key, you don't get a ticket on
> login and you can't kinit, so you can't access any network resources
> anyway..
>
>
A bit off topic, but a related question: How does nfsv4 work with ssh keys? Does it mean that you can't use ssh keys if /home is nfsv4

Re: [Freeipa-users] Account/password expirations

2016-04-28 Thread Steve Huston
Unfortunately I've been swapping tasks enough that I keep forgetting where I left off here. But I'm pretty sure the problem was that sssd would stop a user who was disabled (as you mention) but not if they were expired, either the account itself with krbPrincipalExpiration or the password with

Re: [Freeipa-users] Account/password expirations

2016-04-21 Thread Jakub Hrozek
On Thu, Apr 21, 2016 at 01:26:19PM -0400, Steve Huston wrote:
> On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek wrote:
> > Did you test that this actually fails with id_provider=ipa? I would
> > assume the IPA KDC would kick you out and prompt for a new password..
>
> If

Re: [Freeipa-users] Account/password expirations

2016-04-21 Thread Steve Huston
On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek wrote:
> Did you test that this actually fails with id_provider=ipa? I would
> assume the IPA KDC would kick you out and prompt for a new password..
If you're using a password, yes it kicks back and requires you to change it.

Re: [Freeipa-users] Account/password expirations

2016-04-19 Thread Jakub Hrozek
On Mon, Apr 18, 2016 at 12:54:48PM -0400, Steve Huston wrote:
> Following instructions in
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html
> sort-of works to get this done, but I wonder if there's a better way
> to do it. My

[Freeipa-users] Account/password expirations

2016-04-18 Thread Steve Huston
Following instructions in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-pwd-expiry.html sort-of works to get this done, but I wonder if there's a better way to do it. My goal is twofold: when users are created, they will be required to have a