Hi,

I was able to install el5 ipa-client

Schema:

ipa server: centos 6.x
client ipa: centos 5.x

following these steps:

https://www.redhat.com/archives/freeipa-users/2009-January/msg00021.html

next challenge: implement SUDO rule...


On Wed, Aug 14, 2013 at 9:00 AM, <freeipa-users-requ...@redhat.com> wrote:

> Today's Topics:
>
>    1. Re: Restrict AD users from passwd (Petr Spacek)
>    2. Re: Restrict AD users from passwd (Simo Sorce)
>    3. Re: Restrict AD users from passwd (Brian Lee)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 14 Aug 2013 15:58:10 +0200
> From: Petr Spacek <pspa...@redhat.com>
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Restrict AD users from passwd
> Message-ID: <520b8cf2.6090...@redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 14.8.2013 15:48, Brian Lee wrote:
> > Hi Sumit,
> >
> > Thanks for the suggestion. I'll have to give this some thought, since we
> > have 100+ AD servers, this might not be well received by the AD team. If
> > anyone can think of a better mousetrap than this, let me know.
> >
> > Thanks,
> > Brian
> >
> >
> >
> >
> > On Wed, Aug 14, 2013 at 9:37 AM, Sumit Bose <sb...@redhat.com> wrote:
> >
> >> On Wed, Aug 14, 2013 at 09:19:17AM -0400, Brian Lee wrote:
> >>> Hi All,
> >>>
> >>> Our current account management policy requires that users change their
> >>> AD passwords via a special portal, however I've noticed that this can be
> >>> bypassed by issuing passwd on a Linux system while logged in with AD
> >>> credentials, thus changing their AD password.
> >>>
> >>> Any thoughts on the best way to prevent this action?
> >>>
> >>> What I've considered so far is removing the trust in AD, effectively
> >>> creating a one-way trust, but that would limit functionality for future
> >>> interoperability.
> >>>
> >>> Additionally, we could change the permissions for passwd on each Linux
> >>> system, but this would be somewhat hackish and also complicated to
> >>> enforce, since we're waiting on Foreman + Puppet to properly be integrated
> >>> into Katello for our configuration management solution.
> >>>
> >>> Any way to restrict this via the FreeIPA UI?
> >>
> >> I think the only safe way to achieve this is to block port 464 on the AD
> >> servers for the Linux hosts. Because basically what passwd is doing here
> >> via SSSD is to change the Kerberos password. The same can be done with
> >> the kpasswd command, it does not require any privileges the user only
> >> needs to know his current password. So even if we add an option to force
> >> SSSD to reject password changes for users from trusted domains there are
> >> other ways for users to change the password which cannot be controlled
> >> by IPA.
> >>
> >> Please note that changing the AD password with kpasswd would even work
> >> without trust.
>
> IMHO the correct approach is to enforce password policy on AD side,
> otherwise users can use standard Kerberos protocol and do the change anyway
> (i.e. effectively bypass IPA and your portal completely).
>
> AFAIK AD has some checkbox which determines if the user is allowed to
> change own password or not.
>
> The next question is how 'the portal' does the password change and if it
> will continue to work if you disallow users to change own password on AD
> side.
>
> --
> Petr^2 Spacek
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 14 Aug 2013 10:32:01 -0400
> From: Simo Sorce <s...@redhat.com>
> To: Brian Lee <brian_l...@jabil.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Restrict AD users from passwd
> Message-ID: <1376490721.22218.3.ca...@willson.li.ssimo.org>
> Content-Type: text/plain; charset="UTF-8"
>
> On Wed, 2013-08-14 at 09:48 -0400, Brian Lee wrote:
> > Hi Sumit,
> >
> >
> > Thanks for the suggestion. I'll have to give this some thought, since
> > we have 100+ AD servers, this might not be well received by the AD
> > team. If anyone can think of a better mousetrap than this, let me
> > know.
>
> Do you also block the 'net user' command on Windows clients ?
> It's the same as 'passwd' on Linux clients.
>
> I would address the problem by using proper password policies as I (now)
> see Petr recommended in another email.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 14 Aug 2013 10:38:15 -0400
> From: Brian Lee <brian_l...@jabil.com>
> To: Simo Sorce <s...@redhat.com>
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Restrict AD users from passwd
> Message-ID: <CAO8cXGaeBD=Zjg_2ePANrgPEC+N3cJRXyA=kugrcvwqkyoo...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On the AD side, they limit the potential to change the AD password by
> deploying a modified msgina.dll. Otherwise, the user still has ways
> to throw a wrench in the system; we're just doing our best to limit the
> opportunity for this action.
>
>
> ------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> End of Freeipa-users Digest, Vol 61, Issue 26
> *********************************************
>



-- 
Aissa Brahimi

IT Admin - Support
ItsOn, Inc. itsoninc.com

mobile: 408.858.0304
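The AD-side control that Petr and Simo point to (the "User cannot change password" flag) is the only one in the thread that also covers kpasswd clients outside IPA. The script below is an added example, not code from the thread or from FreeIPA: it audits every enabled user under an OU for that flag and, with -Enforce, sets it; the OU distinguished name is a placeholder, and it assumes the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread): report, and optionally set, the AD
# "User cannot change password" flag for every enabled user under an OU.
# Assumptions: RSAT ActiveDirectory module installed; $SearchBase is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=LinuxUsers,DC=example,DC=com',  # placeholder OU
    [switch]$Enforce                                          # set the flag instead of only reporting
)

Import-Module ActiveDirectory

# CannotChangePassword is a computed property (it reflects a deny ACE for the
# "Change Password" extended right on the user object), so request it explicitly.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                      -Properties CannotChangePassword)

$open = @($users | Where-Object { -not $_.CannotChangePassword })

"{0} enabled users under {1}; {2} can still change their own password" -f `
    $users.Count, $SearchBase, $open.Count

foreach ($u in $open) {
    if ($Enforce) {
        # Only the user's own Change-Password right is denied. An administrative
        # reset (Set-ADAccountPassword -Reset), which is what a password portal
        # normally performs with a privileged account, keeps working, so this is
        # the setting to verify against the portal before rolling it out widely.
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set CannotChangePassword = $true')) {
            Set-ADUser -Identity $u -CannotChangePassword $true
        }
    } else {
        $u.SamAccountName   # audit mode: list who can still self-service via passwd/kpasswd
    }
}
```

Run it without -Enforce first to see the affected accounts, then with -Enforce -WhatIf to preview the changes before applying them.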