On Wed, 18 Apr 2018, Rob Brown via FreeIPA-users wrote:
Just thinking outside the box here:
I'm not sure if $ is a "legal" character to use in usernames, but probably
highly unlikely.
What if we could tell passhook to just ignore "usernames" that end in
'$'?
// Assumes the PasswordChangeNotify signature, where UserName is a
// PUNICODE_STRING (Length counted in bytes, Buffer not NUL-terminated).
// If UserName is NULL or empty, just return STATUS_SUCCESS
if (UserName == NULL || UserName->Length == 0) {
    goto exit;
}
// If UserName is a computer account (name ends in '$'), just return STATUS_SUCCESS
if (UserName->Buffer[UserName->Length / sizeof(WCHAR) - 1] == L'$') {
    goto exit;
}
(disclaimer: I don't know c++, just googled to illustrate the idea only.)
'$' sign is only used for machine, domain, and trusted domain object
accounts. Yes, taking that into account for filtering could be a
possibility.
You'd need to file a ticket against
https://pagure.io/passsync or in
bugzilla.
On Wed, Apr 18, 2018 at 5:11 PM, Rob Crittenden <rcritten(a)redhat.com> wrote:
> Rob Brown via FreeIPA-users wrote:
> > I have passsync configured and working just fine, but with one minor
> > annoyance:
> > the passsync.log file is filled with "computer account" password changes.
> >
> > Example: (first one is a user passwd change, second is computer account.)
> >
> > 04/16/18 09:02:02: Received passhook event. Attempting sync
> > 04/16/18 09:02:02: 1 new entries loaded from data file
> > 04/16/18 09:02:02: Cleared contents of data file
> > 04/16/18 09:02:02: Password list has 1 entries
> > 04/16/18 09:02:02: Attempting to sync password for userA
> > 04/16/18 09:02:02: Searching for (ntuserdomainid=userA)
> > 04/16/18 09:02:02: Password modified for remote entry:
> > uid=userA,cn=users,cn=accounts,dc=domain,dc=com
> > 04/16/18 09:02:02: Removing password change from list
> > 04/16/18 09:02:02: Password list is empty. Waiting for passhook event
> > 04/16/18 09:10:50: Received passhook event. Attempting sync
> > 04/16/18 09:10:50: 1 new entries loaded from data file
> > 04/16/18 09:10:50: Cleared contents of data file
> > 04/16/18 09:10:50: Password list has 1 entries
> > 04/16/18 09:10:50: Attempting to sync password for computerA$
> > 04/16/18 09:10:50: Searching for (ntuserdomainid=computerA$)
> > 04/16/18 09:10:50: There are no entries that match: computerA$
> > 04/16/18 09:10:50: Deferring password change for computerA$
> > 04/16/18 09:10:50: Backing off for 2000ms
> > 04/16/18 09:10:52: Backoff time expired. Attempting sync
> > 04/16/18 09:10:52: Password list has 1 entries
> > 04/16/18 09:10:52: Attempting to sync password for computerA$
> > 04/16/18 09:10:52: Searching for (ntuserdomainid=computerA$)
> > 04/16/18 09:10:52: There are no entries that match: computerA$
> > 04/16/18 09:10:52: Deferring password change for computerA$
> > 04/16/18 09:10:52: Backing off for 4000ms
> >
> > ...and so on.
> >
> >
> > Firstly: wondering if that's "normal" to see?
> > Second: Is it possible to configure passsync to only look for user
> > password changes and ignore computer accounts? (or at least not log
> > them). I coulda sworn I stumbled across something in the past showing
> > how to configure it that way, but cannot find anything today.
>
> There is no way to do this. Passsync doesn't know what suffix it should
> handle passwords for so there is no way to specify what should be
> included/excluded.
>
> rob
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
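An added example, not code from passsync or passhook and not from anyone in this thread: the trailing-'$' filter sketched above, written as portable C++ with a stand-in for the Windows UNICODE_STRING the real hook receives (its Length is in bytes, which is the easy thing to get wrong), plus a small check over passsync.log-style lines that shows how much of the deferral/back-off noise is computer accounts rather than users who are genuinely missing from the directory. The struct, the function names and the sample log lines are constructed for the example.

```cpp
// Added example (not passsync/passhook code): a trailing-'$' filter of the
// kind suggested in the thread, plus a check over passsync.log-style lines.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for the Win32 UNICODE_STRING that a password filter DLL receives
// in PasswordChangeNotify. Length is in BYTES and Buffer need not be
// NUL-terminated; defined here so the example builds outside Windows.
struct UnicodeStringLike {
    std::uint16_t Length;         // bytes in use
    std::uint16_t MaximumLength;  // bytes allocated
    const wchar_t* Buffer;
};

// True when the name carries the trailing '$' that AD gives machine, domain
// and trusted-domain object accounts. NULL or empty names are not computer
// accounts; the caller decides what to do with them.
bool is_computer_account(const UnicodeStringLike* name) {
    if (name == nullptr || name->Buffer == nullptr) return false;
    std::size_t chars = name->Length / sizeof(wchar_t);  // bytes -> chars
    return chars > 0 && name->Buffer[chars - 1] == L'$';
}

// Same test on a std::wstring, for callers that already own the name.
bool is_computer_account(const std::wstring& name) {
    return !name.empty() && name.back() == L'$';
}

enum class HookAction { Ignore, Queue };

// What the hook would do with a password change for `name`: computer
// accounts (and NULL/empty names) are dropped before they reach the data
// file, so passsync never sees them and never logs the retry loop.
HookAction passhook_decision(const UnicodeStringLike* name) {
    if (name == nullptr || name->Length == 0) return HookAction::Ignore;
    if (is_computer_account(name)) return HookAction::Ignore;
    return HookAction::Queue;
}

// Run the decision over a batch of names; returns those that would be queued.
std::vector<std::wstring> names_to_sync(const std::vector<std::wstring>& names) {
    std::vector<std::wstring> out;
    for (const auto& n : names) {
        UnicodeStringLike u{
            static_cast<std::uint16_t>(n.size() * sizeof(wchar_t)),
            static_cast<std::uint16_t>(n.size() * sizeof(wchar_t)),
            n.c_str()};
        if (passhook_decision(&u) == HookAction::Queue) out.push_back(n);
    }
    return out;
}

// Pull the account name out of each "Deferring password change for X" line
// of passsync.log output (narrow strings, as the log file is written).
std::vector<std::string> deferred_accounts(const std::vector<std::string>& log) {
    const std::string marker = "Deferring password change for ";
    std::vector<std::string> out;
    for (const auto& line : log) {
        std::size_t pos = line.find(marker);
        if (pos != std::string::npos) out.push_back(line.substr(pos + marker.size()));
    }
    return out;
}

// Count deferred entries the '$' filter would have removed, i.e. how much of
// the retry noise is computer accounts rather than genuinely missing users.
std::size_t deferred_computer_accounts(const std::vector<std::string>& log) {
    std::size_t n = 0;
    for (const auto& acct : deferred_accounts(log))
        if (!acct.empty() && acct.back() == '$') ++n;
    return n;
}

// Constructed sample lines, shaped like the ones quoted in the thread.
const std::vector<std::string> kSampleLog = {
    "04/16/18 09:02:02: Attempting to sync password for userA",
    "04/16/18 09:10:50: Attempting to sync password for computerA$",
    "04/16/18 09:10:50: Deferring password change for computerA$",
    "04/16/18 09:10:52: Deferring password change for computerA$",
    "04/16/18 09:15:00: Deferring password change for ghostuser",
};

int main() {
    for (const auto& n : names_to_sync({L"userA", L"computerA$", L"DOMAIN$", L"us$er"}))
        std::wcout << L"would sync: " << n << L'\n';
    std::cout << "deferred for computer accounts: "
              << deferred_computer_accounts(kSampleLog) << " of "
              << deferred_accounts(kSampleLog).size() << '\n';
    return 0;
}
```

Only a trailing '$' is treated as a computer account; a '$' in the middle of a name is left alone, and a deferred entry that is not a computer account (the constructed "ghostuser" line) still shows up, which is the case worth looking at in the log.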