We run almost the exact same setup... which is sufficient, but not as
great as it could be (basically the password-changing issues you've
noted). We've also noticed that a single bad login attempt gets counted
multiple times on the IPA server, so you can get locked accounts quicker
than expected.
There was a guy on the list that had what sounded like a very promising
alternative to this that did some ldap db modifications but I tried so
many times to do it and could never get it to work :( The link is:
https://www.redhat.com/archives/freeipa-users/2016-February/msg00059.html
There is some good information, but I could just never get it to
work... Would love it if someone would step through that one in a little more
detail.
Also, as an aside... If you changed your password via the FreeIPA GUI (or
from another Linux machine) you can update the FileVault password by
issuing a "sudo" command... I usually just do "sudo -l" and then you're
good. Not sure why, but we found that out over the years.
Also we edit a few other PAM files: screensaver (so when you unlock you
get a new ticket) and passwd (I think so you can change from the cmd line,
although not 100% sure that works):
cat > /etc/pam.d/screensaver << 'EOF'
# First pam_krb5 line only seeds the credential cache via kcminit; its result is ignored
auth optional pam_krb5.so use_first_pass use_kcminit default_principal
# Second pam_krb5 line does the actual Kerberos auth; success ends the auth stack
auth sufficient pam_krb5.so use_first_pass default_principal
# Fall back to local Open Directory auth if Kerberos fails
auth required pam_opendirectory.so use_first_pass nullok
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
EOF
cat > /etc/pam.d/passwd << 'EOF'
# Try the Kerberos password change first; fall back to Open Directory
password sufficient pam_krb5.so
auth required pam_permit.so
account required pam_opendirectory.so
password required pam_opendirectory.so
session required pam_permit.so
EOF
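To see how the screensaver auth stack above is evaluated, here is an added Python simulator of standard PAM control-flag semantics (optional/sufficient/required/requisite), not code from the post or from FreeIPA; that each pam_krb5 invocation with use_first_pass sends the password to the KDC as a separate attempt is an assumption stated here, not something the post confirms.

```python
# Constructed model of the /etc/pam.d/screensaver "auth" stack quoted above.
# Each entry: (control flag, module, module arguments).
SCREENSAVER_AUTH = [
    ("optional",   "pam_krb5.so",          "use_first_pass use_kcminit default_principal"),
    ("sufficient", "pam_krb5.so",          "use_first_pass default_principal"),
    ("required",   "pam_opendirectory.so", "use_first_pass nullok"),
]


def run_stack(stack, outcomes):
    """Evaluate a PAM stack with standard control-flag semantics.

    `outcomes` maps module name -> True/False (would this module succeed?).
    Returns (stack_result, calls), where `calls` is the ordered list of
    modules that were actually invoked before the stack returned.
    """
    calls = []
    required_failed = False
    for control, module, _args in stack:
        calls.append(module)
        ok = outcomes[module]
        if control == "requisite" and not ok:
            return False, calls                  # fail immediately
        if control == "required" and not ok:
            required_failed = True               # remember, but keep running
        elif control == "sufficient" and ok and not required_failed:
            return True, calls                   # success short-circuits the stack
        # "optional": result ignored (simplified: it is never the only module here)
    return not required_failed, calls


def krb5_attempts(stack, outcomes):
    """Number of pam_krb5 invocations for one unlock attempt. Assumption: each
    invocation with use_first_pass presents the same password to the KDC, so a
    wrong password is reported to the KDC (and counted by IPA) once per call."""
    _, calls = run_stack(stack, outcomes)
    return calls.count("pam_krb5.so")


if __name__ == "__main__":
    wrong = {"pam_krb5.so": False, "pam_opendirectory.so": False}
    right = {"pam_krb5.so": True, "pam_opendirectory.so": False}
    print("wrong password:", run_stack(SCREENSAVER_AUTH, wrong),
          "krb5 calls:", krb5_attempts(SCREENSAVER_AUTH, wrong))
    print("right password:", run_stack(SCREENSAVER_AUTH, right),
          "krb5 calls:", krb5_attempts(SCREENSAVER_AUTH, right))
```

With a wrong password the trace shows pam_krb5 invoked twice before the stack fails, which is one candidate explanation for a single bad unlock being counted more than once on the IPA side.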
On 06/14/2017 12:02 PM, Jason Sherrill via FreeIPA-users wrote:
Hello All,
I have recently submitted a How/To
<https://www.freeipa.org/page/HowTo/Setup_FreeIPA_Services_for_Mac_OS_X_10...>
for FreeIPA. I'd very much appreciate any feedback or editing on it; I
don't want to link to it without a review. Thanks!
--
*Jason Sherrill*
Deeplocal Inc. <http://deeplocal.com/>
mobile: 412-636-2073
office: 412-362-0201
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org