Doing this is strongly discouraged to the n'th degree. Rather than
exposing the password hashes you should try to convert any applications
that rely on password hashes to using something that will authenticate
with IPA instead (pam, LDAP, gssapi, etc).

rob

Jim Kinney via FreeIPA-users wrote:
> Ah!! Much appreciated pointer. Will set up a test. Thanks!
> 
> On March 22, 2022 7:29:34 PM EDT, Yehuda Katz <[email protected]> wrote:
> 
>     I don't think we created this ourselves, but it isn't too difficult
>     to create if needed - we use this to expose the password hashes to
>     radius. Create or look for a "Read User Password" Permission in RBAC
>     in the web interface or command line. Create a role with that
>     permission for your service account and assign that role to your
>     service user.
> 
>     - Y
> 
>     Sent from a device with a very small keyboard and hyperactive
>     autocorrect.
> 
>     On Tue, Mar 22, 2022, 7:17 PM Jim Kinney via FreeIPA-users
>     <[email protected]
>     <mailto:[email protected]>> wrote:
> 
>         I have the system set to use CRYPT-SHA512 as the password store
>         method. For antiquated reasons I need to generate a shadow file
>         from data stored in freeipa.
>         I would greatly prefer to not have to use the cn=Directory
>         Manager and use a different binddn. But it seems only the DM has
>         the ability to actually retrieve userpasswd.
> 
>         The pain point is the password entry. -y file doesn't work -
>         ldap-bind: Invalid credentials (49). The stored password is
>         correct and perms are 0600 and in /root. The DM is not in the
>         kerberos database so I can't use a keytab and -YGSSAPI. The only
>         method that works is the password entered on the cli.
>         Ugh. That is unpleasant.
> 
>         This needs to run on a systemd timer to autogenerate the shadow
>         file (and passwd and group files but those are easy) for a few
>         thousand nodes that can't fail due to a network outage with
>         freeipa (IdM actually). This is to handle user password changes
>         and group membership changes in an HPC environment. I can dump
>         in the passwd with expect. Just wondering if there's a way to
>         set up a special password hash reading account with a keytab and
>         not use the Directory Manager and password.
>         -- 
>         Computers amplify human error
>         Super computers are really cool
>         _______________________________________________
>         FreeIPA-users mailing list --
>         [email protected]
>         <mailto:[email protected]>
>         To unsubscribe send an email to
>         [email protected]
>         <mailto:[email protected]>
>         Fedora Code of Conduct:
>         https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>         List Guidelines:
>         https://fedoraproject.org/wiki/Mailing_list_guidelines
>         List Archives:
>         https://lists.fedorahosted.org/archives/list/[email protected]
>         Do not reply to spam on the list, report it:
>         https://pagure.io/fedora-infrastructure
> 
> 
> -- 
> Computers amplify human error
> Super computers are really cool
> 
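Added example, not code from this thread or from FreeIPA: a script that turns an `ldapsearch -LLL` LDIF export of uid, userPassword and krbLastPwdChange into shadow lines, assuming the export was taken under a dedicated read-only role bound via keytab (not cn=Directory Manager) as suggested above. The sample LDIF and names are constructed; accounts whose hash is not a {CRYPT} modular-crypt string get a locked field, and the output file is created with mode 0600.

```python
import base64
import os
from datetime import datetime, timezone

# Constructed sample of an `ldapsearch -LLL` export, not real data; the base64
# value decodes to "{CRYPT}$6$saltsalt$abcdef", the form 389-ds stores for CRYPT-SHA512.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword:: e0NSWVBUfSQ2JHNhbHRzYWx0JGFiY2RlZg==
krbLastPwdChange: 20220322232934Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
userPassword: {SSHA}notacrypthash
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds continuation lines and decodes '::' base64."""
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold, then flush at end
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            if val.startswith(":"):                    # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode()
            cur.setdefault(attr, []).append(val.strip())
    return entries

def shadow_line(entry):
    """Only {CRYPT} modular-crypt hashes are usable by crypt(3); any other
    scheme yields '!' so the account exists but has no usable password."""
    pw = entry.get("userPassword", [""])[0]
    field = pw[7:] if pw.startswith("{CRYPT}$") else "!"
    last = entry.get("krbLastPwdChange", [""])[0]
    days = ""
    if last:                                           # lastchg = days since the epoch
        ts = datetime.strptime(last, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        days = int(ts.timestamp()) // 86400
    return f"{entry['uid'][0]}:{field}:{days}:0:99999:7:::"

def write_shadow(path, ldif_text):
    """Create the file 0600 from the start so hashes are never world-readable."""
    lines = [shadow_line(e) for e in parse_ldif(ldif_text)]
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write("\n".join(lines) + "\n")
    return lines
```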
