I lost that argument. Certain account jobs must run, no exceptions. Working to
just put those accounts hard-coded in local files and have human-launched jobs
rely on the sssd cache from IdM. No one else has used it before and so it's an
unknown thing. There's actually no application that uses password logins.
Access is all authenticated with ssh keys.
sigh
On March 22, 2022 10:21:38 PM EDT, Rob Crittenden <[email protected]> wrote:
>Doing this is strongly discouraged to the n'th degree. Rather than
>exposing the password hashes you should try to convert any applications
>that rely on password hashes to using something that will authenticate
>with IPA instead (pam, LDAP, gssapi, etc).
>
>rob
>
>Jim Kinney via FreeIPA-users wrote:
>> Ah!! Much appreciated pointer. Will set up a test. Thanks!
>>
>> On March 22, 2022 7:29:34 PM EDT, Yehuda Katz <[email protected]> wrote:
>>
>> I don't think we created this ourselves, but it isn't too difficult
>> to create if needed - we use this to expose the password hashes to
>> radius. Create or look for a "Read User Password" Permission in RBAC
>> in the web interface or command line. Create a role with that
>> permission for your service account and assign that role to your
>> service user.
>>
>> - Y
>>
>> Sent from a device with a very small keyboard and hyperactive
>> autocorrect.
>>
>> On Tue, Mar 22, 2022, 7:17 PM Jim Kinney via FreeIPA-users
>> <[email protected]> wrote:
>>
>> I have the system set to use CRYPT-SHA512 as password store
>> method. For antiquated reasons I need to generate a shadow file
>> from data stored in freeipa.
>> I would greatly prefer to not have to use the cn=Directory
>> Manager and use a different binddn. But it seems only the DM has
>> the ability to actually retrieve userpasswd.
>>
>> The pain point is the password entry. -y file doesn't work -
>> ldap-bind: Invalid credentials (49). The stored password is
>> correct and perms are 0600 and in /root. The DM is not in the
>> kerberos database so I can't use a keytab and -YGSSAPI. The only
>> method that works is the password entered on the cli.
>> Ugh. That is unpleasant.
>>
>> This needs to run on a systemd timer to autogenerate the shadow
>> file (and passwd and group files but those are easy) for a few
>> thousand nodes that can't fail due to a network outage with
>> freeipa (IdM actually). This is to handle user password changes
>> and group membership changes in an HPC environment. I can dump
>> in the passwd with expect. Just wondering if there's a way to
>> set up a special password hash reading account with a keytab and
>> not use the Directory Manager and password.
>> --
>> Computers amplify human error
>> Super computers are really cool
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>
>>
>> --
>> Computers amplify human error
>> Super computers are really cool
>>
--
Computers amplify human error
Super computers are really cool
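The approach suggested in this thread (a dedicated service user holding an RBAC permission to read userPassword, authenticated with a keytab instead of the Directory Manager password, feeding a timer-driven shadow export), worked through as an added example. This is not code from the thread or from FreeIPA itself: the service user name "shadowgen", the keytab path, realm, server, base DN and the privilege/role names are assumptions, and whether a "Read User Password" permission already exists should be checked in the deployment (ipa permission-find) before creating one. Because a systemd timer cannot type a password, the live part uses kinit with a keytab and ldapsearch -Y GSSAPI; the parsing part runs offline against a constructed LDIF sample so it can be tested without an IdM server. On the -y failure in the first message: ldapsearch -y passes the complete contents of the file as the password, so a trailing newline left in the file by an editor is enough to get error 49.

```shell
#!/bin/sh
# Added example, not code from the thread. Exports shadow(5) lines from
# FreeIPA/IdM using a service user plus keytab instead of cn=Directory Manager.
# Assumed (hypothetical) names: service user "shadowgen", keytab
# /etc/shadowgen.keytab, realm EXAMPLE.COM, server ipa.example.com,
# base dc=example,dc=com, permission "Read User Password".
set -eu

# One-time setup, run once by an IdM admin (not run by this script). In IPA a
# permission is attached to a privilege, the privilege to a role, and the role
# to the service user; the keytab is then retrieved for that user.
#   ipa permission-add "Read User Password" --right=read --type=user --attrs=userpassword
#   ipa privilege-add "Shadow export"
#   ipa privilege-add-permission "Shadow export" --permissions="Read User Password"
#   ipa role-add "Shadow exporter"
#   ipa role-add-privilege "Shadow exporter" --privileges="Shadow export"
#   ipa role-add-member "Shadow exporter" --users=shadowgen
#   ipa-getkeytab -p shadowgen@EXAMPLE.COM -k /etc/shadowgen.keytab  # replaces the user's key
#   chmod 0600 /etc/shadowgen.keytab

# Live query (needs the keytab and network): authenticate as the service user
# and read only the attributes the shadow file needs. -Q keeps SASL chatter off
# stderr; the nsAccountLock clause leaves IdM-disabled users out.
fetch_ldif() {
    kinit -kt /etc/shadowgen.keytab shadowgen@EXAMPLE.COM &&
    ldapsearch -LLL -Q -Y GSSAPI -H ldaps://ipa.example.com \
        -b cn=users,cn=accounts,dc=example,dc=com \
        '(&(objectClass=posixAccount)(!(nsAccountLock=TRUE)))' \
        uid userPassword krbLastPwdChange
}

# Constructed sample of what fetch_ldif returns, so the parser runs offline:
# a base64 value folded over two lines, a plain value with no krbLastPwdChange,
# and a non-crypt hash that must never reach /etc/shadow.
sample_ldif() {
    b64=$(printf '%s' '{CRYPT}$6$saltsalt$hashhash' | base64)
    printf '%s\n' \
        'dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com' \
        'uid: alice' \
        "userPassword:: $(printf '%s' "$b64" | cut -c1-20)" \
        " $(printf '%s' "$b64" | cut -c21-)" \
        'krbLastPwdChange: 20220301120000Z' \
        '' \
        'dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com' \
        'uid: bob' \
        'userPassword: {CRYPT}$6$abc$def' \
        '' \
        'dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com' \
        'uid: carol' \
        'userPassword: {SSHA512}bm90LWEtY3J5cHQtaGFzaA==' \
        'krbLastPwdChange: 20220301120000Z'
}

# Days since 1970-01-01 for a generalized-time value (YYYYMMDDhhmmssZ): the
# shadow "last change" field. Integer arithmetic only, no GNU date needed.
days_since_epoch() {
    y=$(printf '%s' "$1" | cut -c1-4)
    m=$(printf '%s' "$1" | cut -c5-6); m=${m#0}   # "08" would be read as octal
    d=$(printf '%s' "$1" | cut -c7-8); d=${d#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mm=$((m - 3)); else mm=$((m + 9)); fi
    doy=$(((153 * mm + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# One shadow(5) line. Only {CRYPT} values are usable there; any other storage
# scheme, or no value at all, becomes a locked field instead of garbage.
shadow_entry() {
    uid=$1; hash=$2; changed=$3; last=''
    [ -n "$uid" ] || return 0
    case "$hash" in
        '{CRYPT}'*) hash=${hash#"{CRYPT}"} ;;
        *) echo "shadowgen: $uid: no CRYPT hash readable, locking entry" >&2
           hash='!' ;;
    esac
    if [ -n "$changed" ]; then last=$(days_since_epoch "$changed"); fi
    printf '%s:%s:%s:0:99999:7:::\n' "$uid" "$hash" "$last"
}

# LDIF on stdin -> shadow lines on stdout: unfold continuation lines, decode
# "attr::" base64 values, emit one line per entry.
ldif_to_shadow() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { print "" } { printf "%s", $0 } END { print "" }' |
    {
        uid=''; pw=''; changed=''
        while IFS= read -r line; do
            if [ -z "$line" ]; then
                shadow_entry "$uid" "$pw" "$changed"
                uid=''; pw=''; changed=''
                continue
            fi
            key=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
            val=${line#*:}
            case "$val" in
                :*) val=$(printf '%s' "${val#:}" | tr -d ' ' | base64 -d) ;;
                *)  val=${val# } ;;
            esac
            case "$key" in
                uid)              uid=$val ;;
                userpassword)     pw=$val ;;
                krblastpwdchange) changed=$val ;;
            esac
        done
        shadow_entry "$uid" "$pw" "$changed"
    }
}

# Timer entry point: abort and keep the previous file if IdM is unreachable or
# returns nothing, write to a temp file and rename so readers never see a
# half-written file, then set the usual 0000 mode.
run_export() {
    out=${1:-/var/lib/shadowgen/shadow}
    tmp="$out.tmp.$$"; ldif="$tmp.ldif"
    umask 077
    if ! fetch_ldif > "$ldif" || [ ! -s "$ldif" ]; then
        echo "shadowgen: IdM query failed, keeping previous $out" >&2
        rm -f "$ldif"; return 1
    fi
    ldif_to_shadow < "$ldif" > "$tmp"
    rm -f "$ldif"
    chmod 0000 "$tmp"
    mv -f "$tmp" "$out"
}

if [ "${1:-}" = --run ]; then run_export "${2:-}"; fi
```

With CRYPT-SHA512 as the storage scheme IdM writes userPassword as {CRYPT}$6$..., which the script strips to the bare $6$ string that crypt(3) expects; users whose value has any other prefix are written locked ("!") rather than with a hash that would never verify. The export refuses to replace the previous file when kinit or ldapsearch fail or return an empty result, which is exactly the network-outage case the thread wants the nodes to survive. Treat the keytab as equivalent to every user's password hash: 0600 root on the single host that runs the timer, and the role's membership audited.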