On Sat, 2022-07-16 at 15:03 +0100, Sam Morris via FreeIPA-users wrote: > On 16/07/2022 11:09, Harald Dunkel via FreeIPA-users wrote: > > I've got a few colleagues running Debian 10 or 11 on a laptop. > > Their accountis managed by FreeIPA in the office. On first-time > > login their laptop iswired to the office lan. > > When they are in home office they have a VPN connection (IPsec, > > wireguardor openvpn) to the office, but since both wlan and VPN are > > usually activatedby Network Manager *after* login time I wonder > > what needs to be done toupdate the login information cached by > > sssd, esp if the user has changed hislogin password in the FreeIPA > > web interface? > > By now I tried > > kinit username sss_cache -E service restart sssd > > This did not help. kinit accepts the new password, of course, but > > it doesn'tupdate the cache, nor do the others. > > kinit is a standalone program that doesn't do anything with the > password other than use it to get a TGT from the KDC, so running it > won't updated sssd's cached password. > You need to perform a login via PAM (e.g., have the user lock & > unlock their session, or run 'sudo -k && sudo -l'); sssd will cache > the user's password after it gets a TGT on behalf of the user. > The user experience for this is not ideal (it's something my > orgnaization suffers from as well). My two ideas for how to improve > it are: > * A VPN that connects on boot, using the host's identity > instead of the user (ideally combined with some clever Enterprise > networking solution that puts the client into a separate network > where it can do very little other than reach your KDCs until the > user has authenticated) * Make the KDC service accessible to the > Internet via ms-kkdcp, which is supported by FreeIPA, but I think > you have to make some changes to kdc.conf on the clients as well > -- Sam Morris <https://robots.org.uk/>PGP: rsa4096/CAAA AA1A CA69 > A83A 892B 1855 D20B 4202 5CDA > 27B9_______________________________________________FreeIPA-users > mailing list -- [email protected] > To unsubscribe send an email to > [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure Hi All,
We do the following however we don't distinguish "local" networks as most people work remotely All users connect via IPSEC using libreswan which starts on boot using RSA keys We join the workstation to the realm once the link is up. All traffic is sent via the IPSEC link. KDCs are only available via ipsec. DNS servers are hardcoded freeipa ones and reachable via the internet and ipsec (otherwise there are issues with DHCP overwriting resolv.conf) NFS shares are mediated by freeipa and automounted. (We tried NFS homes but firefox and chrome hit the local drive too much and it was too much work to change) Drives are encrypted with LUKS
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
