On 2022-07-16 16:03:15, Sam Morris via FreeIPA-users wrote:
> The user experience for this is not ideal (it's something my
> organization suffers from as well). My two ideas for how to improve it are:
> * A VPN that connects on boot, using the host's identity instead
> of the user (ideally combined with some clever Enterprise networking
> solution that puts the client into a separate network where it can
> do very little other than reach your KDCs until the user has
> authenticated)
> * Make the KDC service accessible to the Internet via ms-kkdcp, which
> is supported by FreeIPA, but I think you have to make some changes
> to kdc.conf on the clients as well
I found a workaround using xscreensaver:
* establish the VPN connection to the office network, including the
FreeIPA server
* use xscreensaver-demo to lock the screen now
* unlock the screensaver using the new password. This seems to
update the local cached entry as well.
* use seahorse to change the passphrase of your login keyring
accordingly
Worked for me.
Regards
Harri
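For readers who want to see what "accessible via ms-kkdcp" actually puts on the wire, here is an added example (mine, not from the thread, FreeIPA or MIT krb5) that implements the MS-KKDCP message framing in plain Python: the client wraps a Kerberos message (AS-REQ, TGS-REQ or a kpasswd request) in a DER-encoded KDC-PROXY-MESSAGE and POSTs it to the proxy over HTTPS; the proxy unwraps it, forwards it to a real KDC over TCP, and wraps the reply the same way. The Kerberos message inside is carried exactly as it would be sent over TCP, i.e. with a 4-byte big-endian length prefix, and a careful proxy checks that this prefix matches the bytes it actually received before forwarding anything. The sample messages are constructed stand-ins, not real AS-REQs; the hostname in the usage note is an example.

```python
"""
MS-KKDCP (Kerberos KDC Proxy) message framing, as an added example.

    KDC-PROXY-MESSAGE ::= SEQUENCE {
        kerb-message   [0] OCTET STRING,
        target-domain  [1] KerberosString OPTIONAL,
        dclocator-hint [2] INTEGER OPTIONAL
    }

The DER body is sent as an HTTP POST with Content-Type application/kerberos.
"""
import struct
from typing import Optional, Tuple


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _ctx(num: int, inner: bytes) -> bytes:
    """Explicit context-specific constructed tag [num] around one inner TLV."""
    return _tlv(0xA0 | num, inner)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER body runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def wrap_kdc_message(kerb_msg: bytes, target_domain: Optional[str] = None,
                     dclocator_hint: Optional[int] = None) -> bytes:
    """Client side: build the KDC-PROXY-MESSAGE carrying kerb_msg."""
    tcp_framed = struct.pack(">I", len(kerb_msg)) + kerb_msg  # TCP-style length prefix
    body = _ctx(0, _tlv(0x04, tcp_framed))                     # [0] OCTET STRING
    if target_domain is not None:
        body += _ctx(1, _tlv(0x1B, target_domain.encode("utf-8")))  # [1] GeneralString
    if dclocator_hint is not None:
        if dclocator_hint < 0:
            raise ValueError("dclocator-hint must be non-negative")
        n = dclocator_hint
        body += _ctx(2, _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big")))
    return _tlv(0x30, body)                                    # SEQUENCE


def unwrap_kdc_message(der: bytes) -> Tuple[bytes, Optional[str], Optional[int]]:
    """Proxy side: validate the envelope and return (kerb_msg, target, hint).

    Raises ValueError on malformed input, including a length prefix that
    disagrees with the octet string, so nothing inconsistent is forwarded.
    """
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single KDC-PROXY-MESSAGE SEQUENCE")
    kerb_msg, target, hint = None, None, None
    pos = 0
    while pos < len(seq):
        ctag, cbody, pos = _read_tlv(seq, pos)
        itag, ibody, iend = _read_tlv(cbody, 0)
        if iend != len(cbody):
            raise ValueError("trailing data inside context tag")
        if ctag == 0xA0 and itag == 0x04:
            if len(ibody) < 4:
                raise ValueError("kerb-message shorter than its length prefix")
            (declared,) = struct.unpack(">I", ibody[:4])
            if declared != len(ibody) - 4:
                raise ValueError("length prefix %d != %d payload bytes" % (declared, len(ibody) - 4))
            kerb_msg = ibody[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            target = ibody.decode("utf-8")
        elif ctag == 0xA2 and itag == 0x02:
            hint = int.from_bytes(ibody, "big", signed=True)
        else:
            raise ValueError("unexpected element 0x%02x/0x%02x" % (ctag, itag))
    if kerb_msg is None:
        raise ValueError("kerb-message is mandatory")
    return kerb_msg, target, hint


def is_well_formed(der: bytes) -> bool:
    """True if the proxy would accept this envelope, False otherwise."""
    try:
        unwrap_kdc_message(der)
        return True
    except ValueError:
        return False
```

On the client side this framing is what MIT krb5 does for you once a realm's KDC is given as an HTTPS URL in krb5.conf, for example `kdc = https://ipa.example.com/KdcProxy` (FreeIPA serves its proxy under /KdcProxy; the hostname here is an example); the proxy's TLS certificate must be trusted by the client, which is the part that usually needs attention when the IPA CA is not already in the client's trust store.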