On 16/07/2022 11:09, Harald Dunkel via FreeIPA-users wrote:
> I've got a few colleagues running Debian 10 or 11 on a laptop.
> Their account is managed by FreeIPA in the office. On first-time
> login their laptop is wired to the office LAN.
> When they are in home office they have a VPN connection (IPsec,
> wireguard or openvpn) to the office, but since both wlan and VPN are
> usually activated by Network Manager *after* login time I wonder
> what needs to be done to update the login information cached by
> sssd, esp. if the user has changed his login password in the FreeIPA
> web interface?
> By now I tried
>
>     kinit username
>     sss_cache -E
>     service restart sssd
>
> This did not help. kinit accepts the new password, of course, but
> it doesn't update the cache, nor do the others.
kinit is a standalone program that doesn't do anything with the
password other than use it to get a TGT from the KDC, so running it
won't update sssd's cached password.

You need to perform a login via PAM (e.g., have the user lock &
unlock their session, or run 'sudo -k && sudo -l'); sssd will cache
the user's password after it gets a TGT on behalf of the user.

The user experience for this is not ideal (it's something my
organization suffers from as well). My two ideas for how to improve
it are:

* A VPN that connects on boot, using the host's identity
  instead of the user (ideally combined with some clever Enterprise
  networking solution that puts the client into a separate network
  where it can do very little other than reach your KDCs until the
  user has authenticated)
* Make the KDC service accessible to the
  Internet via ms-kkdcp, which is supported by FreeIPA, but I think
  you have to make some changes to kdc.conf on the clients as well
-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
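Added example, not from the thread and not sssd's or FreeIPA's own code: a small POSIX shell script that audits an sssd.conf for the two options that decide how a roaming laptop behaves when the KDC is only reachable after login. 'cache_credentials' is what allows the offline login at all; 'krb5_store_password_if_offline' (documented in sssd.conf(5)) makes sssd keep the password from an offline login and request the TGT itself once the VPN comes up, which is the automatic counterpart of the manual 'sudo -k && sudo -l' refresh from the reply above. The embedded config is a constructed sample standing in for /etc/sssd/sssd.conf, the domain name is made up, and the function names (get_option, is_true, missing_options, audit_conf, pam_refresh) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check an sssd.conf for the two
# settings that decide how a roaming laptop behaves when the KDC is
# only reachable after login, then show the PAM-mediated refresh step.
# Assumptions: the constructed config below stands in for
# /etc/sssd/sssd.conf; option names are the ones from sssd.conf(5).

# Constructed sample config; the second option is deliberately off.
SAMPLE_CONF='[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = False
'

# get_option CONF KEY: print the value of "KEY = value" (key match is
# case-insensitive, surrounding whitespace trimmed); empty if unset.
get_option() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
        }
        tolower(k) == tolower(key) {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }'
}

# is_true VALUE: succeed for the boolean spellings sssd accepts.
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true|yes|1) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_options CONF: print, one per line, each roaming-relevant
# option that is not enabled.
#   cache_credentials              - allows login at all while offline
#   krb5_store_password_if_offline - keeps the password so sssd can
#                                    fetch a TGT itself once the VPN is up
missing_options() {
    for opt in cache_credentials krb5_store_password_if_offline; do
        is_true "$(get_option "$1" "$opt")" || printf '%s\n' "$opt"
    done
}

# audit_conf CONF: human-readable report of the findings; always returns 0.
audit_conf() {
    missing=$(missing_options "$1")
    if [ -z "$missing" ]; then
        echo "ok: offline login and automatic TGT refresh are both enabled"
    else
        for opt in $missing; do
            echo "warn: $opt is not enabled (value: '$(get_option "$1" "$opt")')"
        done
    fi
    return 0
}

# pam_refresh: the manual refresh from the reply. sudo re-authenticates
# through PAM, so pam_sss obtains a fresh TGT and sssd updates its cached
# password; klist -s then exits 0 only if a valid ticket is present
# (assumes sssd stores the TGT in the user's default ccache). It is
# interactive, so it is only defined here and not called below.
pam_refresh() {
    sudo -k && sudo -l >/dev/null && klist -s
}

audit_conf "$SAMPLE_CONF"
```

For the sample the report is a single warn line about krb5_store_password_if_offline. On a real laptop pass the contents of /etc/sssd/sssd.conf (root-readable) to audit_conf, and after the VPN is up run pam_refresh as the user whose password changed; the exit status tells you whether the cache refresh actually produced a ticket.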

Hi All,
We do the following however we don't distinguish "local" networks as
most people work remotely
All users connect via IPSEC using libreswan which starts on boot using
RSA keys
We join the workstation to the realm once the link is up.
All traffic is sent via the IPSEC link. KDCs are only available via
ipsec.
DNS servers are hardcoded freeipa ones and reachable via the internet
and ipsec (otherwise there are issues with DHCP overwriting
resolv.conf)
NFS shares are mediated by freeipa and automounted. (We tried NFS homes
but firefox and chrome hit the local drive too much and it was too much
work to change)
Drives are encrypted with LUKS