On Sat, 2022-07-16 at 15:03 +0100, Sam Morris via FreeIPA-users wrote:

On 16/07/2022 11:09, Harald Dunkel via FreeIPA-users wrote:

I've got a few colleagues running Debian 10 or 11 on a laptop. Their

account

is managed by FreeIPA in the office. On first-time login their laptop is

wired to the office lan.

When they are in home office they have a VPN connection (IPsec, wireguard

or openvpn) to the office, but since both wlan and VPN are usually

activated

by Network Manager *after* login time I wonder what needs to be done to

update the login information cached by sssd, esp if the user has changed

his

login password in the FreeIPA web interface?

By now I tried

     kinit username

     sss_cache -E

     service restart sssd

This did not help. kinit accepts the new password, of course, but it

doesn't

update the cache, nor do the others.

kinit is a standalone program that doesn't do anything with the password

other than use it to get a TGT from the KDC, so running it won't updated

sssd's cached password.

You need to perform a login via PAM (e.g., have the user lock & unlock

their session, or run 'sudo -k && sudo -l'); sssd will cache the user's

password after it gets a TGT on behalf of the user.

The user experience for this is not ideal (it's something my

orgnaization suffers from as well). My two ideas for how to improve it are:

  * A VPN that connects on boot, using the host's identity instead

    of the user (ideally combined with some clever Enterprise networking

    solution that puts the client into a separate network where it can

    do very little other than reach your KDCs until the user has

    authenticated)

  * Make the KDC service accessible to the Internet via ms-kkdcp, which

    is supported by FreeIPA, but I think you have to make some changes

    to kdc.conf on the clients as well

--

Sam Morris <

https://robots.org.uk/

PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9

_______________________________________________

FreeIPA-users mailing list --

freeipa-users@lists.fedorahosted.org

To unsubscribe send an email to

freeipa-users-leave@lists.fedorahosted.org

Fedora Code of Conduct:

https://docs.fedoraproject.org/en-US/project/code-of-conduct/

List Guidelines:

https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives:

https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Do not reply to spam on the list, report it:

https://pagure.io/fedora-infrastructure

Hi All,

We do the following however we don't distinguish "local" networks as most people work remotely

All users connect via IPSEC using libreswan which starts on boot using RSA keys

We join the workstation to the realm once the link is up.

All traffic is sent via the IPSEC link. KDCs are only available via ipsec.

DNS servers are hardcoded freeipa ones and reachable via the internet and ipsec (otherwise there are issues with DHCP overwriting resolv.conf)

NFS shares are mediated by freeipa and automounted. (We tried NFS homes but firefox and chrome hit the local drive too much and it was too much work to change)

Drives are encrypted with LUKS