On 16/07/2022 11:09, Harald Dunkel via FreeIPA-users wrote:
I've got a few colleagues running Debian 10 or 11 on a laptop. Their
account
is managed by FreeIPA in the office. On first-time login their laptop is
wired to the office lan.
When they are in home office they have a VPN connection (IPsec, wireguard
or openvpn) to the office, but since both wlan and VPN are usually
activated
by Network Manager *after* login time I wonder what needs to be done to
update the login information cached by sssd, esp if the user has changed
his
login password in the FreeIPA web interface?
By now I tried
kinit username
sss_cache -E
service restart sssd
This did not help. kinit accepts the new password, of course, but it
doesn't
update the cache, nor do the others.
kinit is a standalone program that doesn't do anything with the password
other than use it to get a TGT from the KDC, so running it won't updated
sssd's cached password.
You need to perform a login via PAM (e.g., have the user lock & unlock
their session, or run 'sudo -k && sudo -l'); sssd will cache the user's
password after it gets a TGT on behalf of the user.
The user experience for this is not ideal (it's something my
orgnaization suffers from as well). My two ideas for how to improve it are:
* A VPN that connects on boot, using the host's identity instead
of the user (ideally combined with some clever Enterprise networking
solution that puts the client into a separate network where it can
do very little other than reach your KDCs until the user has
authenticated)
* Make the KDC service accessible to the Internet via ms-kkdcp, which
is supported by FreeIPA, but I think you have to make some changes
to kdc.conf on the clients as well
--
Sam Morris <
https://robots.org.uk/
>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
We do the following however we don't distinguish "local" networks as most people work remotely
We join the workstation to the realm once the link is up.
All traffic is sent via the IPSEC link. KDCs are only available via ipsec.
DNS servers are hardcoded freeipa ones and reachable via the internet and ipsec (otherwise there are issues with DHCP overwriting resolv.conf)
NFS shares are mediated by freeipa and automounted. (We tried NFS homes but firefox and chrome hit the local drive too much and it was too much work to change)