I lost that argument. Certain account jobs must run, no exceptions. Working to just put those accounts hard-coded in local files and have human-launched jobs rely on the sssd cache from IdM. No one else has used it before and so it's an unknown thing. There's actually no application that uses password logins. Access is all authenticated with ssh keys.

sigh
On March 22, 2022 10:21:38 PM EDT, Rob Crittenden <rcritten(a)redhat.com> wrote:

Doing this is strongly discouraged to the n'th degree. Rather than exposing the password hashes you should try to convert any applications that rely on password hashes to using something that will authenticate with IPA instead (pam, LDAP, gssapi, etc).

rob
Jim Kinney via FreeIPA-users wrote:
> Ah!! Much appreciated pointer. Will set up a test. Thanks!
>
> On March 22, 2022 7:29:34 PM EDT, Yehuda Katz <yehuda(a)ymkatz.net> wrote:
>
> I don't think we created this ourselves, but it isn't too difficult to create if needed - we use this to expose the password hashes to radius. Create or look for a "Read User Password" Permission in RBAC in the web interface or command line. Create a role with that permission for your service account and assign that role to your service user.
>
> - Y
>
> Sent from a device with a very small keyboard and hyperactive autocorrect.
>
> On Tue, Mar 22, 2022, 7:17 PM Jim Kinney via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> I have the system set to use CRYPT-SHA512 as password store method. For antiquated reasons I need to generate a shadow file from data stored in freeipa.
> I would greatly prefer to not have to use the cn=Directory Manager and use a different binddn. But it seems only the DM has the ability to actually retrieve userpasswd.
>
> The pain point is the password entry. -y file doesn't work - ldap-bind: Invalid credentials (49). The stored password is correct and perms are 0600 and in /root. The DM is not in the kerberos database so I can't use a keytab and -YGSSAPI. The only method that works is the password entered on the cli.
> Ugh. That is unpleasant.
>
> This needs to run on a systemd timer to autogenerate the shadow file (and passwd and group files but those are easy) for a few thousand nodes that can't fail due to a network outage with freeipa (IdM actually). This is to handle user password changes and group membership changes in an HPC environment. I can dump in the passwd with expect. Just wondering if there's a way to set up a special password hash reading account with a keytab and not use the Directory Manager and password.
> --
> Computers amplify human error
> Super computers are really cool
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
>
> --
> Computers amplify human error
> Super computers are really cool
>
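The two technical points raised in the thread, Yehuda's RBAC delegation (permission, then role, then assign the service user) and Jim's wish to run the export unattended with a keytab instead of the Directory Manager password, put together in one script. This is an added example written for this page, not code from the thread or from the FreeIPA project. The account name svc-shadowgen, the permission/privilege/role names, the keytab path, example.com and the output path are all assumptions; the LDIF in sample_ldif is constructed test data.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). A dedicated service account is
# delegated read access to userPassword via IPA RBAC, authenticates with a
# keytab over GSSAPI, and the resulting LDIF is turned into shadow(5) lines.
# All names below are assumptions chosen for this example.
set -eu

SVC_USER="${SVC_USER:-svc-shadowgen}"          # assumed service account
PERM="Read User Password Hashes"               # assumed permission name
PRIV="Shadow File Generation"                  # assumed privilege name
ROLE="Shadow File Generator"                   # assumed role name
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"    # placeholder server
IPA_REALM="${IPA_REALM:-EXAMPLE.COM}"          # placeholder realm
BASEDN="${BASEDN:-dc=example,dc=com}"          # placeholder base DN
KEYTAB="${KEYTAB:-/etc/shadowgen.keytab}"      # assumed keytab path

# The delegation chain permission -> privilege -> role -> member, plus the
# keytab for the account. Printed for review, not executed. Note that
# ipa-getkeytab generates new Kerberos keys for the account.
delegation_cmds() {
  cat <<EOF
ipa permission-add "$PERM" --right=read --type=user --attrs=userpassword
ipa privilege-add "$PRIV"
ipa privilege-add-permission "$PRIV" --permissions="$PERM"
ipa role-add "$ROLE"
ipa role-add-privilege "$ROLE" --privileges="$PRIV"
ipa role-add-member "$ROLE" --users="$SVC_USER"
ipa-getkeytab -s "$IPA_SERVER" -p "$SVC_USER@$IPA_REALM" -k "$KEYTAB"
EOF
}

# Keytab-based bind: no Directory Manager password, so a systemd timer can
# run it. Only uid and userPassword are requested.
fetch_ldif() {
  kinit -kt "$KEYTAB" "$SVC_USER@$IPA_REALM"
  ldapsearch -LLL -Y GSSAPI -H "ldaps://$IPA_SERVER" \
    -b "cn=users,cn=accounts,$BASEDN" '(objectClass=posixAccount)' \
    uid userPassword
}

# One shadow(5) line: name:hash:lastchg:min:max:warn:::  Entries without a
# readable hash are skipped; an empty second field would mean "no password".
emit_shadow_line() {
  local uid="$1" hash="$2" days="$3"
  [ -n "$uid" ] && [ -n "$hash" ] || return 0
  hash="${hash#"{CRYPT}"}"          # drop the 389-ds storage-scheme prefix
  printf '%s:%s:%s:0:99999:7:::\n' "$uid" "$hash" "$days"
}

# LDIF on stdin -> shadow lines on stdout. ldapsearch emits userPassword
# base64-encoded ("userPassword:: ..."), so both encodings are accepted.
# $1 is the day count for the "last changed" field.
ldif_to_shadow() {
  local days="$1" uid='' hash='' line
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "uid: "*)           uid="${line#"uid: "}" ;;
      "userPassword:: "*) hash="$(printf '%s' "${line#"userPassword:: "}" | base64 -d)" ;;
      "userPassword: "*)  hash="${line#"userPassword: "}" ;;
      "")                 emit_shadow_line "$uid" "$hash" "$days"; uid=''; hash='' ;;
    esac
  done
  emit_shadow_line "$uid" "$hash" "$days"
}

# Root-only, atomic replace; an empty result keeps the previous file.
write_shadow() {
  local out="$1" tmp
  umask 077
  tmp="$(mktemp "$out.XXXXXX")"
  ldif_to_shadow "$(( $(date +%s) / 86400 ))" > "$tmp"
  [ -s "$tmp" ] || { rm -f "$tmp"; echo "no entries, keeping $out" >&2; return 1; }
  mv -f "$tmp" "$out"
}

# Constructed sample in ldapsearch output form (not real data): alice has a
# base64-encoded hash, bob has none and must be skipped.
sample_ldif() {
  printf 'dn: uid=alice,cn=users,cn=accounts,%s\nuid: alice\nuserPassword:: %s\n\n' \
    "$BASEDN" "$(printf '%s' '{CRYPT}$6$sa$lt' | base64 | tr -d '\n')"
  printf 'dn: uid=bob,cn=users,cn=accounts,%s\nuid: bob\n\n' "$BASEDN"
}

case "${1:-}" in
  show) delegation_cmds ;;
  demo) sample_ldif | ldif_to_shadow 19073 ;;
  run)  ldif="$(fetch_ldif)"; printf '%s\n' "$ldif" | write_shadow "${2:-/var/lib/shadowgen/shadow}" ;;
  *)    ;;   # no argument: only define the functions
esac
```

`show` prints the delegation commands for review, `demo` runs the converter on the constructed sample, and `run` does the keytab-based export. The fetch is assigned to a variable before the pipe so a failed kinit or ldapsearch aborts the script instead of handing an empty stream to write_shadow. One caveat on the `-y file` failure in the thread: ldapsearch reads the password file verbatim, so a trailing newline left by `echo` becomes part of the password and produces error 49; `printf '%s'` writes the file without one.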