Hello everybody,
I am looking for a way to have different authentication policy for a freeipa-client logout and screenlock on linux workstations.
When a user logs in I want to use my password+otp (this is working)!
When a user locks its screen I want to be able to unlock it with only the password.
When a user logs out and back in then it needs to use the password+otp again.
I am aware of the security implications for this.
How can I configure this policy?
Kind regards,
Jelle de Jong
On Mon, 18 Mar 2019, Jelle de Jong via FreeIPA-users wrote:
> Hello everybody,
> I am looking for a way to have different authentication policy for a freeipa-client logout and screenlock on linux workstations.
> When a user logs in I want to use my password+otp (this is working)!
> When a user locks its screen I want to be able to unlock it with only the password.
> When a user logs out and back in then it needs to use the password+otp again.
> I am aware of the security implications for this.
> How can I configure this policy?
I don't think there is a way to deploy such policy through SSSD at all.
Jakub, do you have an idea how to make that possible?
On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy via FreeIPA-users wrote:
> I don't think there is a way to deploy such policy through SSSD at all.
Currently this is not possible, one problem already is that gdm at login and the Gnome screen lock use the same pam service (gdm-password). So at least for the default RHEL/Fedora desktop pam_sss.so has to detect in what kind of process it is running and send this information besides the PAM service to SSSD. This might be a little bit easier if other screen savers are used but I think a solution should cover the default desktop.
The configurable prompting I'm working on (WIP design page at https://pagure.io/fork/sbose/SSSD/docs/blob/18821451b62f0f3dcc0f5822e5a38736... comments and suggestions welcome) might help a bit, but as said login and screen saver must use different PAM services to make it work.
HTH
bye, Sumit
> Jakub, do you have an idea how to make that possible?
On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:
> I don't think there is a way to deploy such policy through SSSD at all.
> Jakub, do you have an idea how to make that possible?
Currently I can't think of anything clean either. Are the lock screen and the login manager the same PAM service? If they are different, maybe some hack like letting pam_unix always read the password and then just pass it on to pam_sss would work.
But I know Sumit is working on improving the 2FA prompting lately, so maybe this will be improved in the upcoming release.
Hello everybody,
Thank you all for replying.
On 18/03/2019 20:44, Jakub Hrozek wrote:
> Currently I can't think of anything clean either. Are the lock screen and the login manager the same PAM service? If they are different, maybe some hack like letting pam_unix always read the password and then just pass it on to pam_sss would work.
> But I know Sumit is working on improving the 2FA prompting lately, so maybe this will be improved in the upcoming release.
I seem to have mate-screensaver, lightdm and xrdp-sesman.
Will that be enough to hook a custom pam rule together for mate-screensaver?
If not, is it possible to disable OTP for all the desktop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa?
Also for laptop systems in offline
disable_preauth forward_pass
Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong
Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong
Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
cat /etc/pam.d/mate-screensaver
@include common-auth
auth optional pam_gnome_keyring.so

cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config

sssd 1.16.1-1ubuntu1.1

root@workstation01:~# ls -hal /etc/pam.d/
total 136K
drwxr-xr-x 2 root root 4,0K Mar 15 11:35 .
drwxr-xr-x 161 root root 12K Mar 19 18:22 ..
-rw-r--r-- 1 root root 384 Jan 25 2018 chfn
-rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd
-rw-r--r-- 1 root root 581 Jan 25 2018 chsh
-rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account
-rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth
-rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password
-rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session
-rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive
-rw-r--r-- 1 root root 606 Nov 16 2017 cron
-rw-r--r-- 1 root root 69 Mar 27 2018 cups
-rw-r--r-- 1 root root 884 Mar 22 2018 lightdm
-rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin
-rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter
-rw-r--r-- 1 root root 4,9K Jan 25 2018 login
-rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver
-rw-r--r-- 1 root root 92 Jan 25 2018 newusers
-rw-r--r-- 1 root root 520 Apr 4 2018 other
-rw-r--r-- 1 root root 92 Jan 25 2018 passwd
-rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1
-rw-r--r-- 1 root root 168 Feb 26 2018 ppp
-rw-r--r-- 1 root root 143 Feb 14 2018 runuser
-rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l
-rw-r--r-- 1 root root 84 Nov 8 19:09 samba
-rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd
-rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils
-rw-r--r-- 1 root root 2,3K Jan 25 2018 su
-rw-r--r-- 1 root root 239 Jan 18 2018 sudo
-rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user
-rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman
Thank you in advance!
Kind regards,
Jelle de Jong
Community question, as I am trying to think of solutions and can use some advice.
On 19/03/2019 19:16, Jelle de Jong wrote:
> I seem to have mate-screensaver, lightdm and xrdp-sesman.
> Will that be enough to hook a custom pam rule together for mate-screensaver?
> If not, is it possible to disable OTP for all the desktop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa?
> Also for laptop systems in offline
> disable_preauth forward_pass
I need 2FA with SAML2 for web applications and 2FA for new logins on the linux workstations, my customer does not want to use 2FA for screenlocks....
How long and what will it take to have sssd have this possibility supported?
I need to have a different policy for screensaver or different technology stack... or different customer...
Would it be possible to have 2FA from IPA turned off for specific ipa clients (desktop workstations) while the ipa user does have OTP configured to be used by Ipsilon to provide 2FA for web application?
Otherwise would a keycloak or privacyidea solution be possible for the 2FA part with freeipa backend and ipa-client workstations but with freeipa otp turned off and have this part taken over by keycloak or privacyidea, simpleSAMLphp?
It is not clear from the keycloak documentation that if I use federated sssd the 2FA is taken from freeipa or handled by keycloak itself?
https://www.keycloak.org/docs/3.0/server_admin/topics/user-federation/sssd.h...
Thank you in advance!
Kind regards,
Jelle de Jong
Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP.
Here’s the default in password-auth and system-auth for Centos 7
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g.
auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test.
Thank you Charles,
I do not have local user accounts, will pam_unix be used then? I thought it has to go through sss.so? I will give it a try!
Kind regards,
Jelle de Jong
On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote:
> Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP.
> Here’s the default in password-auth and system-auth for Centos 7
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g.
> auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test.
Hello everybody,
I tried the below configuration, but I can still only authorize with pass+otp.
I assume pam_unix.so only works for local users? I only have sssd freeipa users. Is there a way to tell pam_sss.so to only use the password if --user-auth-type=otp is set?
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_succeed_if.so service in mate-screensaver:lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

Mar 29 13:19:01 workstation01 mate-screensaver-dialog: pam_succeed_if(mate-screensaver:auth): requirement "service in mate-screensaver:lightdm:xrdp-sesman" was met by user "jdejong"
Mar 29 13:19:49 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Mar 29 13:19:50 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Kind regards,
Jelle de Jong
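Added example, not code from the thread or from Linux-PAM: a simplified model of how an auth stack's control actions (ok, done, die, ignore, jump counts) are walked, run over the common-auth posted in the message above. The module results are assumptions: the account exists only in SSSD, pam_unix fails for it as in the 29 March log, and pam_sss accepts it only with password+OTP.

```python
"""Simplified walk of a Linux-PAM auth stack (illustrative model only)."""
import re

# Keyword controls expanded to [value=action] form, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

# The auth stack from the message above, copied from the page.
STACK = """
auth [success=2 default=ignore] pam_succeed_if.so service in mate-screensaver:lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""

LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse(text):
    """Return [(module, args, {return_value: action})] for each auth line."""
    rules = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, comments, other module types
        control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        rules.append((module, args.split(), actions))
    return rules


def run_module(module, args, ctx):
    """Assumed module results for the scenario in the thread (not real PAM calls)."""
    if module == "pam_succeed_if.so":
        if args[:2] == ["service", "in"]:
            ok = ctx["service"] in args[2].split(":")
        else:  # "uid >= N"
            ok = ctx["uid"] >= int(args[2])
        return "success" if ok else "auth_err"
    if module == "pam_localuser.so":
        return "success" if ctx["local"] else "perm_denied"
    if module == "pam_unix.so":
        return "success" if ctx["local"] else "auth_err"  # no local account to check
    if module == "pam_sss.so":
        return "success" if ctx["otp"] else "auth_err"    # OTP-only IPA user (assumed)
    if module == "pam_deny.so":
        return "auth_err"
    if module == "pam_permit.so":
        return "success"
    return "ignore"


def evaluate(rules, ctx):
    """Walk the stack; return (decision, modules actually reached)."""
    impression, status, reached = None, "perm_denied", []
    i = 0
    while i < len(rules):
        module, args, actions = rules[i]
        ret = run_module(module, args, ctx)
        reached.append(module)
        action = actions.get(ret, actions["default"])
        i += 1
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action.isdigit():
            i += int(action)  # jump: skip that many following modules
        # "ignore": the module's result does not affect the decision
    granted = impression == "positive" and status == "success"
    return ("success" if granted else "deny"), reached


def trace(service, otp):
    """SSSD-only user (uid taken from the log above) attempting `service`."""
    ctx = {"service": service, "uid": 350600026, "local": False, "otp": otp}
    return evaluate(parse(STACK), ctx)


if __name__ == "__main__":
    for service, otp in [("mate-screensaver", False), ("mate-screensaver", True), ("sshd", True)]:
        print(service, "otp" if otp else "password-only", *trace(service, otp))
```

The service test only changes the route (pam_unix is tried first for the listed services); for an SSSD-only account the decision still rests with pam_sss, which is the pam_unix failure followed by pam_sss success seen in the log.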
On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote:
Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP.
Here’s the default in password-auth and system-auth for Centos 7
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass
This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g.
auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman. auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so forward_pass
The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test.
On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello everybody,
Thank you all for replying.
On 18/03/2019 20:44, Jakub Hrozek wrote:
On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:
On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote:
Hello everybody,
I am looking for a way to have different authentication policy for a freeia-client logout and screenlock on linux workstations.
When a user logs in I want to use my password+otp (this is working)!
When a user locks it screen I want to be able unlock it with only the password.
When a user logs out and back in then it needs to use the password+otp again.
I am aware of the security implications for this.
How can I configure this policy?
I don't think there is a way to deploy such policy through SSSD at all.
Jakub, do you have an idea how to make that possible?
Currently I can't think of anything clean either. Is the lock screen and the login manager the same PAM service? If they are different, maybe some hack like letting pam_unix to always read the password and then just pass it on to pam_sss would work.. But I know Sumit is working on improving the 2FA prompting lately, so maybe this will be improved in the upcoming release.
I seem to have mate-screensaver, lightdm and xrdp-sesman.
Will that be enough to hook a custom pam rule together for mate-screensaver?
If not is it possible to disable OTP for all the destkop systems in sssd.conf? and have it still working for all other systems with --user-auth-type=otp as only enabled option in freeipa?
Also for laptop systems in offline
disable_preauth forward_pass
Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong
Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong
Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
cat /etc/pam.d/mate-screensaver
@include common-auth
auth optional pam_gnome_keyring.so

cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config
sssd 1.16.1-1ubuntu1.1
root@workstation01:~# ls -hal /etc/pam.d/
total 136K
drwxr-xr-x 2 root root 4,0K Mar 15 11:35 .
drwxr-xr-x 161 root root 12K Mar 19 18:22 ..
-rw-r--r-- 1 root root 384 Jan 25 2018 chfn
-rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd
-rw-r--r-- 1 root root 581 Jan 25 2018 chsh
-rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account
-rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth
-rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password
-rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session
-rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive
-rw-r--r-- 1 root root 606 Nov 16 2017 cron
-rw-r--r-- 1 root root 69 Mar 27 2018 cups
-rw-r--r-- 1 root root 884 Mar 22 2018 lightdm
-rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin
-rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter
-rw-r--r-- 1 root root 4,9K Jan 25 2018 login
-rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver
-rw-r--r-- 1 root root 92 Jan 25 2018 newusers
-rw-r--r-- 1 root root 520 Apr 4 2018 other
-rw-r--r-- 1 root root 92 Jan 25 2018 passwd
-rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1
-rw-r--r-- 1 root root 168 Feb 26 2018 ppp
-rw-r--r-- 1 root root 143 Feb 14 2018 runuser
-rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l
-rw-r--r-- 1 root root 84 Nov 8 19:09 samba
-rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd
-rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils
-rw-r--r-- 1 root root 2,3K Jan 25 2018 su
-rw-r--r-- 1 root root 239 Jan 18 2018 sudo
-rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user
-rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman
Thank you in advance!
Kind regards,
Jelle de Jong
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
The purpose of suggesting pam_unix was to get a single prompt. I didn’t expect pam_unix to actually authenticate your users.
I thought you had an issue with OTPs. In the newest RH/Centos, the normal pam file will prompt separately for password and OTP token. That’s fine if it’s ssh, but many web apps don’t have the ability to prompt separately, and thus will fail.
If you set up pam to use pam_unix all the time you’ll get a single prompt, which will expect password and OTP key to be on the same line. That will work with web apps. Obviously pam_unix won’t understand those passwords, but it will save the password on the stack, and pam_sss will use it.
On Mar 29, 2019, at 8:28 AM, Jelle de Jong via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello everybody,
I tried the below configuration, but I can still only authorize with pass+otp.
I assume pam_unix.so only works for local users? I only have sssd freeipa users. Is there a way to tell pam_sss.so to only use the password if --user-auth-type=otp is set?
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_succeed_if.so service in mate-screensaver:lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

Mar 29 13:19:01 workstation01 mate-screensaver-dialog: pam_succeed_if(mate-screensaver:auth): requirement "service in mate-screensaver:lightdm:xrdp-sesman" was met by user "jdejong"
Mar 29 13:19:49 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Mar 29 13:19:50 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Kind regards,
Jelle de Jong
On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote:
Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and things like RDP will work with OTP. Here’s the default in password-auth and system-auth for Centos 7
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss. You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g.
auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
The one that gets messy is x2go, because it uses ssh, and can’t be detected by a service test.
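A toy walk of the common-auth stack Jelle posted on Mar 29, added here as an illustration (it is not code from any poster, PAM or SSSD): it follows the control flags to show which modules run per service, and that the service test only changes who prompts while pam_sss still decides. The `ctx` fields (`service`, `uid`, `local`, `credential`, `ipa_accepts`) and the simplified module outcomes are assumptions of the sketch.

```python
import re
# Jelle's common-auth stack from the thread; lines after pam_deny.so omitted,
# since "requisite pam_deny.so" always ends the walk when it is reached.
STACK = """\
auth [success=2 default=ignore] pam_succeed_if.so service in mate-screensaver:lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
"""
# Bracket equivalents of the keyword controls, per pam.conf(5).
KEYWORDS = {"required": "success=ok default=bad", "requisite": "success=ok default=die",
            "sufficient": "success=done default=ignore", "optional": "success=ok default=ignore"}

def parse(text):
    rules = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        ctl = KEYWORDS.get(m.group(1), m.group(1).strip("[]"))
        rules.append((dict(kv.split("=") for kv in ctl.split()), m.group(2), m.group(3).split()))
    return rules

def module_ok(mod, args, ctx):
    # Toy module outcomes: ctx is a constructed description of the attempt, not real PAM.
    if mod == "pam_succeed_if.so":                 # only the two tests used in this stack
        return (ctx["service"] in args[2].split(":") if args[0] == "service"
                else ctx["uid"] >= int(args[2]))
    if mod == "pam_sss.so":                        # the IPA server decides what is enough
        return ctx["credential"] in ctx["ipa_accepts"]
    return mod in ("pam_unix.so", "pam_localuser.so") and ctx["local"]  # pam_deny.so: False

def run(rules, ctx):
    called, ok, failed, i = [], False, False, 0
    while i < len(rules):
        ctl, mod, args = rules[i]
        called.append(mod)
        rc = "success" if module_ok(mod, args, ctx) else "auth_err"
        action = ctl.get(rc, ctl.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)                       # jump over the next N modules
        elif action in ("ok", "done"):
            ok = not failed
        elif action in ("bad", "die"):
            failed = True
        if action == "die" or (action == "done" and ok):
            break
    return ("success" if ok and not failed else "failure"), called
```

For an IPA user on mate-screensaver the walk is pam_succeed_if, pam_unix (fails), pam_succeed_if, pam_sss, the same order as the Mar 29 log lines; for a service outside the list pam_unix is skipped and pam_sss does its own prompting.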