[Freeipa-users] Cmd-line Unprovision & OTP setting for a host

Charlie Derwent shelltoesuperstar at gmail.com
Tue Sep 18 11:34:20 UTC 2012


Hi

I've used "ipa host-disable ${HOST}; ipa host-mod --password=${PASS}
${HOST}" in the past and that seems to work quite well. The ideal for me
would be a situation where the IPA information could persist between
rebuilds.

Cheers,
Charlie
On Tue, Sep 18, 2012 at 12:05 PM, Innes, Duncan <
Duncan.Innes at virginmoney.com> wrote:

> Folks,
>
> Juggling a problem here that perhaps doesn't have a perfect solution.
> I'm looking at systems that get re-provisioned by a
> Satellite/Spacewalk/Installation method.  For full (Free)IPA
> integration, we normally delete the old entry from IPA, create a new one
> from scratch and set the OTP to match what we put in our post-install
> script called by the kickstart file.
>
> Just noticed that I can do the same thing by Unprovisioning the system
> via the WebUI and then setting the OTP.
>
> Is there a way to Unprovision a registered host and set an OTP via the
> command line?  I was looking at 'ipa host-mod --setattr' but not getting
> too far with the Unprovisioning aspect.
>
> Duncan Innes | Linux Architect | Virgin Money | +44 1603 215476 | +44
> 7801 134507 | duncan.innes at virginmoney.com
>
>
>
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com
> > [mailto:freeipa-users-bounces at redhat.com] On Behalf Of JR Aquino
> > Sent: 18 September 2012 03:58
> > To: Tim Hildred
> > Cc: freeipa-users
> > Subject: Re: [Freeipa-users] Password requirements too stringent
> >
> >
> > On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote:
> >
> > > JR
> > >
> > > I had that line. I commented it out. Thank you.
> > >
> > > Now, what do I have to restart?
> >
> > I believe it should take effect in real time, but you may
> > need to test to be sure.  If it is still happening, you may
> > need to double check that some other pam cfg doesn't also
> > have it present: $ cd /etc/pam.d/ && grep pam_cracklib *
> >
> > If you have removed it from everything and it is still giving
> > you the same error, then I would try a reboot... perhaps
> > getty needs to reinitialize or something.  But I'd try those
> > steps before a reboot!
> >
> > ;)
> >
> > > Tim Hildred, RHCE
> > > Content Author II - Engineering Content Services, Red Hat, Inc.
> > > Brisbane, Australia
> > > Email: thildred at redhat.com
> > > Internal: 8588287
> > > Mobile: +61 4 666 25242
> > > IRC: thildred
> > >
> > > ----- Original Message -----
> > >> From: "JR Aquino" <JR.Aquino at citrix.com>
> > >> To: "Tim Hildred" <thildred at redhat.com>
> > >> Cc: "freeipa-users" <freeipa-users at redhat.com>
> > >> Sent: Tuesday, September 18, 2012 12:37:48 PM
> > >> Subject: Re: [Freeipa-users] Password requirements too stringent
> > >>
> > >> Tim, please check your /etc/pam.d/system-auth with the password
> > >> block.  If you see password    requisite     pam_cracklib.so, then
> > >> this is why you are having a problem.
> > >>
> > >> $ man pam_cracklib
> > >>
> > >> It is a local security library for enforcing strong password
> > >> practices from the unix cli.
> > >>
> > >> ProTip:
> > >> If you don't need this, you can remove it from pam.
> > >> If you want to work around this, set your password from the IPA
> > >> webui or via the cli: "ipa passwd username"
> > >>
> > >> Hope this info helps!
> > >>
> > >> "Keeping your head in the cloud"
> > >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >> JR Aquino
> > >>
> > >> Senior Information Security Specialist, Technical Operations
> > >> T: +1 805 690 3478 | F: +1 805 879 3730 | M: +1 805 717 0365
> > >> GIAC Certified Incident Handler | GIAC WebApplication Penetration Tester
> > >> JR.Aquino at citrix.com
> > >>
> > >>
> > >>
> > >> On Sep 17, 2012, at 6:25 PM, Tim Hildred wrote:
> > >>
> > >> Hey all;
> > >>
> > >> I'm running IPA internally to control access to our cloud
> > >> environment.
> > >>
> > >> I must admit, I do not understand the password requirements. I have
> > >> had them set to the defaults. I read this:
> > >>
> > >> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/user-pwdpolicy.html
> > >>
> > >> I have the minimum character classes set to 0. When people use SSH to
> > >> change their passwords, they get "Based on a dictionary word" for
> > >> passwords that have nothing to do with dictionary words.
> > >>
> > >> I can't find anywhere in the documentation a breakdown of what makes
> > >> an unacceptable versus acceptable password.
> > >>
> > >> Can anyone help me figure out what to tell my users? I think people
> > >> would get a lot less frustrated if they knew why "C679V375" was "too
> > >> simple" when the password policy has 0 required classes.
> > >>
> > >> Tim Hildred, RHCE
> > >> Content Author II - Engineering Content Services, Red Hat, Inc.
> > >> Brisbane, Australia
> > >> Email: thildred at redhat.com
> > >> Internal: 8588287
> > >> Mobile: +61 4 666 25242
> > >> IRC: thildred
> > >>
> > >> ps: funny exchange with user:
> > >> Jul 12 14:12:33 <user1> i feel like im being punked
> > >> Jul 12 14:12:40 <user1> it is based on a dictionary word
> > >> Jul 12 14:12:43 <user1> it is too short
> > >> Jul 12 14:12:49 <user1> is does not have enough unique letters
> > >> Jul 12 14:12:51 <user1> etc
> > >>
> > >> _______________________________________________
> > >> Freeipa-users mailing list
> > >> Freeipa-users at redhat.com
> > >> https://www.redhat.com/mailman/listinfo/freeipa-users
> > >>
> > >>
> >
> >
>
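
The sequence from the reply at the top of this message (host-disable, then host-mod --password) wrapped as a re-provisioning helper that issues a fresh random OTP per rebuild. This is an added example, not part of the original thread; the function names and the 24-character OTP length are assumptions, and it needs the ipa CLI plus a valid admin Kerberos ticket.

```sh
#!/bin/sh
# Added example: re-arm an existing FreeIPA host entry before a rebuild.
# Uses only the two commands quoted in the thread:
#   ipa host-disable HOST ; ipa host-mod --password=PASS HOST

# gen_otp: print a 24-character one-time password from the kernel CSPRNG.
gen_otp() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# valid_fqdn: accept only dotted names made of letters, digits and hyphens,
# so a value such as "--all" can never be parsed by ipa as an option.
valid_fqdn() {
    case "$1" in
        ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# reprovision_host HOST: unprovision HOST, set a new OTP, print the OTP on
# stdout (all ipa output goes to stderr). Runs in a subshell so its
# variables do not leak into the caller.
reprovision_host() (
    host=$1
    valid_fqdn "$host" || { echo "invalid host name: $host" >&2; exit 2; }
    otp=$(gen_otp)
    [ "${#otp}" -eq 24 ] || { echo "OTP generation failed" >&2; exit 3; }
    # Assumption: host-disable may fail when the host is already
    # unprovisioned; that is not fatal because host-mod decides success.
    ipa host-disable "$host" >&2 || echo "note: host-disable failed for $host" >&2
    # The OTP is visible in the process list while this command runs.
    ipa host-mod --password="$otp" "$host" >&2 || exit 4
    printf '%s\n' "$otp"
)

# Usage: OTP=$(reprovision_host HOST) and hand $OTP to the post-install script.
```

The host entry itself is kept, so the IPA information attached to it persists across the rebuild while the old enrollment is invalidated.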