[Freeipa-users] Restrict AD users from passwd

Brian Lee brian_lee1 at jabil.com
Wed Aug 14 13:48:42 UTC 2013


Hi Sumit,

Thanks for the suggestion. I'll have to give this some thought; since we
have 100+ AD servers, this might not be well received by the AD team. If
anyone can think of a better mousetrap than this, let me know.

Thanks,
Brian




On Wed, Aug 14, 2013 at 9:37 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Wed, Aug 14, 2013 at 09:19:17AM -0400, Brian Lee wrote:
> > Hi All,
> >
> > Our current account management policy requires that users change their AD
> > passwords via a special portal, however I've noticed that this can be
> > bypassed by issuing passwd on a Linux system while logged in with AD
> > credentials, thus changing their AD password.
> >
> > Any thoughts on the best way to prevent this action?
> >
> > What I've considered so far is removing the trust in AD, effectively
> > creating a one-way trust, but that would limit functionality for future
> > interoperability.
> >
> > Additionally, we could change the permissions for passwd on each Linux
> > system, but this would be somewhat hackish and also complicated to enforce,
> > since we're waiting on Foreman + Puppet to properly be integrated into
> > Katello for our configuration management solution.
> >
> > Any way to restrict this via the FreeIPA UI?
>
> I think the only safe way to achieve this is to block port 464 on the AD
> servers for the Linux hosts, because basically what passwd is doing here
> via SSSD is to change the Kerberos password. The same can be done with
> the kpasswd command; it does not require any privileges, the user only
> needs to know his current password. So even if we add an option to force
> SSSD to reject password changes for users from trusted domains, there are
> other ways for users to change the password which cannot be controlled
> by IPA.
>
> Please note that changing the AD password with kpasswd would even work
> without trust.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Brian
>
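A check for the port-464 egress block Sumit describes, added here as an example and not part of FreeIPA or SSSD: it parses the SRV answers for `_kpasswd._tcp.<ad-domain>` (the DC names below are constructed placeholders) and reports any domain controller whose kpasswd port still answers from the host it runs on, i.e. where `passwd` via SSSD or `kpasswd` could still change an AD password.

```python
"""Audit whether a Linux host can still reach the AD kpasswd service (port 464).
Added example for the egress-block mitigation; not FreeIPA/SSSD code."""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample of `dig +short SRV _kpasswd._tcp.<ad-domain>` output
# (priority weight port target); placeholder DC names, not real hosts.
SAMPLE_SRV_OUTPUT = """\
0 100 464 dc1.ad.example.com.
0 100 464 dc2.ad.example.com.
"""

def parse_srv_short(output: str) -> List[Tuple[str, int]]:
    """Parse `dig +short SRV` lines into (target, port), lowest priority first."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        prio, weight, port, target = parts
        records.append((int(prio), -int(weight), target.rstrip("."), int(port)))
    return [(t, p) for _, _, t, p in sorted(records)]

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, DNS failure
        return False

def audit_kpasswd_egress(dcs: List[Tuple[str, int]],
                         probe: Callable[[str, int], bool] = tcp_reachable,
                         ) -> Dict[str, bool]:
    """Map each DC to whether its kpasswd port answers from this host.
    `probe` is injectable so the logic runs without a network. Only TCP is
    probed; AD also serves kpasswd on UDP 464, so the block must cover both."""
    return {host: probe(host, port) for host, port in dcs}

def mitigation_gaps(results: Dict[str, bool]) -> List[str]:
    """DCs where kpasswd is still reachable, i.e. the egress block is missing."""
    return sorted(dc for dc, reachable in results.items() if reachable)

if __name__ == "__main__":
    # On a real IPA client, replace SAMPLE_SRV_OUTPUT with live `dig` output.
    results = audit_kpasswd_egress(parse_srv_short(SAMPLE_SRV_OUTPUT))
    for dc, reachable in results.items():
        print(f"{dc}: {'REACHABLE' if reachable else 'blocked'}")
    raise SystemExit(1 if mitigation_gaps(results) else 0)
```

A non-zero exit means at least one DC still accepts kpasswd traffic from this host, so the check can be run from configuration management once Foreman/Puppet is in place.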