On 2022-07-16 16:03:15, Sam Morris via FreeIPA-users wrote:
The user experience for this is not ideal (it's something my organization suffers from as well). My two ideas for how to improve it are:

* A VPN that connects on boot, using the host's identity instead of the user (ideally combined with some clever Enterprise networking solution that puts the client into a separate network where it can do very little other than reach your KDCs until the user has authenticated)
* Make the KDC service accessible to the Internet via ms-kkdcp, which is supported by FreeIPA, but I think you have to make some changes to kdc.conf on the clients as well

I found a workaround using xscreensaver:

* establish the VPN connection to the office network, including the FreeIPA server
* use xscreensaver-demo to lock the screen now
* unlock the screensaver using the new password. This seems to update the local cached entry as well.
* use seahorse to change the passphrase of your login keyring accordingly

Worked for me.

Regards
Harri