10-13-2008, 10:21 PM
Alan McKinnon

Easily coping with a domain password

Hi,

Some weeks go well, some don't. For me, this one isn't.

The AD at work was moaning that I needed to change the password, which I duly
did under protest. Then all hell broke loose. 30 seconds later the account
was locked.

That turned out to be kontact checking Exchange once a minute when I thought I
had unset auto checks. Phoned IT, got the account unlocked. And it happened
again, this time kwallet had cached something. Fixed by manually going
through everything in kwallet, changing all old passwords I found. And I got
locked out a third time, which appears to be due to ldap lookups (more than
one). $DEITY only knows where these are coming from, I've been doing some
experimenting lately....

IT are getting a wee bit upset with me, and this happens regularly once a
month but today was especially bad. Methinks I should consolidate all the
many apps and URLs that auth against the domain. And I'm wondering how best
to do this as I'm clueless about it actually - I normally avoid MS stuff like
the plague.

Should I be looking into winbind?
Or configure kerberos to join the domain and have all my apps use that?
Some ldap-proxy type setup?

Pointers to howtos and opinions on what's worth the effort are all that I'm
after today - I can read the details in the man pages myself once I have a
known direction to follow. If my three ideas above sound stupid, that's
because they probably are :-)

--
alan dot mckinnon at gmail dot com
 
10-14-2008, 11:52 AM
Stroller

Easily coping with a domain password

On 13 Oct 2008, at 23:21, Alan McKinnon wrote:

> ...
> Should I be looking into winbind?
> Or configure kerberos to join the domain and have all my apps use that?
> Some ldap-proxy type setup?
>
> Pointers to howtos and opinions on what's worth the effort are all that I'm
> after today - I can read the details in the man pages myself once I have a
> known direction to follow. If my three ideas above sound stupid, that's
> because they probably are :-)

I don't think winbind is an answer - I use it myself on an IMAP
server, allowing the users to use the same password for their email as
they do for the domain, and I don't immediately see how it could be
configured to in some way behave in a manner which would alleviate
your problem.


The solution which seems most obvious to me is to reboot your laptop
when changing your domain password (or even just log out?), so that
all these services are no longer running in the background with the
old password saved. Also, you could perhaps ask your IT department to
change their security policy to reduce the number of occasions upon
which you need to inconvenience them; instead of 3 attempts locking
you out permanently and requiring a manual reset, if they locked you
out for only 5 minutes you would perhaps have time to realise there's
a problem and fix it.


IMO any client being denied access with a "bad password" type response
should STOP AND ASK for a corrected password, rather than persistently
trying with a user/pass it has been told to be invalid. Is it possible
your klient apps are somehow misconfigured? If not, perhaps you should
file upstream bugs.


Stroller.
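
The "stop and ask" behaviour suggested in the reply above, as an added example that is not part of the original thread and not code from any application mentioned in it. `FakeDirectory`, `Poller` and the passwords are constructed stand-ins; the three-failure threshold is the policy described in the reply.

```python
# Constructed simulation: a stale cached password against an N-strikes lockout policy.
class AuthError(Exception):
    """Server rejected the credentials (not a transient failure)."""

class LockedOut(Exception):
    """Account is locked; even the correct password is refused."""

class FakeDirectory:
    """Hypothetical stand-in for the domain: locks after `threshold` bad binds."""
    def __init__(self, password, threshold=3):
        self.password, self.threshold = password, threshold
        self.failures, self.locked = 0, False

    def bind(self, password):
        if self.locked:
            raise LockedOut()
        if password != self.password:
            self.failures += 1
            self.locked = self.failures >= self.threshold
            raise AuthError()
        self.failures = 0  # a good bind resets the bad-password counter

class Poller:
    """Background checker that authenticates with a cached password."""
    def __init__(self, directory, cached_password, stop_on_auth_error):
        self.directory, self.cached = directory, cached_password
        self.stop_on_auth_error = stop_on_auth_error
        self.needs_password = False

    def poll(self):
        if self.needs_password:  # refuse to resend a credential known to be bad
            return "waiting for user"
        try:
            self.directory.bind(self.cached)
            return "ok"
        except AuthError:
            self.needs_password = self.stop_on_auth_error
            return "rejected"
        except LockedOut:
            return "locked"

    def supply_password(self, password):
        self.cached, self.needs_password = password, False

def run(stop_on_auth_error, polls=5):
    """Domain password has just changed; poll `polls` times with the old one."""
    directory = FakeDirectory("new-secret")
    poller = Poller(directory, "old-secret", stop_on_auth_error)
    results = [poller.poll() for _ in range(polls)]
    return results, directory.failures, directory.locked
```

With `stop_on_auth_error=False` the poller burns all three attempts and locks the account; with `True` it costs one failed attempt and then waits for a corrected password.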
 

All times are GMT.