* [gentoo-user] Easily coping with a domain password
@ 2008-10-13 22:21 Alan McKinnon
From: Alan McKinnon @ 2008-10-13 22:21 UTC
To: gentoo-user
Hi,
Some weeks go well, some don't. For me, this one isn't.
The AD at work was moaning that I needed to change the password, which I duly
did under protest. Then all hell broke loose. 30 seconds later the account
was locked.
That turned out to be kontact checking Exchange once a minute when I thought I
had unset auto checks. Phoned IT, got the account unlocked. And it happened
again, this time kwallet had cached something. Fixed by manually going
through everything in kwallet, changing all old passwords I found. And I got
locked out a third time, which appears to be due to ldap lookups (more than
one). $DEITY only knows where these are coming from, I've been doing some
experimenting lately....
IT are getting a wee bit upset with me, and this happens regularly once a
month but today was especially bad. Methinks I should consolidate all the
many apps and URLs that auth against the domain. And I'm wondering how best
to do this as I'm clueless about it actually - I normally avoid MS stuff like
the plague.
Should I be looking into winbind?
Or configure kerberos to join the domain and have all my apps use that?
Some ldap-proxy type setup?
Pointers to howtos and opinions on what's worth the effort are all that I'm
after today - I can read the details in the man pages myself once I have a
known direction to follow. If my three ideas above sound stupid, that's
because they probably are :-)
--
alan dot mckinnon at gmail dot com
* Re: [gentoo-user] Easily coping with a domain password
From: Stroller @ 2008-10-14 11:52 UTC
To: gentoo-user
On 13 Oct 2008, at 23:21, Alan McKinnon wrote:
> ...
> Should I be looking into winbind?
> Or configure kerberos to join the domain and have all my apps use that?
> Some ldap-proxy type setup?
>
> Pointers to howtos and opinions on what's worth the effort are all that I'm
> after today - I can read the details in the man pages myself once I have a
> known direction to follow. If my three ideas above sound stupid, that's
> because they probably are :-)

I don't think winbind is an answer - I use it myself on an IMAP
server, allowing the users to use the same password for their email as
they do for the domain, and I don't immediately see how it could be
configured to in some way behave in a manner which would alleviate
your problem.
The solution which seems most obvious to me is to reboot your laptop
when changing your domain password (or even just log out?), so that
all these services are no longer running in the background with the
old password saved. Also, you could perhaps ask your IT department to
change their security policy to reduce the number of occasions upon
which you need to inconvenience them; instead of 3 attempts locking
you out permanently and requiring a manual reset, if they locked you
out for only 5 minutes you would perhaps have time to realise there's
a problem and fix it.
IMO any client being denied access with a "bad password" type response
should STOP AND ASK for a corrected password, rather than persistently
trying with a user:pass it has been told to be invalid. Is it possible
your klient apps are somehow misconfigured? If not, perhaps you should
file upstream bugs.
Stroller.
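
The lockout sequence described in this thread, and the "stop and ask" client behaviour suggested in the reply, as an added simulation that is not part of either post. The `Directory` and `Poller` classes, the account name and the passwords are constructed for illustration; only the three-attempt threshold comes from the thread.

```python
# Constructed simulation: a directory that locks an account after 3 bad
# binds (the threshold mentioned in the reply), and a background poller
# that still holds the old password after a password change.
LOCKOUT_THRESHOLD = 3  # from the thread: "3 attempts locking you out"

class Directory:
    """Hypothetical stand-in for the domain's authentication service."""
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.bad_attempts = 0
        self.locked = False

    def change_password(self, new):
        self.password = new

    def bind(self, user, password):
        if self.locked:
            return "LOCKED"
        if user == self.user and password == self.password:
            self.bad_attempts = 0
            return "OK"
        self.bad_attempts += 1
        if self.bad_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return "BAD_PASSWORD"

class Poller:
    """Background client (e.g. a mail checker) with a cached password."""
    def __init__(self, directory, user, cached, stop_on_reject):
        self.directory, self.user, self.cached = directory, user, cached
        self.stop_on_reject = stop_on_reject
        self.needs_password = False  # latch: set once the server rejects us

    def poll(self):
        if self.needs_password:
            return "PAUSED"  # do not resend a credential known to be invalid
        result = self.directory.bind(self.user, self.cached)
        if result == "BAD_PASSWORD" and self.stop_on_reject:
            self.needs_password = True
        return result

    def supply_password(self, new):
        self.cached, self.needs_password = new, False

def simulate(stop_on_reject, polls=5):
    d = Directory("alan", "old-pw")          # constructed sample values
    client = Poller(d, "alan", "old-pw", stop_on_reject)
    d.change_password("new-pw")              # user rotates the domain password
    results = [client.poll() for _ in range(polls)]
    return results, d.locked, d.bad_attempts
```

The latch limits each client to one rejected attempt, so three or more clients holding the stale password can still reach the threshold between them.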