Description of problem:
Let's have three users:
Alice - added to ipa with no password set (ipa user-add alice --first Alice --last Novak)
Bob - added to ipa with initial password set (ipa user-add bob --first Bob --last Novak --password)
Carol - added to ipa with initial password, then logged in and changed her password (change is enforced on first login)

I would like to add these three users using the GUI. I have succeeded only with Carol.
When I'm trying to add Bob, it looks like he doesn't exist (warning sign in GUI).
When I'm trying to add Alice, the error message "Couldn't connect to skynet.com domain: Program lacks support for encryption type" appears.

Shouldn't we be able to add all three users (and enforce setting/changing password upon first login)?

And second question:
Why do we require Carol's password to be provided during addition using the GUI? Two people, Administrator and Carol, need to be present during this process (or Administrator needs to know Carol's password ;))

Version-Release number of selected component (if applicable):
realmd-0.13.3-2.fc19.x86_64
(In reply to comment #0)
> When I'm trying to add Bob, it looks like he doesn't exist (warning sign in
> GUI)
> When I'm trying to add Alice error message "Couldn't connect to skynet.com
> domain: Program lacks support for encryption type" appears.

Thanks for pointing these out. Fixed these cases in the patch upstream in GNOME bugzilla.

> Shouldn't we be able to add all three users (and enforce setting/changing
> password upon first login)?

Yup.

> And second question:
> Why do we require Carol's password to be provided during addition using GUI?
> Two people, Administrator and Carol need to be present during this process
> (or Administrator needs to know Carol's password;))

For two reasons:

 * Active Directory users can usually add themselves
 * So that we can verify that the user exists before setting up their account.

The gnome-control-center Enterprise Login UI is about users solving their own enterprise login problems, and adding their laptop to a domain as desired. It's not a tool for administrators to use to administer the machine.

In some cases the user needs to ask a domain administrator to come over and enter their credentials to give their approval (depending on domain policy). This is a similar workflow used on AD domains with Windows machines.
> The gnome-control-center Enterprise Login UI is about users solving their
> own enterprise login problems, and adding their laptop to a domain as
> desired. It's not a tool for administrators to use to administer the machine.
>
> In some cases the user needs to ask a domain administrator to come over and
> enter their credentials to give their approval (depending on domain policy).
> This is a similar workflow used on AD domains with Windows machines.

Is this working also with OTP? I think it would be a nice feature. Like this, admins could generate OTPs for users and wouldn't need to walk to machines.
It doesn't work with OTP, but it does work with automatic enrollment. Perhaps there is a case to be made for OTP.

But the main use case here is not for admins. If an admin is intimately involved with the process (i.e., is a Linux-aware admin who cares about joining Linux machines to the domain) then they are to use the tools provided for admins, and not gnome-control-center. The gnome-control-center stuff is for a user to be able to solve their own issues, perhaps involving an admin where necessary.

Because of this, the gnome-control-center stuff may not make sense for FreeIPA use cases; it's mainly for Active Directory. But since FreeIPA wants to be usable in all the ways and places AD is (as far as our integration work goes), we've made FreeIPA joins possible in gnome-control-center as well.
control-center-3.8.1.5-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/control-center-3.8.1.5-1.fc19
control-center 3.8.1.5 has been pushed to stable Fedora 19: https://admin.fedoraproject.org/updates/FEDORA-2013-7788/control-center-3.8.1.5-1.fc19