Hello,
I am deploying FreeIPA (RHEL IdM) for a client that wants to use it to replace
NIS. To ensure user convenience we want to migrate user accounts from the NIS
map including (hashed) passwords.
We have followed the FreeIPA guide for migration with passwords
<https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords>
(as well as the Red Hat NIS migration guide
<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating-from-nis#nis-import-users>)
to develop migration scripts that import the required maps.
Everything is working fine, except the importing of hashed passwords. As the
guide specifies, the import script creates a new user by calling the following:
ipa user-add $username --first=NIS --last=USER [...more arguments...] --setattr userpassword=$password
In this context, $password is the hashed password from the NIS passwd map
(which is hashed with DEScrypt) with the {crypt}-prefix as required by 389-DS,
as below.
# second field of the passwd-map line is the crypt hash; quote $line so a
# locked account's "*" field is not glob-expanded by the shell
encpass=$(echo "$line" | cut -f2 -d:)
# 389-DS needs the {crypt} prefix to store an existing crypt hash as-is
password="{crypt}$encpass"
Subsequently, we try to finalize account migration by accessing the migration
page https://ipa.clientdomain.loc/ipa/migration as well as attempting to
connect to an onboarded host's SSH, but the credentials seem to fail (ergo no
Kerberos hash can be generated).
The ssh auth log throws the log message below, and the IPA migration page fails
with an "incorrect username or password" message.
pam_sss(sshd:auth): received for user testvry: 8 (Insufficient
credentials to access authentication data)
We have performed this procedure with test users as well as actual users from
the NIS map to no avail. We have also tried all variants of password quoting,
capitalizing, etc. Do you have any idea what might be going wrong here?
Thanks a lot in advance!
Best regards,
Cas van Cooten
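An added example, not code from the post above or from the FreeIPA project: a Python helper that classifies each NIS passwd-map hash, skips locked or empty password fields, and builds the ipa user-add argv with the {crypt} value shell-quoted so that "$" and "*" are never expanded. The sample map lines are constructed, and the ipa user-add options beyond those in the post (--uid, --gidnumber, --gecos, --homedir, --shell) are assumed from the standard command.

```python
import re
import shlex

# Constructed sample NIS passwd-map lines (not real accounts). Line 1 carries a
# 13-character DES crypt hash, line 2 a locked account, line 3 an empty field,
# line 4 a placeholder glibc sha512crypt hash.
SAMPLE_PASSWD_MAP = """\
testvry:abJnggxhB/yWI:1001:1001:Test User:/home/testvry:/bin/bash
locked:*:1002:1002:Locked User:/home/locked:/bin/bash
nopass::1003:1003:No Password:/home/nopass:/bin/bash
sha:$6$saltsalt$abcDEF012./xyz:1004:1004:SHA512 User:/home/sha:/bin/bash
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt
GLIBC_CRYPT = re.compile(r"^\$(1|5|6)\$[^$]{1,16}\$[./0-9A-Za-z]+$")  # md5/sha256/sha512crypt

def classify_hash(field):
    """Label a passwd-map password field; only crypt-style hashes are importable."""
    if field == "" or field.startswith(("*", "!")):
        return "locked-or-empty"
    if DES_CRYPT.match(field):
        return "descrypt"
    m = GLIBC_CRYPT.match(field)
    if m:
        return {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}[m.group(1)]
    return "unknown"

def build_user_add(line):
    """Return the ipa user-add argv for one passwd line, or None if its hash cannot be imported."""
    name, pwfield, uid, gid, gecos, home, shell = line.rstrip("\n").split(":", 6)
    if classify_hash(pwfield) in ("locked-or-empty", "unknown"):
        return None
    # The {crypt} prefix tells 389-DS to store the value as an existing crypt hash.
    return ["ipa", "user-add", name, "--first=NIS", "--last=USER",
            f"--uid={uid}", f"--gidnumber={gid}", f"--gecos={gecos}",
            f"--homedir={home}", f"--shell={shell}",
            "--setattr", "userpassword={crypt}" + pwfield]

def as_shell(argv):
    """Render argv as a shell line; shlex.quote keeps '$' and '{' away from the shell."""
    return " ".join(shlex.quote(a) for a in argv)

def plan_import(map_text):
    """Map each passwd line to (username, hash kind, argv or None)."""
    plan = []
    for line in map_text.splitlines():
        if line.strip():
            fields = line.split(":")
            plan.append((fields[0], classify_hash(fields[1]), build_user_add(line)))
    return plan

if __name__ == "__main__":
    for name, kind, argv in plan_import(SAMPLE_PASSWD_MAP):
        print(f"{name:8s} {kind:16s} {'skip' if argv is None else as_shell(argv)}")
```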
_______________________________________________
FreeIPA-users mailing list -- [email protected]