Running FreeIPA 4.8.10-6, 5.10.10-200.fc33.x86_64

I'm using the nis-users.sh script from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating-from-nis

First note that the part (inside 'Now create this entry') that has --gecos='$gecos' actually inserts $gecos into the FreeIPA record. Also a simple fix to insert a first and last name would be:

    first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
    last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')

and adding in the "Now create this entry" section:

    --first=$first --last=$last

I'm trying to migrate the passwords from NIS so that they are merged in the /etc/passwd file. (This is a test server.) I followed Rob C's previous tips from here <https://freeipa-users.redhat.narkive.com/vTJsopZ5/problem-migrating-passwords-fro-nis-to-idm#post10> and here <https://www.redhat.com/archives/freeipa-users/2013-April/msg00058.html>.

Not sure it matters but in /etc/libuser.conf, crypt_style = sha512

In the script I added:

    password1=$(echo $line | cut -f2 -d:)

and in the "Now create this entry" section:

    --setattr "userpassword='{CRYPT}$password1'"

Here's what gets logged when debug is turned on:

    [Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365] [remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] ad...@ourdomain.edu: user_add/1('john', givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150, setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",), version='2.239'): SUCCESS

So does it appear that {CRYPT} is not being interpreted?

I also added some debug:

    echo "Password hash value is $password1"

And what prints is the original hash, sans {CRYPT}.

So to test this outside of the script I added a test user:

    ipa user-add --first=test --last=user --setattr userpassword='{CRYPT} the-actual-hash-of-the-password' testuser

Then I ran the following and the password worked:

    ldapsearch -x -D 'uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu' -W

    # testuser, users, accounts, ourdomain.edu
    dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
    givenName: test
    sn: user
    uid: testuser
    cn: test user
    displayName: test user
    initials: tu
    gecos: test user
    krbPrincipalName: testu...@ourdomain.edu
    objectClass: top
    objectClass: person
    objectClass: organizationalperson
    objectClass: inetorgperson
    objectClass: inetuser
    objectClass: posixaccount
    objectClass: krbprincipalaux
    objectClass: krbticketpolicyaux
    objectClass: ipaobject
    objectClass: ipasshuser
    objectClass: fasuser
    objectClass: ipaSshGroupOfPubKeys
    objectClass: mepOriginEntry
    loginShell: /bin/sh
    homeDirectory: /home/testuser
    mail: testu...@ourdomain.edu
    krbCanonicalName: testu...@ourdomain.edu
    ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
    uidNumber: 1520800007
    gidNumber: 1520800007
    memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
    krbLastPwdChange: 20210203034524Z
    krbPasswordExpiration: 20210504034524Z

    # testuser, groups, accounts, ourdomain.edu
    dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
    objectClass: posixgroup
    objectClass: ipaobject
    objectClass: mepManagedEntry
    objectClass: top
    cn: testuser
    gidNumber: 1520800007
    description: User private group for testuser
    mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
    ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0

    # search result
    search: 2
    result: 0 Success

Is it still possible to do this in the current versions?

Thanks,
Rob
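
An added example, not part of the original post or of the nis-users.sh script: it shows what the shell hands to `--setattr` when the value is quoted as in the script change above (single quotes nested inside double quotes) versus double quotes alone, which is what the logged `userpassword='{CRYPT}...'` and `gecos="'John Smith'"` reflect. The sample passwd line, the hash placeholder and all function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed NIS passwd map line; the hash field is a placeholder, not a real hash.
SAMPLE_LINE='john:$6$constructedsalt$constructedhash:5319:150:Smith, John:/home/smith:/bin/tcsh'

# Print field $2 of the colon-separated passwd line $1 (same cut call as the post).
passwd_field() {
    printf '%s\n' "$1" | cut -f"$2" -d:
}

# Quoting as added to the script in the post: single quotes nested inside
# double quotes. Inside double quotes the shell does not remove the single
# quotes, so they become the first and last characters of the value.
setattr_nested_quotes() {
    pw_hash=$(passwd_field "$1" 2)
    printf '%s' "userpassword='{CRYPT}$pw_hash'"
}

# Double quotes only: $pw_hash expands and nothing else is added to the value.
setattr_plain() {
    pw_hash=$(passwd_field "$1" 2)
    printf '%s' "userpassword={CRYPT}$pw_hash"
}

# Succeeds only when the attribute value begins with the {CRYPT} scheme prefix.
starts_with_crypt() {
    case "${1#userpassword=}" in
        '{CRYPT}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Show both forms for the constructed line.
for builder in setattr_nested_quotes setattr_plain; do
    arg=$("$builder" "$SAMPLE_LINE")
    if starts_with_crypt "$arg"; then verdict='begins with {CRYPT}'
    else verdict='does NOT begin with {CRYPT}'; fi
    printf '%-22s %s  -> %s\n' "$builder" "$arg" "$verdict"
done
```

The second form corresponds to the manual `ipa user-add` test in the post, where the single quotes sit at the outermost level and the shell removes them before `ipa` sees the value.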