Robert Kudyba via FreeIPA-users wrote:
> Running FreeIPA 4.8.10-6, 5.10.10-200.fc33.x86_64
>
> I'm using the nis-users.sh script
> from
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating-from-nis
>
> First note that the part (inside 'Now create this entry') that
> has --gecos='$gecos' actually inserts $gecos into the FreeIPA record.
> Also a simple fix to insert a first and last name would be:
> first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
> last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')
>
> and adding in the "Now create this entry section":
> --first=$first --last=$last
>
> I'm trying to migrate the passwords from NIS so that they are merged in
> the /etc/passwd file. (this is a test server). I followed Rob C's
> previous tips from here
> <https://freeipa-users.redhat.narkive.com/vTJsopZ5/problem-migrating-passwords-fro-nis-to-idm#post10>
> and here
> <https://www.redhat.com/archives/freeipa-users/2013-April/msg00058.html>.
>
> Not sure it matters but in /etc/libuser.conf, crypt_style = sha512
>
> In the script I added:
> password1=$(echo $line | cut -f2 -d:)
> and in the Now create this entry section:
> --setattr "userpassword='{CRYPT}$password1'"
>
> Here's what gets logged when debug is turned on:
> [Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365]
> [remote x.x.x.x:59726] ipa: INFO:
> [jsonserver_session] [email protected]: user_add/1('john',
> givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John
> Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150,
> setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",),
> version='2.239'): SUCCESS
>
> So does that appear that {CRYPT} is not being interpreted? I also added
> some debug:
> echo "Password hash value is $password1"
>
> And what prints is the original hash, sans {CRYPT}.
>
> So to test this outside of the script I added a test user:
> ipa user-add --first=test --last=user --setattr userpassword='{CRYPT}the-actual-hash-of-the-password' testuser
>
> Then I ran the following and the password worked:
> ldapsearch -x -D 'uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu' -W
>
> # testuser, users, accounts, ourdomain.edu
> dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
> givenName: test
> sn: user
> uid: testuser
> cn: test user
> displayName: test user
> initials: tu
> gecos: test user
> krbPrincipalName: [email protected]
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: fasuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/sh
> homeDirectory: /home/testuser
> mail: [email protected]
> krbCanonicalName: [email protected]
> ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
> uidNumber: 1520800007
> gidNumber: 1520800007
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
> krbLastPwdChange: 20210203034524Z
> krbPasswordExpiration: 20210504034524Z
>
> # testuser, groups, accounts, ourdomain.edu
> dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
> objectClass: posixgroup
> objectClass: ipaobject
> objectClass: mepManagedEntry
> objectClass: top
> cn: testuser
> gidNumber: 1520800007
> description: User private group for testuser
> mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
> ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0
>
> # search result
> search: 2
> result: 0 Success
>
> Is it still possible to do this in the current versions?
I think the problem is your double-quoting around the setattr value.
Drop that and it works for me.
I'm not entirely sure how that is messing things up in the API but yeah
it looks like it isn't seeing the {CRYPT} and encoding the whole thing
as a raw password (probably including the {CRYPT}).
rob
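As an added illustration of the quoting problem Rob points at (this is example code, not part of the thread and not Red Hat's nis-users.sh script), the script below builds the `--setattr` value from one NIS passwd line both ways. With the single quotes inside the double quotes the shell keeps them, so the directory receives a value that starts with `'` rather than `{CRYPT}` and the password plugin treats the whole string as a cleartext password, which matches the `setattr=("userpassword='{CRYPT}...'",)` seen in the debug log. The sample passwd line, the hash and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added example: building `ipa user-add --setattr userpassword=...` from a
# NIS passwd line, contrasting the broken quoting with the corrected one.

# Constructed sample line in passwd format; the hash is a placeholder.
SAMPLE_LINE='john:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:5319:150:Smith, John:/home/smith:/bin/tcsh'

# The thread's version: inner single quotes survive inside double quotes,
# so the value handed to ipa is   userpassword='{CRYPT}$6$...'
# It no longer starts with {CRYPT} and is stored as a cleartext password.
setattr_arg_quoted() {
    hash=$(printf '%s\n' "$1" | cut -f2 -d:)
    printf '%s\n' "userpassword='{CRYPT}$hash'"
}

# Corrected version: no inner quotes, so the value starts with {CRYPT}.
setattr_arg() {
    hash=$(printf '%s\n' "$1" | cut -f2 -d:)
    printf '%s\n' "userpassword={CRYPT}$hash"
}

# Returns 0 when field 2 looks like a usable crypt(3) hash ($1$ md5,
# $5$ sha256, $6$ sha512, or 13-character traditional DES). Locked or
# empty fields (*, !, !!, x) must not be imported as passwords: importing
# "!!" as a {CRYPT} value would silently turn a locked account into one
# with an unusable-but-present hash.
hash_is_importable() {
    hash=$(printf '%s\n' "$1" | cut -f2 -d:)
    case "$hash" in
        ''|'*'|x|'!'*) return 1 ;;
        '$1$'*|'$5$'*|'$6$'*) return 0 ;;
        *) [ "${#hash}" -eq 13 ] ;;
    esac
}

# gecos "Last, First" or "First Last" -> first name (same split as the
# sed/awk pair in the thread, done with parameter expansion).
gecos_first() {
    gecos=$(printf '%s\n' "$1" | cut -f5 -d:)
    case "$gecos" in
        *,*) first=${gecos#*,} ;;
        *)   first=${gecos%% *} ;;
    esac
    first=${first# }
    printf '%s\n' "${first% }"
}

# gecos "Last, First" or "First Last" -> last name.
gecos_last() {
    gecos=$(printf '%s\n' "$1" | cut -f5 -d:)
    case "$gecos" in
        *,*) last=${gecos%%,*} ;;
        *)   last=${gecos##* } ;;
    esac
    last=${last# }
    printf '%s\n' "${last% }"
}

# Dry run: print the ipa user-add invocation for one line instead of
# executing it, so the argument vector can be inspected before migration.
build_user_add() {
    line=$1
    login=$(printf '%s\n' "$line" | cut -f1 -d:)
    uid=$(printf '%s\n' "$line" | cut -f3 -d:)
    gid=$(printf '%s\n' "$line" | cut -f4 -d:)
    home=$(printf '%s\n' "$line" | cut -f6 -d:)
    shell=$(printf '%s\n' "$line" | cut -f7 -d:)
    printf 'ipa user-add --first=%s --last=%s --homedir=%s --shell=%s' \
        "$(gecos_first "$line")" "$(gecos_last "$line")" "$home" "$shell"
    printf ' --uid=%s --gidnumber=%s' "$uid" "$gid"
    if hash_is_importable "$line"; then
        printf ' --setattr %s' "$(setattr_arg "$line")"
    fi
    printf ' %s\n' "$login"
}

# Usage: walk a passwd-format file and print one command per line.
# while IFS= read -r l; do build_user_add "$l"; done < nis-passwd.txt
build_user_add "$SAMPLE_LINE"
```

Run it once against the NIS dump and read the printed commands before turning the `printf` into a real invocation; an account whose second field is locked is emitted without `--setattr`, so it lands in IPA with no password rather than with a bogus hash.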
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]