ITreers UA via FreeIPA-users wrote: > Thank you for the reply. > > As I understood from your reply it's not possible to migrate passwords > without "migration" procedure after the ipa migrate-ds? > During my test migrations from earlier (start of the last month) I have > managed to migrate and login with old passwords after the ipa migrate-ds. > I used docker image "#rocky-9" and until image was updated with the new OS > version or some security updates I don't know I have 2 or 3 successful > attempt of the migration of users with the passwords. I was able to login > using kinit and web. How it possible?
I think you are overusing the word migrate. After migrate-ds the users only have an LDAP password at best. In order to generate Kerberos keys they need to authenticate to LDAP while IPA is still in migration mode (ipa config-mod --enable-migration). Logging into an IPA-enrolled client will do this key generation automatically if IPA is still in migration mode. Or, as Alexander said, there is a web site for this as well. If you turn off the IPA migration then you will need to reset users's passwords so that keys can be generated. rob -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
