On Tue, Oct 06, 2009 at 11:33:02AM -0700, Gary Verhulp wrote:
> Thanks for the response.
> I have the NIS config on the client set up correctly, I believe.
> This client was moved from my current NIS domain and works fine.
> 
> It's not that the client does not bind to the new FreeIPA NIS domain, 
> but rather there is no passwd hash in the output of ypcat -k passwd so 
> it has no way to auth.
> 
> ga...@fell:/var/log$ ypcat -k passwd
> ttest ttest:*:1102:1002:Tim  Test:/home/ttest:/bin/bash

The plugin's default configuration has it search for a "crypt" style
value in the userPassword attribute for that entry, which is what a
client would understand.  (Specifically, it looks for an entry that
begins with the magic value "{CRYPT}", strips that off of the front, and
puts the rest into that field.  Failing that, it uses "*".)

If you use ldapsearch to search for ttest's entry as the directory
administrator, do you see values of the form "{CRYPT}xxxxxxxxxxxxx" for
the entry's "userPassword" attribute?

If they're base64-encoded (marked by two ':' characters instead of one
between the attribute name and value in the LDIF output), you may need
to pipe the value through "openssl base64 -d" or something similar.

Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
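
The check described in the reply above, as an added Python example that is not part of the original message or the plugin's code: it reads ldapsearch-style LDIF, decodes "::" base64 values, and derives the password field the passwd map would carry. The function names, sample DN and hash strings are constructed for illustration, and the exact-case comparison against "{CRYPT}" is an assumption.

```python
import base64

CRYPT_PREFIX = "{CRYPT}"  # magic value named in the reply; exact-case match is assumed

def user_password_values(ldif_text):
    """Return the decoded userPassword values found in one LDIF entry."""
    lines = []
    for raw in ldif_text.splitlines():
        # LDIF folds long lines: a leading space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != "userpassword":
            continue
        if rest.startswith(":"):
            # "::" between name and value marks base64 (what "openssl base64 -d" undoes).
            raw_value = base64.b64decode(rest[1:].strip())
            values.append(raw_value.decode("utf-8", "replace"))
        else:
            values.append(rest.strip())
    return values

def nis_password_field(ldif_text):
    """Password field the NIS passwd map would carry, per the rule in the reply."""
    for value in user_password_values(ldif_text):
        if value.startswith(CRYPT_PREFIX):
            return value[len(CRYPT_PREFIX):]
    return "*"  # no crypt-style value: the field seen in the ypcat output

# Constructed sample entries (DN and hash strings are placeholders, not real data).
_HASH = "ab0123456789X"
_B64 = base64.b64encode((CRYPT_PREFIX + _HASH).encode()).decode()
SAMPLE_PLAIN = "dn: uid=ttest,dc=example,dc=com\nuserPassword: {CRYPT}" + _HASH + "\n"
SAMPLE_B64_FOLDED = ("dn: uid=ttest,dc=example,dc=com\n"
                     "userPassword:: " + _B64[:10] + "\n " + _B64[10:] + "\n")
SAMPLE_OTHER_SCHEME = "dn: uid=ttest,dc=example,dc=com\nuserPassword: {SSHA}placeholder\n"

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_B64_FOLDED", "SAMPLE_OTHER_SCHEME"):
        print(name, "->", nis_password_field(globals()[name]))
```

An entry whose only userPassword value carries a different scheme prefix yields "*", which matches the symptom in the quoted ypcat output.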
