On Tue, 2011-09-20 at 09:59 -0400, Dmitri Pal wrote:
> 3) After importing users use SSSD in migration mode (special setting in
> SSSD config). In this case for any user without kerberos hash who would
> log via SSSD the SSSD would connect IPA in a special way and trigger the
> Kerberos hash generation.

Migration mode in SSSD is not a client-side configuration. We ask the FreeIPA server whether migration is active. Specifically, the way SSSD behaves is as follows:

1) Try to authenticate with Kerberos. If Kerberos responds that there's no hash for this user,
2) Ask FreeIPA if migration mode is enabled; if it is,
3) Try to bind to FreeIPA LDAP using the same password. If this succeeds, we know that the password is valid.
4) Initiate a Kerberos password-change to set the Kerberos password equal to the LDAP password.

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
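
The four-step flow described in the reply above, modelled in Python as an added example (not SSSD or FreeIPA code, and not part of the original message). `ModelServer`, `authenticate`, the result strings and the sample user are hypothetical, and the SHA-256 value is only a stand-in for real credential storage.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def _h(pw: str) -> bytes:
    # Stand-in for a stored credential; not a real LDAP or Kerberos hash format.
    return hashlib.sha256(pw.encode()).digest()

@dataclass
class ModelServer:
    """In-memory stand-in for a FreeIPA server (constructed for this example)."""
    migration_enabled: bool
    ldap: dict = field(default_factory=dict)  # user -> LDAP password hash
    krb: dict = field(default_factory=dict)   # user -> Kerberos key, absent until migrated
    binds: int = 0                            # number of LDAP bind attempts seen

    def kerberos_auth(self, user, pw):
        if user not in self.krb:
            return "NO_HASH"
        return "OK" if hmac.compare_digest(self.krb[user], _h(pw)) else "BAD_PASSWORD"

    def ldap_bind(self, user, pw):
        self.binds += 1
        return user in self.ldap and hmac.compare_digest(self.ldap[user], _h(pw))

    def kerberos_set_password(self, user, pw):
        self.krb[user] = _h(pw)

def authenticate(server, user, pw):
    result = server.kerberos_auth(user, pw)   # step 1: try Kerberos first
    if result == "OK":
        return "kerberos"
    if result != "NO_HASH":                   # a wrong password never reaches the fallback
        return "denied"
    if not server.migration_enabled:          # step 2: the server decides, not the client
        return "denied"
    if not server.ldap_bind(user, pw):        # step 3: the bind proves the password is valid
        return "denied"
    server.kerberos_set_password(user, pw)    # step 4: Kerberos password := LDAP password
    return "migrated"

def demo():
    # Constructed sample: one imported user with an LDAP password and no Kerberos hash.
    s = ModelServer(True, ldap={"alice": _h("s3cret")})
    return [authenticate(s, "alice", "wrong"), authenticate(s, "alice", "s3cret"),
            authenticate(s, "alice", "s3cret"), authenticate(s, "alice", "wrong"), s.binds]
```

In this model the LDAP fallback is reached only on the "no hash" response, so once a user is migrated a wrong password is rejected by Kerberos alone and the bind counter stops increasing.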