On 09/13/2013 12:24 PM, Simo Sorce wrote: > On Thu, 2013-09-12 at 11:23 -0400, sergey ivanov wrote: >> Hi, >> I am looking for deployment of freeIPA in our organization. We have >> kerberos servers used for authentication on our computers and in >> applications, while users are mostly defined in /etc/passwd. >> For migration of user's password I have tried the way we usually do >> replicating password changes from master kerberos server to slaves. I >> did kdb5_util dump on old servers, transferred the dump to machine >> running FreeIPA, and was not able to do kdb5_util load -update, >> because of "Kerberos database constraints violated". Is there a way to >> import into freeIPA kerberos servers dump of kerberos principals, >> dumped by kdb5_util? >> > You could *try* do it *after* you create all users in freeipa, but I > think you'd break something. At the very least you would break plain > text binds as you would not generate the userPassword hash, not sure > what else, and I cannot guarantee it really works all the way. > > Simo. > So the answer is no, not the way you envisioned it. You need to get users from KDC DB. Reformat into and LDIF or just script invocation of the ipa user-add command. You would need to set temp passwords for users. Users would have to change their passwords on the first login.
-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users