On 10/08/2014 09:47 AM, Andreas Ladanyi wrote:

I have the following situation:

OpenLDAP with user entries. No userPassword hashes are available.
MIT Kerberos with principals and password hashes in the KRB DB.

I have migrated the user and group accounts via "ipa migrate-ds ..."

Now, is it possible to get the Kerberos user principal password
hashes out of the KRB's own DB into the appropriate krbPassword..... IPA LDAP
attribute, so the users could log in without any extra user action?


This will be a highly manual process.
AFAIR it has been done a couple of times, so please search the archives from 2-3 years ago. Simo was the person who provided the steps.

You would need to not only migrate the hashes by extracting the fields from the DB and loading them into LDAP using raw LDAP commands and LDIF, but also copy over and set the Kerberos master key. If you are up to it and dig out the instructions, we would really appreciate it if you could then put them on a wiki as a solution: http://www.freeipa.org/page/HowTos

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
