> On 18 Nov 2014, at 23:23, Roderick Johnstone <r...@ast.cam.ac.uk> wrote:
>
> On 18/11/2014 22:19, Dmitri Pal wrote:
>> On 11/18/2014 12:57 PM, Roderick Johnstone wrote:
>>> Hi
>>>
>>> I'm trying to migrate some nis accounts to RHEL 6 IdM while still
>>> keeping the original passwords.
>>>
>>> I followed the instructions at:
>>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>
>>> The passwords are in SHA-512 format and I have been testing the
>>> migration with commands like this (generated via a script from my nis
>>> passwd file) on my IdM server:
>>>
>>> $ ipa user-add xxx --first=NIS --last=USER --gidnumber=xxxx --uid=xxxx
>>> '--gecos=test account' --homedir=/home/xxxx --shell=/bin/bash
>>> --setattr userpassword='{SHA-512}xxxxxxx'
>>>
>>> where the xxxxxxx is the hashed password from the NIS password file
>>> with the leading $6$ stripped off.
>>>
>>> Then I remove nis from the passwd: line in /etc/nsswitch.conf so I'm
>>> left with:
>>> passwd: files sss
>>>
>>> and the account that I migrated cannot log in.
>>>
>>> From the sssd log file (below) it looks like it's trying to migrate the
>>> password but failing with an LDAP authentication failure.
>>>
>>> I'd appreciate any pointers to how to find out what's going wrong here.
>>>
>>> Accounts which I created manually in the web gui are working ok.
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
>>>
>>> Part of sssd log file
>>> =====================
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [set_server_common_status] (0x0100): Marking server 'xxx.xxx.xxx.xxx'
>>> as 'working'
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [fo_set_port_status] (0x0400): Marking port 0 of duplicate server
>>> 'xxx.xxx.xxx.xxx' as 'working'
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [ipa_migration_flag_connect_done] (0x0400): Assuming Kerberos password
>>> is missing, starting password migration.
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_send]
>>> (0x0100): Executing simple bind as:
>>> uid=xxx,cn=users,cn=accounts,dc=xxx,dc=xxx,dc=xxx,dc=xxx
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_done]
>>> (0x0400): Bind result: Invalid credentials(49), no errmsg set
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password
>>> migration not possible.
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [be_pam_handler_callback] (0x0100): Backend returned: (0, 8, <NULL>)
>>> [Success]
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [be_pam_handler_callback] (0x0100): Sending result [8][xxx.xxx.xxx]
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [be_pam_handler_callback] (0x0100): Sent result [8][xxx.xxx.xxx]
>>>
>>
>> Did you enable migration mode on the IPA server?
>>
>
> Yes, I ran:
> ipa config-mod --enable-migration=true
> on the IPA server.
>
> Roderick

Sorry, I missed this thread involved SSSD logs.

Normally, error 49 (Invalid credentials) means really a wrong password.
Are you sure the password was not mistyped (different keyboard layout or
caps lock perhaps)? Did you try the web UI migration?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project