Prasun Gera wrote:
> Yes, that is right. I added the users with ipa user-add [username]
> --setattr userpassword={crypt}yourencryptedpass
> 
> Actually, the authentication does work for the users added this way.
> i.e. without making any changes to NIS clients. I just repurposed the
> NIS server to be the IPA server, turned off the ypserv & yppasswd
> service, and enabled the slapi-nis plugin. So far so good, and the NIS
> clients continue to function normally. i.e. the NIS plugin on the IPA
> server DOES distribute the cryptpasses. I also didn't expect the old NIS
> clients to authenticate any new users added to IPA directly, and that is
> all right. I just want the clients to function for the existing users
> until they are migrated. The only thing that is slightly puzzling is
> that a couple of users have been migrated unintentionally, so to speak.
> 
> A user can be explicitly migrated to IPA if (s)he generates the kerberos
> keys, at which point the slapi-nis stops distributing the crypt pass for
> that user. This is what I have observed so far, and it sounds
> reasonable. (This can also be confirmed with ipa user-show, which in
> case of these old users shows "Kerberos keys available: False", which
> turns to True once properly migrated. It can also be confirmed from the
> webui. The old password won't work in the webui until migrated, and once
> migrated, NIS cryptpasses will stop working).
> 
> However, what I'm seeing is that in a couple of cases, the users have
> been migrated to IPA automatically. Their status shows Kerberos keys
> available: True, and their cryptpasses have changed to * in ypcat
> passwd's output. 

The passwords will only show if they are in {crypt} format. If the
password is changed in IPA it will use the default 389-ds password
scheme which is a salted SHA. It may be, though I didn't think this was
the case, that the password is being re-hashed during kerberos key
generation.

How long will you need to keep these legacy systems? This sharing of the
password hashes is one of the (many) reasons people are migrating from NIS.

A fix may be to change the 389-ds password hashing scheme to crypt but
that may just let these NIS systems linger forever. So it's the typical
balance of usability vs security.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
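The point in the reply above is that slapi-nis can only hand a password hash to NIS clients when the userPassword attribute holds a crypt(3) string tagged {crypt}; once the value is rewritten in a 389-ds scheme such as salted SHA ({SSHA}) the passwd map shows "*" for that account. The following added example (not code from the thread, FreeIPA or 389-ds) shows how to tell the two cases apart when auditing a directory and a NIS map: it classifies userPassword values by their {scheme} prefix, reproduces the {SSHA} construction (base64 of sha1(password || salt) followed by the salt, which is how 389-ds stores it) so a value can be checked, and sorts the accounts in a constructed `ypcat passwd` sample into those still usable by legacy NIS clients and those already showing "*". The sample map, user names and hash strings are made up for the demonstration.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, List

# userPassword values follow RFC 2307 syntax: "{SCHEME}value" (scheme tag is
# case-insensitive); a value without a tag is stored as cleartext.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.DOTALL)


def password_scheme(value: str) -> str:
    """Return the upper-cased storage scheme tag of a userPassword value,
    or 'CLEARTEXT' when there is no {scheme} prefix."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"


def nis_exportable(value: str) -> bool:
    """Only a {crypt} value can be copied into the NIS passwd map, because NIS
    clients expect a crypt(3) string; {SSHA} and other 389-ds schemes are not
    usable by them and end up published as '*'."""
    return password_scheme(value) == "CRYPT"


def make_ssha(password: str, salt: bytes) -> str:
    """Build a 389-ds style {SSHA} value: base64( sha1(password || salt) || salt ).
    The salt is a parameter (rather than random) so results are reproducible;
    a real server draws it from a CSPRNG."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, value: str) -> bool:
    """Check a candidate password against a {SSHA} value in constant time."""
    if password_scheme(value) != "SSHA":
        return False
    raw = base64.b64decode(SCHEME_RE.match(value).group(2))
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed `ypcat passwd` output (names and hash strings are placeholders).
# Fields: name:password:uid:gid:gecos:home:shell
SAMPLE_YPCAT = """\
alice:$6$Xy3QkLm9$qlPmC1cXGpJi0sEo5QgN9wz8dEa5ZcPE1RWkYb7T6LHxSgwLRy5A4EcWr1jzm2K1oqHkb3M9tYxKCNEPO0gdE/:1001:1001:Alice Example:/home/alice:/bin/bash
bob:*:1002:1002:Bob Example:/home/bob:/bin/bash
carol:$1$k8hG2pQz$3sV0nQf7lT9wq1X6yB4zD1:1003:1003:Carol Example:/home/carol:/bin/sh
"""

# Placeholders NIS/passwd use when no usable hash is published.
NO_HASH = {"*", "x", "!", "!!", ""}


def audit_nis_passwd(ypcat_output: str) -> Dict[str, List[str]]:
    """Split the accounts in `ypcat passwd` output into those whose crypt hash
    is still published (legacy NIS clients can authenticate them) and those
    already showing a placeholder (migrated to Kerberos keys, or locked)."""
    result: Dict[str, List[str]] = {"still_nis": [], "migrated_or_locked": []}
    for line in ypcat_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw = fields[0], fields[1]
        bucket = "migrated_or_locked" if pw in NO_HASH else "still_nis"
        result[bucket].append(name)
    return result


if __name__ == "__main__":
    for value in ("{crypt}$6$Xy3QkLm9$abc", "{SSHA}" + "A" * 40, "{PBKDF2_SHA256}AAAI"):
        print(f"{password_scheme(value):14s} exportable to NIS: {nis_exportable(value)}")
    print(audit_nis_passwd(SAMPLE_YPCAT))
```

Run against a real map with `ypcat passwd | python3 audit.py` after swapping `SAMPLE_YPCAT` for `sys.stdin.read()`; the "migrated_or_locked" list is the set of users whose old NIS password stopped working, which is the population the question above is trying to explain. Changing the server's password storage scheme to crypt, as the reply suggests, would keep new hashes in the "still_nis" bucket at the cost of distributing crypt hashes to every NIS client indefinitely.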
