I tried enabling crypt for experimentation, and things seem to work well for both NIS and SSSD clients. I noticed that the crypt format that the NIS plugin in IPA provides is the traditional crypt format with a 2-character salt and 13-character hash. NIS clients can understand newer crypt encodings which allow MD5, SHA256 and SHA512 (https://docs.python.org/3/library/crypt.html). Is it possible to force one of those as the storage scheme in the directory server?

On Tue, Mar 31, 2015 at 12:04 PM, Prasun Gera <[email protected]> wrote:
> I've figured it out. You are right. SSSD triggers key generation. For
> migrated clients though, since ypbind still runs and the NIS-plugin serves
> maps, they authenticate first using NIS before SSSD. If ypbind is stopped,
> it is forced to use SSSD, and then it triggers the migration. Thanks for
> persisting with this. It's pretty clear how it works now.
>
> On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera <[email protected]>
> wrote:
>
>>
>>
>>> ? SSSD does not seem to be involved as user is found in the /etc/passwd
>>> and this SSSD should not do anything.
>>>
>>> It's not a local user. There's no entry in /etc/passwd. Here's the
>> relevant sssd log
>>
>>
>> sssd_ssh
>>
>> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [sss_parse_name_for_domains]
>> (0x0200): name 'testuser2' matched without domain, user is testuser2
>> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [client_recv] (0x0200): Client
>> disconnected!
>> (Tue Mar 31 03:53:17 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
>> Received client version [0].
>>
>> sssd_pam
>>
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
>> ipadomain
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): user:
>> testuser2
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100):
>> service: sshd
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
>> not set
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
>> host_ip
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
>> type: 0
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100):
>> newauthtok type: 0
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100):
>> cli_pid: 23983
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
>> name: testuser2
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
>> pam_dp_send_req returned 0
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100):
>> received: [0][ipadomain]
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
>> called with result [0].
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 27
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [client_recv] (0x0200): Client
>> disconnected!
>>
>
>
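
Added example, not part of the original thread and not FreeIPA code: one way to check which crypt encoding a NIS passwd map actually serves is to classify each password field by its format, separating the traditional 13-character form from the `$1$` (MD5), `$5$` (SHA256) and `$6$` (SHA512) encodings mentioned in the message above. The function names and the sample map entries are constructed for illustration.

```python
import re

B64 = r"[./0-9A-Za-z]"  # crypt(3) hash alphabet
ROUNDS = r"(?:rounds=(?P<rounds>\d+)\$)?"  # optional rounds field of $5$ / $6$
SCHEMES = [
    # Traditional crypt: 2-character salt, then 11 hash characters (13 total).
    ("des-traditional", re.compile(rf"(?P<salt>{B64}{{2}}){B64}{{11}}")),
    ("md5", re.compile(rf"\$1\$(?P<salt>[^$]{{0,8}})\${B64}{{22}}")),
    ("sha256", re.compile(rf"\$5\${ROUNDS}(?P<salt>[^$]{{0,16}})\${B64}{{43}}")),
    ("sha512", re.compile(rf"\$6\${ROUNDS}(?P<salt>[^$]{{0,16}})\${B64}{{86}}")),
]

def classify(field):
    """Return (scheme, salt, rounds) for one passwd-map password field."""
    if field in ("", "*", "x", "!", "!!"):
        return ("locked-or-shadowed", None, None)
    for name, pattern in SCHEMES:
        m = pattern.fullmatch(field)
        if m:
            rounds = m.groupdict().get("rounds")
            return (name, m.group("salt"), int(rounds) if rounds else None)
    return ("unknown", None, None)

def traditional_users(passwd_map):
    """List users whose password field is still in the 13-character format."""
    users = []
    for line in passwd_map.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and classify(fields[1])[0] == "des-traditional":
            users.append(fields[0])
    return users

# Constructed sample map: placeholder hash bodies of the right length,
# not real password hashes.
SAMPLE_MAP = "\n".join([
    "testuser1:ab" + "A" * 11 + ":1001:1001::/home/testuser1:/bin/bash",
    "testuser2:$6$rounds=5000$saltsalt$" + "B" * 86 + ":1002:1002::/home/testuser2:/bin/bash",
    "testuser3:$1$saltsalt$" + "C" * 22 + ":1003:1003::/home/testuser3:/bin/bash",
    "testuser4:*:1004:1004::/home/testuser4:/bin/bash",
])

if __name__ == "__main__":
    for entry in SAMPLE_MAP.splitlines():
        user, field = entry.split(":")[:2]
        print(user, classify(field))
    print("traditional format:", traditional_users(SAMPLE_MAP))
```

The same functions can be run over the text of a passwd map as a NIS client sees it, for example the output of `ypcat passwd`.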
