I tried enabling crypt for experimentation, and things seem to work well
for both NIS and SSSD clients. I noticed that the crypt format that the NIS
plugin in IPA provides is the traditional crypt format with a 2 character
salt and 13 character hash. NIS clients can understand newer crypt
encodings which allow MD5, SHA256 and SHA512 (
https://docs.python.org/3/library/crypt.html) . Is it possible to force one
of those as the storage scheme in the directory server ?

On Tue, Mar 31, 2015 at 12:04 PM, Prasun Gera <prasun.g...@gmail.com> wrote:

> I've figured it out. You are right. SSSD triggers key generation. For
> migrated clients though, since ypbind still runs and the NIS-plugin serves
> maps, they authenticate first using NIS before SSSD. If ypbind is stopped,
> it is forced to use SSSD, and then it triggers the migration. Thanks for
> persisting with this. It's pretty clear how it works now.
>
> On Tue, Mar 31, 2015 at 11:32 AM, Prasun Gera <prasun.g...@gmail.com>
> wrote:
>
>>
>>
>>> ? SSSD does not seem to be involved as user is found in the /etc/passwd
>>> and this SSSD should not do anything.
>>>
>>> It's not  a local user. There's no entry in /etc/passwd. Here's the
>> relevant sssd log
>>
>>
>> sssd_ssh
>>
>> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [sss_parse_name_for_domains]
>> (0x0200): name 'testuser2' matched without domain, user is testuser2
>> (Tue Mar 31 03:50:41 2015) [sssd[ssh]] [client_recv] (0x0200): Client
>> disconnected!
>> (Tue Mar 31 03:53:17 2015) [sssd[ssh]] [sss_cmd_get_version] (0x0200):
>> Received client version [0].
>>
>> sssd_pam
>>
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): domain:
>> ipadomain
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): user:
>> testuser2
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100):
>> service: sshd
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): ruser:
>> not set
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): rhost:
>> host_ip
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): authtok
>> type: 0
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100):
>> newauthtok type: 0
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100):
>> cli_pid: 23983
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_print_data] (0x0100): logon
>> name: testuser2
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dom_forwarder] (0x0100):
>> pam_dp_send_req returned 0
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_dp_process_reply] (0x0100):
>> received: [0][ipadomain]
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): pam_reply
>> called with result [0].
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [pam_reply] (0x0200): blen: 27
>> (Tue Mar 31 03:53:54 2015) [sssd[pam]] [client_recv] (0x0200): Client
>> disconnected!
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to