I figured it out. The problem was the user's UID being too low. In the client's /var/log/secure log, I found this:
sshd[25010]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "user1" The user that was failing to authenticate via password had a UID lower than 1000. When I allowed IPA to set a random UID, the login with migrated password worked (although it didn't prompt to reset password for this user and I'm still figuring out NFSv4 access for users). The NIS domain I am migrating from is several years old, from the era when it was normal to have users start in the 500s. So, I need to migrate UIDs simultaneously. On Thu, Jun 30, 2016 at 8:16 AM, Rob Crittenden <rcrit...@redhat.com> wrote: > Joanna Delaporte wrote: > >> I am migrating an NIS domain to IPA. I have attempted to follow the >> instructions >> <http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords> >> for >> NIS account crypted password migration, but I haven't yet successfully >> used password authentication to log in to remote machines. >> >> The instructions expect I would migrate DES-encrypted passwords, but I >> have a mixture of md5 and sha512-encrypted passwords. Do I need to >> follow a different process, or am I chasing the wrong problem? >> >> This is my first IPA realm. >> > > If you have crypt-compatible passwords ($6$<huge string>) then just pass > it in as {crypt}$6$... and it should work fine. > > You can ONLY set a pre-hashed password in migration mode AND when adding > the user. You can't add the user then set a hashed password. > > rob > > -- Joanna Delaporte Linux Systems Administrator | Parkland College joannadelapo...@gmail.com
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project