Re: [Freeipa-users] Is kerberos DB import to IPA possible?
On 09/13/2013 12:24 PM, Simo Sorce wrote:
> On Thu, 2013-09-12 at 11:23 -0400, sergey ivanov wrote:
>> Hi,
>> I am looking for deployment of freeIPA in our organization. We have
>> kerberos servers used for authentication on our computers and in
>> applications, while users are mostly defined in /etc/passwd.
>> For migration of user's password I have tried the way we usually do
>> replicating password changes from master kerberos server to slaves. I
>> did kdb5_util dump on old servers, transferred the dump to machine
>> running FreeIPA, and was not able to do kdb5_util load -update,
>> because of "Kerberos database constraints violated". Is there a way to
>> import into freeIPA kerberos servers dump of kerberos principals,
>> dumped by kdb5_util?
>>
> You could *try* to do it *after* you create all users in freeipa, but I
> think you'd break something. At the very least you would break plain
> text binds as you would not generate the userPassword hash, not sure
> what else, and I cannot guarantee it really works all the way.
>
> Simo.
>

So the answer is no, not the way you envisioned it.
You need to get users from KDC DB. Reformat into an LDIF or just script invocation of the ipa user-add command.
You would need to set temp passwords for users. Users would have to change their passwords on the first login.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
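A sketch of the scripted route described in the reply above, as an added example that is not part of the original thread: it takes a principal list from the old KDC, keeps only user principals that also have a POSIX account, and emits one shell-quoted `ipa user-add ... --random` command per user, so no Kerberos keys are carried over and IPA issues the temporary password. The realm `EXAMPLE.COM`, both sample inputs and the function names are constructed for illustration, and the principal list is assumed to come from `kadmin.local -q listprincs`.

```python
import shlex

REALM = "EXAMPLE.COM"  # constructed realm name
# Constructed sample of `kadmin.local -q listprincs` output from the old KDC
LISTPRINCS = """\
Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
host/web1.example.com@EXAMPLE.COM
alice@EXAMPLE.COM
bob@EXAMPLE.COM
carol/admin@EXAMPLE.COM
frank@EXAMPLE.COM
"""
# Constructed sample of /etc/passwd on the old hosts
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example,Room 1:/home/alice:/bin/bash
bob:x:1002:1002:Bob O'Neil:/home/bob:/bin/zsh
"""

def user_principals(listprincs, realm):
    """Yield bare logins: single-component principals in `realm` (no host/, krbtgt/, x/admin)."""
    for line in listprincs.splitlines():
        name, _, line_realm = line.strip().rpartition("@")
        if line_realm == realm and name and "/" not in name:
            yield name

def ipa_commands(listprincs, passwd_text, realm, min_uid=1000):
    """Return (commands, skipped): one shell-quoted `ipa user-add` per migratable user."""
    rows = (l.split(":") for l in passwd_text.splitlines())
    accounts = {f[0]: f for f in rows if len(f) == 7}
    commands, skipped = [], []
    for login in user_principals(listprincs, realm):
        entry = accounts.get(login)
        if entry is None or int(entry[2]) < min_uid:  # no POSIX account, or a system account
            skipped.append(login)
            continue
        _, _, uid, gid, gecos, home, shell = entry
        first, _, last = (gecos.split(",")[0].strip() or login).partition(" ")
        argv = ["ipa", "user-add", login, "--first", first, "--last", last or first,
                "--uid", uid, "--gidnumber", gid, "--homedir", home, "--shell", shell,
                "--random"]  # --random: IPA generates the temporary password
        # Quote every argument so GECOS content cannot alter the generated script
        commands.append(" ".join(shlex.quote(a) for a in argv))
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = ipa_commands(LISTPRINCS, PASSWD, REALM)
    print("\n".join(cmds))
    print("# skipped (review by hand):", ", ".join(skipped))
```

Review the generated commands before running them on the IPA server; principals listed as skipped have no matching account data and need a manual decision.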
Re: [Freeipa-users] Is kerberos DB import to IPA possible?
On Thu, 2013-09-12 at 11:23 -0400, sergey ivanov wrote:
> Hi,
> I am looking for deployment of freeIPA in our organization. We have
> kerberos servers used for authentication on our computers and in
> applications, while users are mostly defined in /etc/passwd.
> For migration of user's password I have tried the way we usually do
> replicating password changes from master kerberos server to slaves. I
> did kdb5_util dump on old servers, transferred the dump to machine
> running FreeIPA, and was not able to do kdb5_util load -update,
> because of "Kerberos database constraints violated". Is there a way to
> import into freeIPA kerberos servers dump of kerberos principals,
> dumped by kdb5_util?
>

You could *try* to do it *after* you create all users in freeipa, but I
think you'd break something. At the very least you would break plain
text binds as you would not generate the userPassword hash, not sure
what else, and I cannot guarantee it really works all the way.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-users] Is kerberos DB import to IPA possible?
Hi,
I am looking for deployment of freeIPA in our organization. We have
kerberos servers used for authentication on our computers and in
applications, while users are mostly defined in /etc/passwd.
For migration of user's password I have tried the way we usually do
replicating password changes from master kerberos server to slaves. I
did kdb5_util dump on old servers, transferred the dump to machine
running FreeIPA, and was not able to do kdb5_util load -update,
because of "Kerberos database constraints violated". Is there a way to
import into freeIPA kerberos servers dump of kerberos principals,
dumped by kdb5_util?

--
Regards,
Sergey Ivanov | serge...@gmail.com
http://www.linkedin.com/pub/sergey-ivanov/8/270/a09