On Tue, Sep 06, 2011 at 01:48:00PM -0400, Stephen Gallagher wrote:
> On Thu, 2011-08-18 at 18:02 +0200, Jakub Hrozek wrote:
> > On Thu, Aug 18, 2011 at 05:38:11PM +0200, Sumit Bose wrote:
> > > On Thu, Aug 18, 2011 at 04:48:32PM +0200, Jan Zelený wrote:
> > > > The patches look fine, but I didn't manage to set up environment to
> > > > test the new behavior. Nothing seems to be broken though
> > >
> > > If you have a running IPA server you can remove the krbPrincipalKey
> > > attribute from a user but keep userPassword. This should trigger sssd to
> > > run the migration code if you try to log in as this user.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> >
> > If that doesn't work for you, feel free to ping me off list and use my
> > test environment.
>
> I was trying to test this, but instead of quietly creating the kerberos
> password, it's prompting me to change the password. I wonder if this is
> related to LDAP password policy? I cannot ack this until we figure out
> why this is happening.

Interesting, I haven't hit this issue.

I have tested the migration with IPA server nightlies; today it's freeipa-server-2.99.0GITf323d81-0.

My testing involved creating a bunch of users in 389-ds, migrating them to IPA with the migrate-ds script and then logging in with the LDAP password. The login went OK and "klist" shows a ticket was granted; also "ipa user-show --all --raw" tells the Kerberos attributes were generated, including krblastsuccessfulauth.

I suggest we discuss the patches on #sssd.