<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/26/2015 02:29 PM, Prasun Gera
wrote:<br>
</div>
<blockquote
cite="mid:CAFLz+Bm-1P0b58-6gjReR9iS74BNR9-FbYn_ANi7bJ2KXiUUng@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div>I followed <a moz-do-not-send="true"
href="https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords">https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords</a>
in order to migrate our NIS installation, and for the most
part it worked. The server responds to ypcat from the NIS
clients, and users can log in. However, I'm seeing a couple of
weird issues. Normally, ypcat returns
"username:cryptpass:uid:gid:gecos:homedir:shell" for users
and authentication works fine. For new users that were added
directly to IPA, instead of the cryptpass, I see an
asterisk (*), which is also understandable. However, for a
couple of migrated users, I'm seeing that their cryptpasses
have also been replaced with *s (in ypcat's output) over the
course of time. This creates problems for authentication on
clients that haven't been migrated, and they can't log in with
their passwords. These users didn't explicitly call kinit or
go to the webui for migration. Is it normal for the crypt
passes to be replaced by *? I migrated a couple of clients,
and these users would have sshed to the migrated clients or
possibly to the server. That didn't seem to affect ypcat's
behaviour directly, and yet that is the only thing I can think
of that has any connection to this. </div>
<div><br>
</div>
<div>Regards,</div>
<div>Prasun </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
Based on what you describe I assume that you:<br>
- Migrated users to IPA<br>
- Enabled slapi-nis plugin<br>
- Use old clients with slapi-nis as a NIS server and expect to be
able to authenticate with new and old users against IPA NIS map.<br>
<br>
Right?<br>
<br>
So the authentication does not work, and this is by design, since
passwords in files are insecure and distributing them centrally as
NIS did is a security problem.<br>
The suggestion is to change the authentication method on old clients
to LDAP or Kerberos first, whatever they support (they usually do
even if they are quite old), and leave NIS for identity information
only since some old clients do not support LDAP for that part and
only support NIS.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
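<br>
An added audit script that follows the advice above (example code written for this page, not from the thread, from FreeIPA or from slapi-nis). It checks whether an old client still authenticates migrated users with pam_unix against NIS-distributed password hashes, the setup that breaks once IPA exposes "*" in the passwd map, and whether NIS is confined to identity lookups. The file paths (/etc/nsswitch.conf, /etc/pam.d/system-auth) and the module names pam_krb5, pam_ldap and pam_sss are assumptions about the client; the two sample configurations are constructed here so the script runs offline.<br>

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeIPA.
# Audits an old NIS client: does its PAM auth stack still rely on pam_unix
# alone (which checks the hash from the NIS passwd map), and does nsswitch
# hand the shadow map to NIS as well? Paths and module names are assumptions.

# Returns 0 when the PAM "auth" stack contains a network authenticator
# (pam_krb5, pam_ldap or pam_sss), 1 when it is pam_unix only.
pam_auth_uses_network() {
    # $1 = PAM config file (e.g. /etc/pam.d/system-auth, assumed)
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $0 ~ /pam_(krb5|ldap|sss)\.so/ { net = 1 }
        END { exit (net ? 0 : 1) }
    ' "$1"
}

# Returns 0 when NIS serves identity only (passwd/group) and the shadow
# map is not fetched from NIS, 1 when "shadow:" still lists nis.
nsswitch_nis_identity_only() {
    # $1 = nsswitch.conf path (assumed /etc/nsswitch.conf on a real client)
    awk '
        /^[ \t]*#/ { next }
        $1 == "shadow:" && $0 ~ /[ \t]nis([ \t]|$)/ { bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Prints "ok" when authentication goes over Kerberos/LDAP and NIS is used
# for identity only; "nis-auth" otherwise.
audit_client() {
    # $1 = nsswitch.conf path, $2 = PAM auth file path
    if pam_auth_uses_network "$2" && nsswitch_nis_identity_only "$1"; then
        echo ok
    else
        echo nis-auth
    fi
}

# Constructed sample configurations (not taken from any real host).
TMPD="${TMPDIR:-/tmp}/nis_audit.$$"
mkdir -p "$TMPD"
OLD_NSS="$TMPD/nsswitch.old"; NEW_NSS="$TMPD/nsswitch.new"
OLD_PAM="$TMPD/pam.old";      NEW_PAM="$TMPD/pam.new"

# Un-migrated client: NIS for everything, pam_unix is the only authenticator,
# so it needs the crypt hash in the passwd map and fails once that is "*".
cat > "$OLD_NSS" <<'EOF'
passwd:  files nis
shadow:  files nis
group:   files nis
EOF
cat > "$OLD_PAM" <<'EOF'
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_deny.so
EOF

# Adjusted client: NIS still answers passwd/group lookups, but passwords are
# checked by pam_krb5 (assumes /etc/krb5.conf points at the IPA realm);
# pam_unix stays below it only for local /etc/passwd accounts.
cat > "$NEW_NSS" <<'EOF'
passwd:  files nis
shadow:  files
group:   files nis
EOF
cat > "$NEW_PAM" <<'EOF'
auth     required   pam_env.so
auth     sufficient pam_krb5.so use_first_pass
auth     sufficient pam_unix.so nullok try_first_pass
auth     required   pam_deny.so
EOF

echo "old client: $(audit_client "$OLD_NSS" "$OLD_PAM")"
echo "new client: $(audit_client "$NEW_NSS" "$NEW_PAM")"
```

The ordering in the adjusted PAM stack matters: pam_krb5 must come before pam_unix so that migrated users are checked against the KDC and never reach pam_unix, which would otherwise look at the "*" hash from the NIS map and fail. Taking nis off the shadow line is not by itself a fix, since pam_unix falls back to the hash field of the passwd entry when no shadow entry exists; it only keeps a second copy of the hashes from travelling over NIS.<br>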
</body>
</html>