[Freeipa-users] Generating SIDs for old user accounts on FreeIPA 3.0

Nicklas Björk nicklas.bjork at skalarit.se
Mon Nov 11 13:25:45 UTC 2013


Hi list,

We are running FreeIPA 3.0 with an installation that has been with us
since the 2.x-era. We had a situation where we needed the NT password
hash, which wasn't generated in earlier versions of FreeIPA, and would
not be available for old user accounts even on this newer version. New
user accounts would get them set upon creation.

On #freeipa at FreeNode, ab was kind enough to guide me through the
process of starting an ldap-task to add the needed attributes to the old
accounts. I thought I'd share this in case anyone else would ask the
same question. The procedure is also described on slide 11 in this
presentation: http://www.freeipa.org/images/4/49/Freeipa30_Trust_Basics.odp

1) Make sure you have /usr/lib{,64}/dirsrv/plugins/libipa_sidgen.so and
/usr/lib{,64}/dirsrv/plugins/libipa_sidgen_task.so on your system.

2) Copy /usr/share/ipa/ipa-sidgen-task-run.ldif, edit nsslapd-basedn to
match your base dn. (grep basedn /etc/ipa/default.conf | cut -d= -f2-)

3) ldapadd the ldif to cn=config, to start the task.

I am not sure under which circumstances the NT hash is automagically
updated, but setting a new user password did update all password
fields.



Best regards,
Nicklas Björk




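The three steps above, as an added shell example that is not part of the original post or of FreeIPA itself. It assumes the shipped template contains a `nsslapd-basedn:` line to rewrite, and the `DIRSRV_PLUGIN_DIRS`, `IPA_DEFAULT_CONF`, `SIDGEN_TEMPLATE` and `SIDGEN_PREPARE` variables are knobs of this script only, not FreeIPA settings.

```sh
#!/bin/sh
# Added example (not from the original post): scripts steps 1-3 above.
# Assumptions: the template carries a "nsslapd-basedn:" line to rewrite, and
# DIRSRV_PLUGIN_DIRS / IPA_DEFAULT_CONF / SIDGEN_TEMPLATE may be overridden
# (they are knobs of this script only, not FreeIPA settings).

# Step 1: locate the directory that holds both sidgen plugins (lib or lib64).
sidgen_plugins_present() {
    for d in ${DIRSRV_PLUGIN_DIRS:-/usr/lib/dirsrv/plugins /usr/lib64/dirsrv/plugins}; do
        if [ -f "$d/libipa_sidgen.so" ] && [ -f "$d/libipa_sidgen_task.so" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Step 2a: read the base DN from default.conf (the grep|cut one-liner, with
# the blank after '=' trimmed so the value can be pasted into an LDIF).
ipa_basedn() {
    grep '^basedn' "${1:-${IPA_DEFAULT_CONF:-/etc/ipa/default.conf}}" \
        | cut -d= -f2- | sed 's/^[[:space:]]*//'
}

# Step 2b: write a copy of the task LDIF with nsslapd-basedn set to the suffix.
# $1 = template LDIF, $2 = output file, $3 = base DN
render_sidgen_ldif() {
    sed "s|^nsslapd-basedn:.*|nsslapd-basedn: $3|" "$1" > "$2"
}

# Step 3 is left to the operator: the task entry is added under cn=config as
# Directory Manager, so this only prints the command to run.
ldapadd_hint() {
    echo "ldapadd -x -D 'cn=Directory Manager' -W -f $1"
}

# Whole procedure: checks plugins, writes ./ipa-sidgen-task-run.ldif, prints hint.
sidgen_prepare() {
    dir=$(sidgen_plugins_present) || { echo "sidgen plugins missing" >&2; return 1; }
    echo "plugins found in $dir"
    render_sidgen_ldif "${SIDGEN_TEMPLATE:-/usr/share/ipa/ipa-sidgen-task-run.ldif}" \
        ./ipa-sidgen-task-run.ldif "$(ipa_basedn)"
    ldapadd_hint ./ipa-sidgen-task-run.ldif
}

if [ -n "${SIDGEN_PREPARE:-}" ]; then sidgen_prepare; fi
```

Run it with `SIDGEN_PREPARE=1 sh sidgen-prepare.sh` on the IPA server, inspect the generated LDIF, then run the printed ldapadd command.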