[Freeipa-users] Migration mode

Jitse Klomp jitseklomp at gmail.com
Mon Mar 10 12:55:57 UTC 2014


Hello all,


I'm migrating our OpenLDAP-based IdM-system to IPA. Instead of using
migrate-ds I used some custom scripts to import all of our users (~250)
and groups (~85) with IPA commands (ipa user-add etc.). To move
passwords I configured the ipa-server to run in migration mode and did
an ldapmodify like this:

     dn: uid=jitse,cn=users,cn=accounts,dc=domain,dc=nl
     changetype: modify
     replace: userPassword
     userPassword: {SHA}hash

Logging in to a machine running CentOS and ipa-client for the first time
works like a charm, a krbPrincipalKey is generated and Kerberos 'just'
works. However, logging in to Fedora 20 for the first time throws a 
'permission denied'. Logging in to Fedora works after logging in to 
CentOS or the IPA migration web ui.


sssd_domain.nl.log, loglevel 6
Fedora log: http://pastebin.centos.org/8281/
CentOS log: http://pastebin.centos.org/8286/


Additional details:
IPA server: CentOS 6.5, ipa-server-3.0.0-37.el6.x86_64
Client 1: CentOS 6.5, ipa-client-3.0.0-37.el6.x86_64
Client 2: Fedora 20, freeipa-client-3.3.3-4.fc20.x86_64

Both CentOS and Fedora are fully up-to-date using only the base repos. 
Config of the clients is done with ipa-client-install.


What am I doing wrong?

  - Jitse
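
An added example, not part of the original post: one way to generate and sanity-check the userPassword modify records described above before feeding them to ldapmodify. USER_BASE is taken from the DN in the post; limiting the accepted schemes to {SHA} and {SSHA}, the function names and the sample accounts are assumptions made for this sketch.

```python
import base64
import hashlib
import re

# Assumption: container DN copied from the example entry in the post.
USER_BASE = "cn=users,cn=accounts,dc=domain,dc=nl"
# Scheme -> (digest size in bytes, whether salt bytes follow the digest).
SCHEMES = {"SHA": (20, False), "SSHA": (20, True)}
HASH_RE = re.compile(r"\{([A-Z0-9]+)\}([A-Za-z0-9+/]+={0,2})")

def valid_hash(value):
    """True if value is {SCHEME}base64 with a plausible decoded length."""
    m = HASH_RE.fullmatch(value)
    if not m or m.group(1) not in SCHEMES:
        return False
    size, salted = SCHEMES[m.group(1)]
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except ValueError:  # binascii.Error (bad padding) is a ValueError
        return False
    return len(raw) > size if salted else len(raw) == size

def escape_rdn(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = re.sub(r'([\\"+,;<>])', r"\\\1", value)
    out = re.sub(r"^([# ])", r"\\\1", out)
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def modify_record(uid, hashed):
    """One LDIF modify record replacing userPassword with a pre-hashed value."""
    if not valid_hash(hashed):
        raise ValueError(f"unsupported or malformed hash for {uid!r}")
    dn = f"uid={escape_rdn(uid)},{USER_BASE}"
    if dn.isascii() and dn.isprintable():
        dn_line = f"dn: {dn}"
    else:  # LDIF requires base64 for non-ASCII or control characters
        dn_line = "dn:: " + base64.b64encode(dn.encode("utf-8")).decode()
    return "\n".join([dn_line, "changetype: modify", "replace: userPassword",
                      f"userPassword: {hashed}", ""])

# Constructed sample input, not real account data.
_sha = hashlib.sha1(b"example").digest()
SAMPLE = {"alice": "{SHA}" + base64.b64encode(_sha).decode(),
          "smith, j": "{SSHA}" + base64.b64encode(_sha + b"salt").decode()}

if __name__ == "__main__":
    print("\n".join(modify_record(u, h) for u, h in SAMPLE.items()))
```

Rejecting a malformed value here keeps a truncated or mis-copied hash from silently replacing a working password in the directory.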



