[Freeipa-users] Problem migrating passwords from NIS to IdM

Rob Crittenden rcritten at redhat.com
Tue Nov 18 22:58:07 UTC 2014


Roderick Johnstone wrote:
> On 18/11/2014 22:19, Dmitri Pal wrote:
>> On 11/18/2014 12:57 PM, Roderick Johnstone wrote:
>>> Hi
>>>
>>> I'm trying to migrate some nis accounts to RHEL 6 IdM while still
>>> keeping the original passwords.
>>>
>>> I followed the instructions at:
>>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>
>>> The passwords are in SHA-512 format and I have been testing the
>>> migration with commands like this (generated via a script from my nis
>>> passwd file) on my IdM server:
>>>
>>> $ ipa user-add xxx --first=NIS --last=USER --gidnumber=xxxx --uid=xxxx
>>> '--gecos=test account' --homedir=/home/xxxx --shell=/bin/bash
>>> --setattr userpassword='{SHA-512}xxxxxxx'
>>>
>>> where the xxxxxxx is the hashed password from the NIS password file
>>> with the leading $6$ stripped off.
>>>
>>> Then I remove nis from the passwd: line in /etc/nsswitch.conf so I'm
>>> left with:
>>> passwd:     files   sss
>>>
>>> and the account that I migrated cannot log in.
>>>
>>> From the sssd log file (below) it looks like its trying to migrate the
>>> password but failing with an LDAP authentication failure.
>>>
>>> I'd appreciate any pointers to how to find out whats going wrong here.
>>>
>>> Accounts which I created manually in the web gui are working ok.
>>>
>>> Thanks
>>>
>>> Roderick Johnstone
>>>
>>> Part of sssd log file
>>> =====================
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [set_server_common_status] (0x0100): Marking server 'xxx.xxx.xxx.xxx'
>>> as 'working'
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [fo_set_port_status] (0x0400): Marking port 0 of duplicate server
>>> 'xxx.xxx.xxx.xxx' as 'working'
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [ipa_migration_flag_connect_done] (0x0400): Assuming Kerberos password
>>> is missing, starting password migration.
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_send]
>>> (0x0100): Executing simple bind as:
>>> uid=xxx,cn=users,cn=accounts,dc=xxx,dc=xxx,dc=xxx,dc=xxx
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_done]
>>> (0x0400): Bind result: Invalid credentials(49), no errmsg set
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password
>>> migration not possible.
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [be_pam_handler_callback] (0x0100): Backend returned: (0, 8, <NULL>)
>>> [Success]
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [be_pam_handler_callback] (0x0100): Sending result [8][xxx.xxx.xxx]
>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>> [be_pam_handler_callback] (0x0100): Sent result [8][xxx.xxx.xxx]
>>>
>>
>> Did you enable migration mode on the IPA server?
>>
> 
> Yes, I ran:
> ipa config-mod --enable-migration=true
> on the IPA server.
> 
> Roderick
> 

The hash name probably needs to match something in cn=Password Storage
Schemes,cn=plugins,cn=config.

I'd try either {SHA512} or {SSHA512} and see if one of those works better.

rob
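Added example, not code from the thread or from the FreeIPA project. It illustrates the point Rob raises: the tag in front of the userPassword value must name a storage scheme the directory knows, and the bytes after the tag must be in that scheme's format. A crypt(3) field from a NIS passwd file (`$6$<salt>$<hash>`) is a crypt string, so the whole thing, `$6$` included, belongs behind a `{CRYPT}` tag; `{SHA512}`/`{SSHA512}` expect base64 of a raw SHA-512 digest (plus salt), which is a different layout. The script below classifies a passwd hash field, wraps it for the CRYPT scheme, builds the same `ipa user-add` argv used in the thread, and computes the `{SHA512}`/`{SSHA512}` form only for contrast. It assumes 389-ds's CRYPT scheme is enabled (a default scheme, though the thread does not mention it); the passwd line is constructed.

```python
import base64
import hashlib
import os
import shlex

# Constructed sample NIS passwd line; the hash is a fake crypt(3) SHA-512 value
# in the "$6$<salt>$<86 chars>" shape, not a real account from the thread.
SAMPLE_NIS_LINE = (
    "nisuser:$6$Zx1abc9Q$" + "A" * 86
    + ":5001:5001:NIS test account:/home/nisuser:/bin/bash"
)

# crypt(3) identifiers as they appear at the start of a passwd/shadow hash field.
CRYPT_IDS = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}


def classify_hash(field):
    """Name the crypt(3) variant of a passwd hash field, or None if it is not crypt."""
    for ident, name in CRYPT_IDS.items():
        if field.startswith(ident):
            return name
    return None


def nis_hash_to_userpassword(field):
    """Tag a crypt(3) hash for the directory's CRYPT storage scheme, keeping $6$ and salt.

    Assumption: the CRYPT scheme is enabled on the 389-ds behind IPA.  Stripping
    '$6$' and tagging the remainder {SHA-512} presents a crypt string as if it
    were an LDAP SHA512 hash, which the server would verify differently.
    """
    if classify_hash(field) is None:
        raise ValueError("not a crypt(3) hash: %r" % (field,))
    return "{CRYPT}" + field


def ldap_sha512(password, salt=None):
    """Build a {SHA512} or {SSHA512} value: base64(digest [+ salt]) of raw bytes.

    Shown only to contrast with the crypt format: this is the layout the server
    expects behind a {SHA512}/{SSHA512} tag.
    """
    data = password.encode()
    if salt is None:
        return "{SHA512}" + base64.b64encode(hashlib.sha512(data).digest()).decode()
    digest = hashlib.sha512(data + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode()


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields")
    keys = ("login", "hash", "uid", "gid", "gecos", "home", "shell")
    return dict(zip(keys, fields))


def build_ipa_user_add(entry):
    """Return the argv for an 'ipa user-add' call shaped like the one in the thread."""
    return [
        "ipa", "user-add", entry["login"],
        "--first=NIS", "--last=USER",
        "--uid=" + entry["uid"], "--gidnumber=" + entry["gid"],
        "--gecos=" + entry["gecos"], "--homedir=" + entry["home"],
        "--shell=" + entry["shell"],
        "--setattr", "userPassword=" + nis_hash_to_userpassword(entry["hash"]),
    ]


if __name__ == "__main__":
    entry = parse_passwd_line(SAMPLE_NIS_LINE)
    print(classify_hash(entry["hash"]))
    print(" ".join(shlex.quote(a) for a in build_ipa_user_add(entry)))
    print(ldap_sha512("example"))
    print(ldap_sha512("example", os.urandom(8)))
```

A quick way to check the outcome after import is to search the entry with the Directory Manager credentials and confirm userPassword starts with the intended `{...}` tag; if the tag names a scheme listed under cn=Password Storage Schemes,cn=plugins,cn=config but the payload is in another format, a simple bind with the user's cleartext password still fails, which is what the migration step in the quoted sssd log reports.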