[Freeipa-users] Problem migrating passwords from NIS to IdM

Roderick Johnstone rmj at ast.cam.ac.uk
Wed Nov 19 08:07:02 UTC 2014


On 18/11/2014 22:56, Jakub Hrozek wrote:
>
>> On 18 Nov 2014, at 23:23, Roderick Johnstone <rmj at ast.cam.ac.uk> wrote:
>>
>> On 18/11/2014 22:19, Dmitri Pal wrote:
>>> On 11/18/2014 12:57 PM, Roderick Johnstone wrote:
>>>> Hi
>>>>
>>>> I'm trying to migrate some nis accounts to RHEL 6 IdM while still
>>>> keeping the original passwords.
>>>>
>>>> I followed the instructions at:
>>>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>>
>>>> The passwords are in SHA-512 format and I have been testing the
>>>> migration with commands like this (generated via a script from my nis
>>>> passwd file) on my IdM server:
>>>>
>>>> $ ipa user-add xxx --first=NIS --last=USER --gidnumber=xxxx --uid=xxxx
>>>> '--gecos=test account' --homedir=/home/xxxx --shell=/bin/bash
>>>> --setattr userpassword='{SHA-512}xxxxxxx'
>>>>
>>>> where the xxxxxxx is the hashed password from the NIS password file
>>>> with the leading $6$ stripped off.
>>>>
>>>> Then I remove nis from the passwd: line in /etc/nsswitch.conf so I'm
>>>> left with:
>>>> passwd:     files   sss
>>>>
>>>> and the account that I migrated cannot log in.
>>>>
>>>> From the sssd log file (below) it looks like it's trying to migrate the
>>>> password but failing with an LDAP authentication failure.
>>>>
>>>> I'd appreciate any pointers to how to find out what's going wrong here.
>>>>
>>>> Accounts which I created manually in the web gui are working ok.
>>>>
>>>> Thanks
>>>>
>>>> Roderick Johnstone
>>>>
>>>> Part of sssd log file
>>>> =====================
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>>> [set_server_common_status] (0x0100): Marking server 'xxx.xxx.xxx.xxx'
>>>> as 'working'
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>>> [fo_set_port_status] (0x0400): Marking port 0 of duplicate server
>>>> 'xxx.xxx.xxx.xxx' as 'working'
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>>> [ipa_migration_flag_connect_done] (0x0400): Assuming Kerberos password
>>>> is missing, starting password migration.
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_send]
>>>> (0x0100): Executing simple bind as:
>>>> uid=xxx,cn=users,cn=accounts,dc=xxx,dc=xxx,dc=xxx,dc=xxx
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]] [simple_bind_done]
>>>> (0x0400): Bind result: Invalid credentials(49), no errmsg set
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>>> [ipa_auth_ldap_done] (0x0080): LDAP authentication failed, Password
>>>> migration not possible.
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>>> [be_pam_handler_callback] (0x0100): Backend returned: (0, 8, <NULL>)
>>>> [Success]
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>>> [be_pam_handler_callback] (0x0100): Sending result [8][xxx.xxx.xxx]
>>>> (Tue Nov 18 10:47:22 2014) [sssd[be[xxx.xxx.xxx]]]
>>>> [be_pam_handler_callback] (0x0100): Sent result [8][xxx.xxx.xxx]
>>>>
>>>
>>> Did you enable migration mode on the IPA server?
>>>
>>
>> Yes, I ran:
>> ipa config-mod --enable-migration=true
>> on the IPA server.
>>
>> Roderick
>
> Sorry, I missed this thread involved SSSD logs.
>
> Normally, error 49 (Invalid credentials) means really a wrong password. Are you sure the password was not mistyped (different keyboard layout or caps lock perhaps) ?
>

Definitely not mistyped. I have tried lots of times.

Also tried typing the password in as username to check that each
character echoes as expected, so pretty sure it's not a key layout issue.

> Did you try the web UI migration?

Not yet. I'll see if I can find some docs on how to do that.

>
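Added example for the migration step discussed in this thread; it is not code from the thread, from the FreeIPA project or from the wiki page linked above. It parses a NIS passwd line, verifies the crypt(3) SHA-512 hash offline against a password you know, keeps the crypt string whole (including its $6$salt$ part) under the {CRYPT} scheme, and prints the matching ipa user-add command. The $6$ algorithm is reimplemented from the SHA-crypt specification with hashlib so the check runs without the crypt module. Assumptions: the directory behind IdM (389 Directory Server) hands {CRYPT} values to a libc crypt() that understands $6$, as glibc on RHEL 6 does; the sample passwd line, login name, numeric ids and the test password "Hello world!" (the specification's own test vector) are constructed.

```python
# Added example, not code from the thread or from FreeIPA. Checks NIS crypt(3)
# SHA-512 hashes before migration, keeps them whole under the {CRYPT} scheme,
# and builds the ipa user-add command. The $6$ scheme is reimplemented from the
# SHA-crypt specification with hashlib only, so it runs offline.
import hashlib
import hmac
import re
import shlex

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Order in which the 64 digest bytes are packed into 24-bit groups (from the spec).
ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
         (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
         (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
         (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
         (62, 20, 41)]
# $6$[rounds=N$]salt$hash: the salt is at most 16 chars, the hash is 86 chars.
CRYPT_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{86})$")


def _encode(digest):
    """crypt-style base64: 21 three-byte groups, then the last byte on its own."""
    groups = [(digest[i], digest[j], digest[k], 4) for i, j, k in ORDER]
    groups.append((0, 0, digest[63], 2))
    out = []
    for b2, b1, b0, n in groups:
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(n):
            out.append(B64[w & 0x3F])
            w >>= 6
    return "".join(out)


def sha512_crypt(password, salt, rounds=None):
    """Return the $6$ crypt string; rounds=None means the default of 5000."""
    pw, sl = password.encode(), salt.encode()[:16]
    custom = rounds is not None
    rounds = 5000 if rounds is None else max(1000, min(rounds, 999999999))
    n = len(pw)
    b = hashlib.sha512(pw + sl + pw).digest()                # digest B
    a = hashlib.sha512(pw + sl)                                # digest A
    a.update(b * (n // 64) + b[:n % 64])
    i = n
    while i:                           # bits of the password length, low bit first
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * n).digest()                       # DP, expanded to P
    p = dp * (n // 64) + dp[:n % 64]
    s = hashlib.sha512(sl * (16 + a[0])).digest()[:len(sl)]   # DS, cut to S
    c = a
    for r in range(rounds):                                    # stretching loop
        h = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    prefix = "$6$" + (f"rounds={rounds}$" if custom else "")
    return prefix + sl.decode() + "$" + _encode(c)


def verify(password, stored):
    """True when password matches a complete $6$ crypt string."""
    m = CRYPT_RE.match(stored)
    if not m:                 # a bare hash without its $6$salt$ part can never match
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    return hmac.compare_digest(sha512_crypt(password, m.group(2), rounds), stored)


def parse_passwd_line(line):
    """Split one passwd(5) line into its seven named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) line")
    return dict(zip(("login", "hash", "uid", "gid", "gecos", "home", "shell"), fields))


def userpassword_value(entry):
    """userPassword for IdM: the whole crypt string under the {CRYPT} scheme.

    389 Directory Server hands a {CRYPT} value to libc crypt(), so the
    $6$salt$ part must stay; a stripped hash is rejected here instead.
    """
    if not CRYPT_RE.match(entry["hash"]):
        raise ValueError(f"{entry['login']}: password field is not a $6$ crypt string")
    return "{CRYPT}" + entry["hash"]


def ipa_user_add_command(line):
    """Shell command creating the user with its NIS hash (for IPA migration mode)."""
    e = parse_passwd_line(line)
    first, _, last = e["gecos"].partition(" ")
    argv = ["ipa", "user-add", e["login"], f"--first={first or e['login']}",
            f"--last={last or e['login']}", f"--uid={e['uid']}",
            f"--gidnumber={e['gid']}", f"--gecos={e['gecos']}",
            f"--homedir={e['home']}", f"--shell={e['shell']}",
            "--setattr", f"userpassword={userpassword_value(e)}"]
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    # Constructed sample line; the hash is the specification's vector for "Hello world!".
    SAMPLE = ("nisuser:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFN"
              "jnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:1234:1234:NIS USER:/home/nisuser:/bin/bash")
    print("hash verifies offline:", verify("Hello world!", parse_passwd_line(SAMPLE)["hash"]))
    print(ipa_user_add_command(SAMPLE))
```

Running verify() against a throwaway test account whose NIS password you know is the quickest way to separate a bad hash from a bad bind: a value that does not verify here cannot verify in the directory either, whatever migration mode is set to, and a value that does verify narrows the "Invalid credentials (49)" in the SSSD log down to how the attribute was stored.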