[Freeipa-users] Understanding the migration mode

Dmitri Pal dpal at redhat.com
Thu Mar 26 21:59:18 UTC 2015


On 03/26/2015 02:29 PM, Prasun Gera wrote:
> Hello,
> I followed 
> https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords 
> in order to migrate our NIS installation, and for the most part it 
> worked. The server responds to ypcat from the NIS clients, and users 
> can log in. However, I'm seeing a couple of weird issues. Normally, 
> ypcat returns "username:cryptpass:uid:gid:gecos:homedir:shell"  for 
> users and authentication works fine. For new users that were added 
> directly to IPA, instead of the cryptpass, I see an asterisk(*), which 
> is also understandable. However, for a couple of migrated users, I'm 
> seeing that their cryptpasses have also been replaced with *s (in 
> ypcat's output) over the course of time. This creates problems for 
> authentication on clients that haven't been migrated, and they can't 
> log in with their passwords. These users didn't explicitly call kinit 
> or go to the webui for migration. Is it normal for the crypt passes to 
> be replaced by *? I migrated a couple of clients, and these users 
> would have sshed to the migrated clients or possibly to the server. 
> That didn't seem to affect ypcat's behaviour directly, and yet that is 
> the only thing I can think of that has any connection to this.
>
> Regards,
> Prasun
>
>

Based on what you describe I assume that you:
- Migrated users to IPA
- Enabled slapi-nis plugin
- Use old clients with slapi-nis as a NIS server and expect to be able 
to authenticate with new and old users against IPA NIS map.

Right?

So the authentication does not work and this is by design since 
passwords in files are insecure and distributing them centrally as NIS 
did is a security problem.
The suggestion is to change the authentication method on old clients to 
LDAP or Kerberos first, whatever they support (they usually do even if 
they are quite old), and leave NIS for identity information only since 
some old clients do not support LDAP for that part and only support NIS.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
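A quick audit of the NIS passwd map before switching old clients' authentication, written as an added example that is not from the thread or from the FreeIPA project: it parses the seven-field "username:cryptpass:uid:gid:gecos:homedir:shell" format quoted above and reports which users no longer have a usable crypt hash published (and so cannot log in on clients that still authenticate against NIS). The sample lines are constructed, and the set of accepted hash shapes is an assumption.

```python
import re
from collections import Counter

# Constructed sample of `ypcat passwd` output (not taken from the thread):
# two migrated users still carrying crypt hashes, one migrated user whose
# hash has been replaced by "*", and one user created directly in IPA.
SAMPLE_YPCAT = """\
alice:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ab:1001:1001:Alice:/home/alice:/bin/bash
bob:*:1002:1002:Bob:/home/bob:/bin/bash
carol:$1$abcdefgh$0123456789abcdefghijklm:1003:1003:Carol:/home/carol:/bin/sh
dave:*:1004:1004:Dave (new IPA user):/home/dave:/bin/bash
"""

# crypt(3) hash shapes assumed to be usable by an old NIS client:
# MD5 ($1$), SHA-256 ($5$), SHA-512 ($6$) and traditional 13-char DES.
CRYPT_RE = re.compile(r"^(\$[156]\$[^$]+\$[./0-9A-Za-z]+|[./0-9A-Za-z]{13})$")


def parse_ypcat_passwd(text):
    """Parse ypcat passwd lines into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # not a well-formed passwd map entry
        name, cryptpass, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "cryptpass": cryptpass, "uid": int(uid),
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return entries


def classify(entry):
    """'crypt' if a usable hash is published, 'locked' if it is '*'-style, else 'unknown'."""
    cp = entry["cryptpass"]
    if cp in ("*", "!", "!!", "x", ""):
        return "locked"
    if CRYPT_RE.match(cp):
        return "crypt"
    return "unknown"


def audit(text):
    """Return (counts per class, names of users who cannot authenticate via NIS)."""
    entries = parse_ypcat_passwd(text)
    counts = Counter(classify(e) for e in entries)
    locked = [e["name"] for e in entries if classify(e) == "locked"]
    return dict(counts), locked


if __name__ == "__main__":
    counts, locked = audit(SAMPLE_YPCAT)
    print(counts, "no usable NIS hash:", locked)
```

Run it against real `ypcat passwd` output to get the list of users who must be moved to LDAP or Kerberos authentication before their old clients stop working.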
