[Freeipa-users] Understanding the migration mode

Prasun Gera prasun.gera at gmail.com
Fri Mar 27 10:35:03 UTC 2015 

>
>
> The passwords will only show if they are in {crypt} format. If the
> password is changed in IPA it will use the default 389-ds password
> scheme which is a salted SHA.


Yes, that's right. If the password is changed in IPA afterwards, it will
stop working for NIS clients. This is the expected behaviour and that's
fine.



> It may be, though I didn't think this was
> the case, that the password is being re-hashed during kerberos key
> generation.


The kerberos keys for these users shouldn't be generated at all right ? So
far I have been using the special webui page (/ipa/migration) to elevate
old users to regular IPA users. The migration webui page needs the
plaintext password in order to generate the kerberos keys. Until the
migration step is complete, there are no kerberos keys. And that seems all
right. i.e. Elevation to IPA users should happen only intentionally.


>
> How long will you need to keep these legacy systems? This sharing of the
> password hashes is one of the (many) reasons people are migrating from NIS.
>

These clients are actually not even that old. Most of them are on Ubuntu
12.04 or thereabouts. IPA client support on Ubuntu systems seems to be a
bit buggy. I did manage to get it to work with ppas for ipa and sssd after
some minor changes. This has improved in 14.04 from what I read, and it
might be a better idea to bring the clients up to that before migrating.


>
> A fix may be to change the 389-ds password hashing scheme to crypt but
> that may just let these NIS systems linger forever. So it's the typical
> balance of usability vs security.
>

I don't think the problem is the hashing scheme itself.  The old users'
passwords were encrypted using MD5 and that's how I had imported them.
Changing the scheme to something else after importing won't affect these
passwords anyway right ? Or do you mean that if I change 389-ds's scheme to
MD5 now, even if these users are elevated to IPA users, their hashes will
continue to be visible from NIS clients. I thought the encryption scheme
itself, and whether on not NIS clients see the encrypted password were two
separate issues.



>
> rob
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150327/a025486d/attachment.htm>

More information about the Freeipa-users mailing list