[Freeipa-users] Understanding the migration mode

Rob Crittenden rcritten at redhat.com
Fri Mar 27 14:08:21 UTC 2015


Prasun Gera wrote:
> 
>     The passwords will only show if they are in {crypt} format. If the
>     password is changed in IPA it will use the default 389-ds password
>     scheme which is a salted SHA.
> 
> 
> Yes, that's right. If the password is changed in IPA afterwards, it will
> stop working for NIS clients. This is the expected behaviour and that's
> fine. 
> 
>  
> 
>     It may be, though I didn't think this was
>     the case, that the password is being re-hashed during kerberos key
>     generation.
> 
> 
> The kerberos keys for these users shouldn't be generated at all right ?
> So far I have been using the special webui page (/ipa/migration) to
> elevate old users to regular IPA users. The migration webui page needs
> the plaintext password in order to generate the kerberos keys. Until the
> migration step is complete, there are no kerberos keys. And that seems
> all right, i.e. elevation to IPA users should happen only intentionally.

Keys can be generated in migration in two ways: by the migration web UI
or by sssd. I'm guessing you were unaware of this second method and that
is how the keys are being created.

>     How long will you need to keep these legacy systems? This sharing of the
>     password hashes is one of the (many) reasons people are migrating
>     from NIS.
> 
>  
> These clients are actually not even that old. Most of them are on Ubuntu
> 12.04 or thereabouts. IPA client support on Ubuntu systems seems to be a
> bit buggy. I did manage to get it to work with PPAs for ipa and sssd
> after some minor changes. This has improved in 14.04 from what I read,
> and it might be a better idea to bring the clients up to that before
> migrating. 

I'd suggest using nss_ldap over NIS. You can also manually configure
Kerberos and have basic functionality as long as nscd doesn't drive you
crazy.

AFAIK there is just one guy donating his time to create the PPAs for
Debian for all the related IPA client and server packages, in his spare
time. I imagine he has to pick his battles carefully.

> 
>     A fix may be to change the 389-ds password hashing scheme to crypt but
>     that may just let these NIS systems linger forever. So it's the typical
>     balance of usability vs security.
> 
> 
> I don't think the problem is the hashing scheme itself.  The old users'
> passwords were encrypted using MD5 and that's how I had imported them.
> Changing the scheme to something else after importing won't affect these
> passwords anyway right ? Or do you mean that if I change 389-ds's scheme
> to MD5 now, even if these users are elevated to IPA users, their hashes
> will continue to be visible from NIS clients. I thought the encryption
> scheme itself, and whether or not NIS clients see the encrypted password
> were two separate issues. 

It's not the encryption type, it is how it is encoded in 389-ds. When
you migrated the passwords they were stored as {crypt}hash. When the
password is changed in 389-ds it becomes {SSHA}hash. The NIS
configuration for slapi-nis only provides those passwords prefixed with
{crypt} (because NIS can only grok that format).

rob
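As an added illustration of the encoding distinction Rob describes above (this is not part of the original thread, nor code from FreeIPA, 389-ds or slapi-nis): a small Python audit that classifies stored userPassword values by their 389-ds storage-scheme prefix and flags the ones slapi-nis would hand to NIS clients, i.e. the {crypt}-prefixed ones. The DNs and hash payloads in SAMPLE_ENTRIES are constructed placeholders, not real credentials; in practice the values would come from a privileged LDAP search of the accounts container, and the resulting list is what an admin would track until the last NIS client is gone.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of userPassword values in the form 389-ds stores them.
# DNs and hash payloads are made-up placeholders, not real credentials.
SAMPLE_ENTRIES: Dict[str, str] = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test":
        "{crypt}$1$c0nstruc$NotARealMd5CryptHash000",        # migrated from NIS
    "uid=bob,cn=users,cn=accounts,dc=example,dc=test":
        "{SSHA}Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgc3NoYSB2YWx1ZQ==",  # changed in IPA
    "uid=carol,cn=users,cn=accounts,dc=example,dc=test":
        "{CRYPT}$6$c0nstruc$NotARealSha512CryptHash0000000000000000",  # crypt, upper-case prefix
    "uid=dave,cn=users,cn=accounts,dc=example,dc=test":
        "{SHA}Tm90QVJlYWxTaGExVmFsdWU=",                       # some other scheme
}

# 389-ds writes the scheme as a {NAME} prefix; the name may appear in either case.
_SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.DOTALL)
# Traditional DES crypt(3): exactly 13 characters from the ./0-9A-Za-z alphabet.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_scheme(value: str) -> Tuple[Optional[str], str]:
    """Split a userPassword value into (scheme, payload).

    The scheme is the {...} prefix, lower-cased for comparison.
    A value with no prefix is returned with scheme None.
    """
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value
    return m.group(1).lower(), m.group(2)


def crypt_variant(payload: str) -> str:
    """Identify the Unix crypt(3) flavour of a {crypt} payload by its $id$ prefix."""
    if payload.startswith("$1$"):
        return "md5-crypt"
    if payload.startswith("$5$"):
        return "sha256-crypt"
    if payload.startswith("$6$"):
        return "sha512-crypt"
    if _DES_CRYPT_RE.match(payload):
        return "des-crypt"
    return "unknown"


def nis_visible(value: str) -> bool:
    """True if slapi-nis would publish this hash to NIS clients.

    As stated in the thread, only {crypt}-prefixed values are exported;
    a value re-hashed by 389-ds as {SSHA} (or any other scheme) is not.
    """
    scheme, _ = parse_scheme(value)
    return scheme == "crypt"


def audit(entries: Dict[str, str]) -> List[Dict[str, object]]:
    """Classify every entry: storage scheme, crypt flavour (if any) and NIS exposure."""
    report: List[Dict[str, object]] = []
    for dn, value in entries.items():
        scheme, payload = parse_scheme(value)
        report.append({
            "dn": dn,
            "scheme": scheme or "unprefixed",
            "variant": crypt_variant(payload) if scheme == "crypt" else "-",
            "nis_visible": nis_visible(value),
        })
    return report


def exposed_dns(entries: Dict[str, str]) -> List[str]:
    """DNs whose hash is still exported over NIS: the accounts to watch until migration ends."""
    return [str(r["dn"]) for r in audit(entries) if r["nis_visible"]]


if __name__ == "__main__":
    for row in audit(SAMPLE_ENTRIES):
        status = "EXPORTED via NIS" if row["nis_visible"] else "not exported"
        print(f"{row['dn']:<55} {row['scheme']:<12} {row['variant']:<13} {status}")
```

Running the audit before and after a user's password is changed in IPA shows the transition the thread describes: the entry moves from the {crypt} row (exported) to an {SSHA} row (not exported), which is exactly why the account stops working for NIS clients while continuing to work for Kerberos and LDAP ones.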
