[Freeipa-users] Understanding the migration mode
Dmitri Pal
dpal at redhat.com
Fri Mar 27 20:55:59 UTC 2015
On 03/27/2015 01:20 PM, Prasun Gera wrote:
>
>
> Keys can be generated in migration in two ways: by the migration web UI
> or by sssd. I'm guessing you were unaware of this second method and that
> is how the keys are being created.
>
>
> That's what I suspected too. But it doesn't look like SSSD is
> generating keys. At least not right away. I SSHed to one of the
> clients with ipa-client installed as well as to the ipa-server, and
> that didn't change anything right away. That's what I was trying to
> figure out, i.e. which event triggers key generation?
>
> I'd suggest using nss_ldap over NIS. You can also manually configure
> Kerberos and have basic functionality as long as nscld doesn't drive you
> crazy.
>
>
> Thanks. I'll look into it.
>
>
> It's not the encryption type, it is how it is encoded in 389-ds. When
> you migrated the passwords they were stored as {crypt}hash. When the
> password is changed in 389-ds it becomes {SSHA}hash. The NIS
> configuration for slapi-nis only provides those passwords prefixed with
> {crypt} (because NIS can only grok that format).
>
>
> rob
>
>
> Yeah, that sounds like a possible fix, although a less than ideal one.
> Is it possible to change it back to {SSHA} after all the clients have
> been migrated suitably? How would one force all the existing users'
> passwords to be converted to {SSHA} once slapi-nis is no longer needed?
>
>
>
The idea is that you tell all the users to either log in via the migration
page or via SSSD.
If your server is in migration mode, the migration page should be
available and SSSD should detect that the server is in migration mode.
In this case any authentication via SSSD will end up creating proper
hashes for Kerberos. I suspect this is when the conversion of the LDAP
hashes happens too.
You suggested that this is not the case, but I am not sure that the test
was 100% correct.
Please try:
- check that migration mode is on
- check that the user does not have a Kerberos password, only the LDAP hash
from the NIS migration
- ssh into a box that runs SSSD with such a user and authenticate
As a result you should see a Kerberos hash created for this user, and I
suspect the LDAP hash is converted at the same time.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
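The second check in the procedure above (does the user still carry only the NIS-style LDAP hash, or already Kerberos keys?) is easiest to run before and after the SSSD login and diff. The script below is an added example, not code from this thread or from FreeIPA. It assumes the migrated password sits in the userPassword attribute (prefixed {crypt} after migration, {SSHA} after a 389-ds password change, as Rob describes) and that Kerberos keys sit in krbPrincipalKey; both attributes are only returned when the search binds as Directory Manager. The LDIF embedded in it is constructed sample data, not a real directory dump.

```python
"""Classify FreeIPA users by migration state from ldapsearch LDIF output.

Added example, not from the thread or from FreeIPA.  Assumed attribute
names: userPassword ({crypt}/{SSHA} hash) and krbPrincipalKey (Kerberos
keys); SAMPLE_LDIF below is constructed test data.
"""
import base64
import re
from typing import Dict, List

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values


def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch output into one dict per entry.

    Handles LDIF line folding (continuation lines start with one space) and
    base64 values ('attr:: value'), which ldapsearch uses for binary
    attributes such as userPassword and krbPrincipalKey.
    """
    unfolded = re.sub(r"\n ", "", text)  # rejoin folded lines first
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded.splitlines():
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):             # ldapsearch comment lines
            continue
        m = re.match(r"([^:]+)(::?) ?(.*)$", line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            # latin-1 never fails, so an opaque binary blob survives intact
            value = base64.b64decode(value).decode("latin-1")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    # the trailing "search: 2 / result: 0 Success" block has no dn: drop it
    return [e for e in entries if "dn" in e]


def hash_scheme(user_password: str) -> str:
    """Return the 389-ds storage scheme of a userPassword value (CRYPT, SSHA, ...)."""
    m = re.match(r"\{([^}]+)\}", user_password)
    return m.group(1).upper() if m else "PLAIN"


def classify(entry: Entry) -> Dict[str, object]:
    """Decide whether a user still has to log in once to get Kerberos keys."""
    uid = entry.get("uid", ["?"])[0]
    has_krb_key = "krbprincipalkey" in entry
    pw = entry.get("userpassword", [])
    scheme = hash_scheme(pw[0]) if pw else "NONE"
    if has_krb_key:
        status = "migrated"          # keys exist: migration page or SSSD already ran
    elif scheme == "CRYPT":
        status = "pending"           # only the NIS-style hash: no login yet
    else:
        status = "no-kerberos-keys"  # some other LDAP-only state; inspect by hand
    return {"uid": uid, "scheme": scheme, "has_krb_key": has_krb_key, "status": status}


def migration_report(ldif_text: str) -> Dict[str, Dict[str, object]]:
    """uid -> classification for every user entry in the LDIF."""
    return {str(c["uid"]): c for c in (classify(e) for e in parse_ldif(ldif_text))}


def pending_users(ldif_text: str) -> List[str]:
    """Users who still need one migration-page or SSSD login."""
    return sorted(u for u, c in migration_report(ldif_text).items() if c["status"] == "pending")


# ---- constructed sample data: not real hashes, not real Kerberos keys ----
def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _fold(line: str, width: int = 76) -> str:
    """Fold a long line the way LDIF writers do (continuations start with a space)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


SAMPLE_LDIF = "\n".join([
    "# extended LDIF",
    "#",
    "# alice, users, accounts, example.com",
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com",
    "uid: alice",
    "userPassword:: " + _b64("{crypt}$6$saltsalt$constructed-not-a-real-hash"),
    "",
    "# bob, users, accounts, example.com",
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com",
    "uid: bob",
    "userPassword:: " + _b64("{SSHA}constructed-not-a-real-hash"),
    _fold("krbPrincipalKey:: " + _b64("constructed-opaque-key-blob-" + "x" * 80)),
    "",
    "# carol, users, accounts, example.com",
    "dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com",
    "uid: carol",
    "userPassword: {SSHA}constructed-not-a-real-hash",  # clear-text LDIF form, no keys
    "",
    "# search result",
    "search: 2",
    "result: 0 Success",
    "",
])

if __name__ == "__main__":
    for uid, c in migration_report(SAMPLE_LDIF).items():
        print(f"{uid:8} scheme={c['scheme']:6} krb_keys={c['has_krb_key']!s:5} {c['status']}")
    print("pending:", pending_users(SAMPLE_LDIF))
```

To use it against a real server, dump the two attributes as Directory Manager (`ldapsearch -x -H ldaps://ipa.example.com -D "cn=Directory Manager" -W -b cn=users,cn=accounts,dc=example,dc=com '(objectClass=posixAccount)' uid userPassword krbPrincipalKey > before.ldif`, host and base DN being placeholders), feed the file to `migration_report`, do the SSH login through SSSD, dump again and compare: a user moving from `pending` to `migrated` confirms the key generation Dmitri describes, and the `scheme` column shows whether the {crypt} hash was rewritten at the same time, which is the part he only suspects. For the first check, `ipa config-show` prints an "Enable migration mode" line, and `ipa user-show <uid>` prints "Kerberos keys available", which is a quicker way to see key presence for a single user (those labels are as printed by the ipa CLI; confirm on your version), but it does not reveal the userPassword scheme, which is why the ldapsearch route is used here.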