[Freeipa-users] How to migrate users with md5 and sha512 passwords

Joanna Delaporte joannadelaporte at gmail.com
Thu Jun 30 17:00:13 UTC 2016


I figured it out. The problem was the user's UID being too low. In the
client's /var/log/secure log, I found this:

sshd[25010]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "user1"

The user that was failing to authenticate via password had a UID lower than
1000. When I allowed IPA to set a random UID, the login with migrated
password worked (although it didn't prompt to reset password for this user
and I'm still figuring out NFSv4 access for users). The NIS domain I am
migrating from is several years old, from the era when it was normal to
have users start in the 500s. So, I need to migrate UIDs simultaneously.

On Thu, Jun 30, 2016 at 8:16 AM, Rob Crittenden <rcritten at redhat.com> wrote:

> Joanna Delaporte wrote:
>
>> I am migrating an NIS domain to IPA. I have attempted to follow the
>> instructions
>> <http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords>
>> for
>> NIS account crypted password migration, but I haven't yet successfully
>> used password authentication to log in to remote machines.
>>
>> The instructions expect I would migrate DES-encrypted passwords, but I
>> have a mixture of md5 and sha512-encrypted passwords. Do I need to
>> follow a different process, or am I chasing the wrong problem?
>>
>> This is my first IPA realm.
>>
>
> If you have crypt-compatible passwords ($6$<huge string>) then just pass
> it in as {crypt}$6$... and it should work fine.
>
> You can ONLY set a pre-hashed password in migration mode AND when adding
> the user. You can't add the user then set a hashed password.
>
> rob
>
>


-- 


Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelaporte at gmail.com
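
An added example, not part of the original thread: a pre-migration audit covering both points raised above, namely which NIS password hashes are crypt-compatible and can be passed as `{crypt}<hash>`, and which accounts have a UID below the `uid >= 1000` threshold seen in the pam_succeed_if log line. The passwd lines, hash strings, and function names are constructed for illustration.

```python
import re

# Constructed sample in `ypcat passwd` format (name:hash:uid:gid:gecos:home:shell).
# The hash strings are placeholders, not real password hashes.
SAMPLE_PASSWD = """\
user1:$1$abcdefgh$CONSTRUCTEDmd5hashvalue:512:512:User One:/home/user1:/bin/bash
user2:$6$saltsaltsaltsalt$CONSTRUCTEDsha512hashvalue:1501:1501:User Two:/home/user2:/bin/bash
user3:abJnggxhB/yWI:640:640:User Three:/home/user3:/bin/bash
user4:*:1502:1502:Locked:/home/user4:/sbin/nologin
"""

PAM_MIN_UID = 1000  # threshold from the pam_succeed_if log line in the thread

# Modular crypt(3) identifiers handled here; anything else is reported as unknown.
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt: 13 chars


def classify(hash_field):
    """Return the crypt(3) scheme name for a passwd hash field, or None."""
    m = re.match(r"^\$([0-9a-z]+)\$[^$]+\$.+", hash_field)
    if m:
        return SCHEMES.get(m.group(1))
    return "des" if DES_RE.match(hash_field) else None


def audit(passwd_text, min_uid=PAM_MIN_UID):
    """Yield one dict per account: the {crypt} value and a low-UID flag."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines
        name, hash_field, uid = fields[0], fields[1], int(fields[2])
        scheme = classify(hash_field)
        yield {
            "user": name,
            "scheme": scheme,
            # Locked ("*") or unrecognised entries get no password value.
            "userpassword": "{crypt}" + hash_field if scheme else None,
            "uid": uid,
            "uid_below_pam_min": uid < min_uid,
        }


if __name__ == "__main__":
    for row in audit(SAMPLE_PASSWD):
        print(row)
```

Accounts flagged `uid_below_pam_min` are the ones that would hit the `requirement "uid >= 1000" not met` failure if migrated with their old UID.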