<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/05/2015 03:48 PM, Alan Evans
wrote:<br>
</div>
<blockquote
cite="mid:CAMFVOoUjHEU9yveG8SEOEGyyNTvpmykZZWndU4i255tCTRN8pQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hello, I thought I saw something like this
asked before but after searching the archive it
seems I can't find it.<br>
<br>
</div>
I am using FreeIPA 3.3.3 on Cent 7 from EPEL. Is it
possible using native ldap tools, ldapadd and
ldappasswd in particular, for user creation and
password management?<br>
<br>
</div>
I am trying to use an IDM to synchronize accounts from
one directory to FreeIPA. The IDM does not have
native FreeIPA support but does have LDAP support.<br>
<br>
</div>
I have successfully gotten some objects created but I am
having problems with their passwords.<br>
<br>
</div>
I have tried using <a moz-do-not-send="true"
href="https://ipa/ui/migration">https://ipa/ui/migration</a>,
resetting passwords in IPA UI, ldappasswd and the ipa-cli
but when I kinit these users I get the following.<br>
<br>
<br>
<pre>
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
</pre>
<br>
<br>
</div>
I did get a few Google hits on 'CLIENT KEY EXPIRED' but I am
not sure I understand what they're referring to and if they
apply in this situation.<br>
<br>
</div>
Thank you,<br>
</div>
-Alan<br>
</div>
<br>
<br>
</blockquote>
This might be caused by the mismatch of the LDAP password hashes.<br>
The password hashes that you had in the other directory might not have
the right hash types.<br>
<br>
There is a way to change the hashing scheme in the IPA directory so that
the hashes would become accepted, but I do not recall the setting off the
top of my head.<br>
In general this is not yet supported. We are working on the feature
for 4.2.<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/User_Life-Cycle_Management">http://www.freeipa.org/page/V4/User_Life-Cycle_Management</a><br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.</pre>
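<p>As an added example (not part of the thread or of FreeIPA), a small Python parser for the krb5kdc AS_REQ lines quoted above: it tallies outcomes per client principal and lists the principals for which the KDC reports an expired key, which is the symptom being discussed. The embedded sample is the ten log lines from the message; the field names are my own.</p>

```python
import re
from collections import Counter, defaultdict

# Shape of the krb5kdc AS_REQ lines quoted in the thread (MIT krb5 syslog format).
KDC_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_ ]+?): (?P<client>\S+) for (?P<server>\S+?), (?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of one AS_REQ line, or None for any other KDC output."""
    m = KDC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]  # enctypes the client offered
    return rec

def summarize(lines):
    """Tally AS_REQ outcomes per client principal and list expired-key principals.

    In the quoted log each CLIENT KEY EXPIRED on krbtgt/... is followed by a
    NEEDED_PREAUTH on kadmin/changepw@..., the KDC steering the client towards
    a password change; this is the loop the thread's poster is stuck in.
    """
    per_client = defaultdict(Counter)
    expired = set()
    for rec in filter(None, map(parse_line, lines)):
        per_client[rec["client"]][rec["status"]] += 1
        if rec["status"] == "CLIENT KEY EXPIRED":
            expired.add(rec["client"])
    return {"per_client": {c: dict(v) for c, v in per_client.items()},
            "expired": sorted(expired)}

# The ten krb5kdc lines from the message above, with the mail client's link markup stripped.
SAMPLE_LOG = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```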
</body>
</html>