<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 05/05/2015 03:48 PM, Alan Evans
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAMFVOoUjHEU9yveG8SEOEGyyNTvpmykZZWndU4i255tCTRN8pQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>Hello, I thought I saw something like this
                      asked before but after searching the archive it
                      seems I can't find it.<br>
                      <br>
                    </div>
                    I am using FreeIPA 3.3.3 on Cent 7 from EPEL.  Is it
                    possible using native ldap tools, ldapadd and
                    ldappasswd in particular, for user creation and
                    password management?<br>
                    <br>
                  </div>
                  I am trying to use an IDM to synchronize accounts from
                  one directory to FreeIPA.  The IDM does not have
                  native FreeIPA support but does have LDAP support.<br>
                  <br>
                </div>
                I have successfully gotten some objects created but I am
                having problems with their passwords.<br>
                <br>
              </div>
              I have tried using <a moz-do-not-send="true"
                href="https://ipa/ui/migration">https://ipa/ui/migration</a>,
              resetting passwords in IPA UI, ldappasswd and the ipa-cli
              but when I kinit these users I get the following.<br>
              <br>
              <br>
<pre>
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
</pre>
              <br>
              <br>
            </div>
            I did get a few google hits on 'CLIENT KEY EXPIRED' but I am
            not sure I understand what they're referring to and if they
            apply in this situation.<br>
            <br>
          </div>
          Thank you,<br>
        </div>
        -Alan<br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    This might be caused by the mismatch of the LDAP password hashes.<br>
    The password hashes that you had in the other directory might not have
    the right hash types.<br>
    <br>
    There is a way to change the hashing scheme in the IPA directory so that
    the hashes would become accepted, but I do not recall the setting off the
    top of my head.<br>
    In general this is not yet supported. We are working on the feature
    for 4.2.<br>
    <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/User_Life-Cycle_Management">http://www.freeipa.org/page/V4/User_Life-Cycle_Management</a><br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.</pre>
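<p>An added example, not part of the thread above: a small parser for the krb5kdc AS_REQ lines Alan quoted, which pairs each <code>CLIENT KEY EXPIRED</code> event with the follow-up <code>NEEDED_PREAUTH</code> request for <code>kadmin/changepw</code> (the client trying to change the expired password) and reports the source addresses and offered enctypes per principal. The sample log is constructed from the lines in the thread; the line format is assumed to match MIT KDC logging as shown there.</p>

```python
import re
from collections import defaultdict

# Shape of the krb5kdc AS_REQ lines quoted in the thread (assumed stable for MIT KDC logging).
KDC_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[\d ]+)\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_ ]+?): (?P<princ>\S+) for (?P<service>\S+), (?P<msg>.*)$"
)

# Constructed sample modelled on the lines posted in the thread (not from a live system).
SAMPLE_LOG = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
"""


def parse_line(line):
    """Return the fields of one AS_REQ log line, or None if the line has another shape."""
    m = KDC_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["etypes"] = [int(e) for e in ev["etypes"].split()]  # enctypes the client offered
    return ev


def summarize(text):
    """Per principal: expired-key events, how many were followed by a kadmin/changepw
    request (a password-change attempt), and the source addresses seen."""
    out = defaultdict(lambda: {"expired": 0, "change_attempts": 0,
                               "sources": set(), "pending": False})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = out[ev["princ"]]
        s["sources"].add(ev["client"])
        if ev["status"] == "CLIENT KEY EXPIRED":
            s["expired"] += 1
            s["pending"] = True  # expect the client to go to kadmin/changepw next
        elif ev["status"] == "NEEDED_PREAUTH" and ev["service"].startswith("kadmin/changepw@"):
            if s["pending"]:
                s["change_attempts"] += 1
                s["pending"] = False
    for s in out.values():
        del s["pending"]
    return dict(out)
```

<p>A principal with many expired-key events but no matching change attempt is worth a look, since the user keeps failing at kinit without ever reaching the password-change step.</p>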
  </body>
</html>