[Freeipa-users] Password migrating into IPA with SSSD failed

Stephen Gallagher sgallagh at redhat.com
Mon Apr 30 19:50:23 UTC 2012


> 
> The existing document states all the steps as listed below.
> 
>         1. A user tries to log into a machine with SSSD.
>         2. SSSD attempts to perform Kerberos authentication against the
>            IPA server.
>         3. Even though the user exists in the system, the authentication
>            will fail with the error "key type is not supported" because the
>            Kerberos hashes do not yet exist.
>         4. SSSD then performs a plaintext LDAP bind over a secure
>            connection.
>         5. IPA intercepts this bind request. If the user has a Kerberos
>            principal but no Kerberos hashes, then the IPA identity
>            provider generates the hashes and stores them in the user
>            entry.
>         6. If authentication is successful, SSSD disconnects from IPA and
>            tries Kerberos authentication again. This time, the request
>            succeeds because the hash exists in the entry.
> Steps 4-6 are a little difficult to understand: are these steps
> SSSD/IPA's internal information exchange mechanism, or do I have to
> set something up on the IPA client/server side to fulfill them, like
> setting up pam_ldap or nslcd/nss_ldap?
> 


Steps 4-6 are handled automatically by SSSD as long as it is configured
with 'id_provider = ipa' and 'auth_provider = ipa' (which is how
ipa-client-install configures it) and migration mode is enabled on the
server.

> 
> I've migrated all my users and groups from OpenLDAP into IPA without
> user password/hash (another bug here: needs the
> --group-objectclass='posixGroup' option, and optionally
> --schema='RFC2307'); the passwords were not migrated, and so I tried
> the above method to set up new passwords seamlessly for users.
> Unfortunately all tries failed.
> 

This is the problem. In order for seamless password migration to work,
you need to migrate the hashes. If we cannot bind with the old password,
we can't set that up for Kerberos.

What it sounds like you probably want to do (since you aren't keeping
the hashes) is just reset the passwords for all of your users, which
will require them to change it on first login. There's an admin command
'ipa passwd <username>' that can reset a user password. There may also
be tools to do this in bulk, but someone else will need to chime in
here.
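The reply above turns on whether the imported entries still carry a userPassword hash for the step-4 LDAP bind to verify. As an added example (not FreeIPA or SSSD code; the LDIF export and the hash value are constructed), a small audit of an OpenLDAP export that reports each entry's hash scheme and flags entries with no hash at all, i.e. the accounts that would need an 'ipa passwd' reset instead of seamless migration:

```python
"""Audit an OpenLDAP export for userPassword hashes IPA's migration bind can use (added example, not IPA code)."""
import base64

_ALICE_PW = base64.b64encode(b"{SSHA}c2FsdGVkaGFzaA==").decode()  # constructed, not a real hash
# Constructed slapcat-style export; LDIF base64-encodes userPassword ("::").
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword:: {_ALICE_PW}

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword: secret123
"""

def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, 'attr::' marks a base64 value."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        current.setdefault(attr, []).append(value)
    return entries

def classify(values):
    """'missing', the hash scheme prefix (e.g. '{SSHA}'), or 'unprefixed' (cleartext)."""
    if not values:
        return "missing"  # the plaintext LDAP bind in step 4 can never succeed
    if values[0].startswith("{") and "}" in values[0]:
        return values[0][: values[0].index("}") + 1]
    return "unprefixed"

def audit_passwords(ldif):
    """Map uid -> password state for every entry in the export."""
    return {e["uid"][0]: classify(e.get("userPassword", [])) for e in parse_ldif(ldif)}

def users_needing_reset(ldif):
    """Accounts with no hash to migrate: candidates for 'ipa passwd <uid>' after import."""
    return sorted(u for u, state in audit_passwords(ldif).items() if state == "missing")
```

Run it against a real `slapcat` output before `ipa migrate-ds`; every uid reported as "missing" will hit exactly the failure described above, since there is nothing for the bind to verify.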
