On Tue, 05 Mar 2024, ITreers UA via FreeIPA-users wrote:
As I understand it, my problem probably isn't related to SIDs. All my users obtained correct (as I think) SIDs after the migration. But I have such different logs for the admin user (which was not migrated) and for the test.1 user, which was migrated from the old FreeIPA 4.6.8 on CentOS 7 to the new Ubuntu 22.04 Docker instance of FreeIPA 4.10.2 with the same realm, but on a different domain.
The migration was made with the command:
ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry,ipaNTSecurityIdentifier,pwmlastpwdupdate,pwmeventlog} --user-ignore-objectclass={mepOriginEntry,pwmuser,ipaNTUserAttrs} --group-ignore-attribute=ipaNTSecurityIdentifier --group-ignore-objectclass=ipaNTGroupAttrs --exclude-users={pwm.proxy,pwm.test} --exclude-groups={pwm.proxy,pwm.test} --group-overwrite-gid --with-compat ldaps://old.somedomain.net
[root@ldap-2 /]# KRB5_TRACE=/dev/stderr kinit admin 2>&1
[7363] 1709655365.522471: Getting initial credentials for admin@SOMEDOMAIN.NET
[7363] 1709655365.522473: Sending unauthenticated request
[7363] 1709655365.522474: Sending request (169 bytes) to SOMEDOMAIN.NET
[7363] 1709655365.522475: Initiating TCP connection to stream 172.18.0.3:88
[7363] 1709655365.522476: Sending TCP request to stream 172.18.0.3:88
[7363] 1709655365.522477: Received answer (526 bytes) from stream 172.18.0.3:88
[7363] 1709655365.522478: Terminating TCP connection to stream 172.18.0.3:88
[7363] 1709655365.522479: Response was from primary KDC
[7363] 1709655365.522480: Received error from KDC: -1765328359/Additional pre-authentication required
[7363] 1709655365.522483: Preauthenticating using KDC method data
[7363] 1709655365.522484: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[7363] 1709655365.522485: Selected etype info: etype aes256-sha2, salt "1u\ ]=_tjHbc>-/e", params ""
[7363] 1709655365.522486: Received cookie: MIT1\x00\x00\x00\x01\x1b\xb8\x99\xd8b\x8b\xe8\xc0\xe1\xca\x82\x0c\x9c"\x06\x7f3\x83o]\xbb\x172\xb5A\x053\ni\xd1\x88\x1e&>\xaaS\xd9\x15|\x84\xdb\xe9\xb1azEs\x99\xfb\x91\xaa\xb5\x08\x9c+\xb1\xb6\x02\xba\x85\x08 \xa1RV\x7f\xd3\xa3\x0b\x99\x9e\xda\xbap?U\xde\xd3\x9c\x0d\xe9T\x98\xbc+\xc4\xe8|\x7f=\xfa\x1f\xde\xae\x93\x12\x81m\xc2\xf5cFs\xf7\x12\x157\xb8c\xd1\x11\x9c\x8d\xa8\xf2\x9b\xd5\x94X\xb2%\x08\x91\x11a?L\x03d\xbc5\x9f4GmV\xa96fe
[7363] 1709655365.522487: PKINIT client has no configured identity; giving up
[7363] 1709655365.522488: Preauth module pkinit (147) (info) returned: 0/Success
[7363] 1709655365.522489: PKINIT client received freshness token from KDC
[7363] 1709655365.522490: Preauth module pkinit (150) (info) returned: 0/Success
[7363] 1709655365.522491: PKINIT client has no configured identity; giving up
[7363] 1709655365.522492: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[7363] 1709655365.522493: SPAKE challenge received with group 1, pubkey 22D477D5D4218DC8C5FFF38EC21FE6E08D9A6488F3F96D69A3D6D15C929D2EC2
Password for admin@SOMEDOMAIN.NET:
[7363] 1709655418.745247: SPAKE key generated with pubkey 344A6368A2BE4535EB68237F9996F92FF4418A19661AFA4B5B84CE5780DF909A
[7363] 1709655418.745248: SPAKE algorithm result: F630A33BAA4143B978F659D6A401A53174E43A82E6F70140BA99CAC959A2C29F
[7363] 1709655418.745249: SPAKE final transcript hash: 9CF0C027377C1287D946DB78876076A46B97D95E962AA30A05634184107222F9
[7363] 1709655418.745250: Sending SPAKE response
[7363] 1709655418.745251: Preauth module spake (151) (real) returned: 0/Success
[7363] 1709655418.745252: Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
[7363] 1709655418.745253: Sending request (452 bytes) to MEA-DEV.NET
[7363] 1709655418.745254: Initiating TCP connection to stream 172.18.0.3:88
[7363] 1709655418.745255: Sending TCP request to stream 172.18.0.3:88
[7363] 1709655418.745256: Received answer (1761 bytes) from stream 172.18.0.3:88
[7363] 1709655418.745257: Terminating TCP connection to stream 172.18.0.3:88
[7363] 1709655418.745258: Response was from primary KDC
[7363] 1709655418.745259: Processing preauth types: PA-ETYPE-INFO2 (19)
[7363] 1709655418.745260: Selected etype info: etype aes256-sha2, salt "1u\ ]=_tjHbc>-/e", params ""
[7363] 1709655418.745261: Produced preauth for next request: (empty)
[7363] 1709655418.745262: AS key determined by preauth: aes256-sha2/B7BD
[7363] 1709655418.745263: Decrypted AS reply; session key is: aes256-sha2/5E1A
[7363] 1709655418.745264: FAST negotiation: available
[7363] 1709655418.745265: Resolving unique ccache of type MEMORY
[7363] 1709655418.745266: Initializing MEMORY:yGYZJ2v with default princ admin@SOMEDOMAIN.NET
[7363] 1709655418.745267: Storing config in MEMORY:yGYZJ2v for krbtgt/SOMEDOMAIN.NET@SOMEDOMAIN.NET: fast_avail: yes
[7363] 1709655418.745268: Storing admin@SOMEDOMAIN.NET -> krb5_ccache_conf_data/fast_avail/krbtgt/SOMEDOMAIN.NET@SOMEDOMAIN.NET@X-CACHECONF: in MEMORY:yGYZJ2v
[7363] 1709655418.745269: Storing config in MEMORY:yGYZJ2v for krbtgt/SOMEDOMAIN.NET@SOMEDOMAIN.NET: pa_type: 151
[7363] 1709655418.745270: Storing admin@SOMEDOMAIN.NET -> krb5_ccache_conf_data/pa_type/krbtgt/SOMEDOMAIN.NET@SOMEDOMAIN.NET@X-CACHECONF: in MEMORY:yGYZJ2v
[7363] 1709655418.745271: Storing admin@SOMEDOMAIN.NET -> krbtgt/SOMEDOMAIN.NET@SOMEDOMAIN.NET in MEMORY:yGYZJ2v
[7363] 1709655418.745272: Moving ccache MEMORY:yGYZJ2v to FILE:/tmp/krb5cc_0
[7363] 1709655418.745273: Destroying ccache MEMORY:yGYZJ2v
and for test.1 (the migrated user):
KRB5_TRACE=/dev/stderr kinit test.1 2>&1
[7364] 1709655454.364392: Getting initial credentials for test.1@SOMEDOMAIN.NET
[7364] 1709655454.364394: Sending unauthenticated request
[7364] 1709655454.364395: Sending request (170 bytes) to SOMEDOMAIN.NET
[7364] 1709655454.364396: Initiating TCP connection to stream 172.18.0.3:88
[7364] 1709655454.364397: Sending TCP request to stream 172.18.0.3:88
[7364] 1709655454.364398: Received answer (250 bytes) from stream 172.18.0.3:88
[7364] 1709655454.364399: Terminating TCP connection to stream 172.18.0.3:88
[7364] 1709655454.364400: Response was from primary KDC
[7364] 1709655454.364401: Received error from KDC: -1765328359/Additional pre-authentication required
[7364] 1709655454.364404: Preauthenticating using KDC method data
[7364] 1709655454.364405: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[7364] 1709655454.364406: Received cookie: MIT
[7364] 1709655454.364407: PKINIT client has no configured identity; giving up
[7364] 1709655454.364408: Preauth module pkinit (147) (info) returned: 0/Success
[7364] 1709655454.364409: PKINIT client received freshness token from KDC
[7364] 1709655454.364410: Preauth module pkinit (150) (info) returned: 0/Success
[7364] 1709655454.364411: PKINIT client has no configured identity; giving up
[7364] 1709655454.364412: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
Look at the preauth types. The second user has no password, hence no PA-SPAKE or PA-ENC-TIMESTAMP preauthentication methods.
Once migrated via 'ipa migrate-ds', users will lack Kerberos keys. You need to follow the migration instructions and enable migration mode, then log in as this user through SSSD or the migration web page.
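The diagnostic in the reply above (compare the "Processing preauth types" line of each principal's first KDC reply; a principal the KDC offers no PA-ENC-TIMESTAMP, PA-SPAKE or PA-ETYPE-INFO2 for has no long-term key) can be scripted so that a migrated directory can be checked user by user. The following is an added example, not code from the thread or from FreeIPA; it parses KRB5_TRACE output as produced by MIT kinit, and the embedded trace excerpts (principals, realm, timestamps) are constructed for the example, modelled on the two traces quoted above.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample: abbreviated KRB5_TRACE excerpts for two principals,
# modelled on the traces in the thread (names and timestamps are made up).
SAMPLE_TRACE = """\
[7363] 1709655365.522471: Getting initial credentials for admin@EXAMPLE.TEST
[7363] 1709655365.522484: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[7363] 1709655418.745259: Processing preauth types: PA-ETYPE-INFO2 (19)
[7363] 1709655418.745263: Decrypted AS reply; session key is: aes256-sha2/5E1A
[7364] 1709655454.364392: Getting initial credentials for test.1@EXAMPLE.TEST
[7364] 1709655454.364405: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
"""

# Mechanisms the KDC only offers when the principal has a password-derived
# long-term key. PKINIT/FAST/cookie/freshness are offered regardless.
PASSWORD_PREAUTH = {"PA-ENC-TIMESTAMP", "PA-SPAKE", "PA-ETYPE-INFO2"}

PRINCIPAL_RE = re.compile(r"Getting initial credentials for (\S+)")
PREAUTH_RE = re.compile(r"Processing preauth types: (.*)")
PA_NAME_RE = re.compile(r"([A-Z0-9_-]+) \(\d+\)")


def parse_trace(text: str) -> Dict[str, List[str]]:
    """Map each principal to the preauth types in its FIRST KDC reply.

    Only the first 'Processing preauth types' line after a principal is kept:
    later ones (e.g. the PA-ETYPE-INFO2-only reply after a successful SPAKE
    exchange) describe follow-up rounds, not what the KDC initially offered.
    """
    offered: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = PREAUTH_RE.search(line)
        if m and current is not None and not offered[current]:
            offered[current] = PA_NAME_RE.findall(m.group(1))
    return offered


def has_password_key(preauth_types: List[str]) -> bool:
    """True if the KDC offered any password-based preauth mechanism."""
    return bool(PASSWORD_PREAUTH & set(preauth_types))


def diagnose(text: str) -> Dict[str, str]:
    """Per principal, say whether the trace shows a usable long-term key."""
    verdicts: Dict[str, str] = {}
    for principal, types in parse_trace(text).items():
        if not types:
            verdicts[principal] = "no preauth list seen (incomplete trace)"
        elif has_password_key(types):
            verdicts[principal] = "long-term key present"
        else:
            verdicts[principal] = ("no password-based preauth offered: "
                                   "principal likely lacks Kerberos keys")
    return verdicts


if __name__ == "__main__":
    # Usage: KRB5_TRACE=/dev/stderr kinit USER 2>&1 | python3 check_preauth.py
    # With no piped input the constructed sample is analysed instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE
    for principal, verdict in diagnose(data).items():
        print(f"{principal}: {verdict}")
```

The check looks only at what the KDC offered, so it works on a failed kinit as well as a successful one, which is exactly the situation after a migrate-ds import: the migrated entry exists in LDAP but no krbPrincipalKey is set until the user authenticates once with migration mode enabled.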