ITreers UA via FreeIPA-users wrote:
Thank you for the reply.
As I understood from your reply, it's not possible to migrate passwords without the "migration" procedure after the ipa migrate-ds? During my test migrations from earlier (start of the last month) I managed to migrate and log in with old passwords after the ipa migrate-ds. I used the docker image "#rocky-9", and until the image was updated with the new OS version or some security updates (I don't know), I had 2 or 3 successful attempts at migrating users with their passwords. I was able to log in using kinit and web. How is that possible?
I think you are overusing the word migrate. After migrate-ds the users only have an LDAP password at best. In order to generate Kerberos keys they need to authenticate to LDAP while IPA is still in migration mode (ipa config-mod --enable-migration).
Logging into an IPA-enrolled client will do this key generation automatically if IPA is still in migration mode. Or, as Alexander said, there is a web site for this as well.
If you turn off the IPA migration then you will need to reset users' passwords so that keys can be generated.
rob
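
The distinction drawn in the reply above (an LDAP password alone versus generated Kerberos keys) can be audited from an LDIF export of the user entries. The following is an added example, not part of the original thread or of FreeIPA itself. It assumes the export was taken by an account permitted to read krbPrincipalKey; the sample entries and the state labels are made up.

```python
# Constructed sample of a privileged LDIF export after `ipa migrate-ds`; all values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
userPassword:: Y29uc3RydWN0ZWQ=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
userPassword:: Y29uc3RydWN0ZWQ=
krbPrincipalKey:: Y29uc3RydWN0
 ZWQ=

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
krbPrincipalName: carol@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Map each DN to the set of lowercased attribute names on the entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold an LDIF continuation line
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        name, sep, value = line.partition(":")
        if not line.strip():
            dn = None  # a blank line ends the entry
        elif sep and name.lower() == "dn":
            dn = value.strip()
            entries[dn] = set()
        elif dn is not None and sep and not line.startswith("#"):
            entries[dn].add(name.strip().lower())
    return entries

def report(ldif_text, migration_enabled):
    """Say what each account needs before kinit can work (labels are hypothetical)."""
    result = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        if "krbprincipalkey" in attrs:
            result[dn] = "kerberos-ready"  # keys already exist
        elif "userpassword" in attrs and migration_enabled:
            result[dn] = "bind-to-ldap-to-generate-keys"
        else:
            result[dn] = "reset-password"  # no usable path to keys
    return result

if __name__ == "__main__":
    print(report(SAMPLE_LDIF, migration_enabled=True))
```

Running the report with `migration_enabled=False` shows which accounts would be left needing a password reset if migration mode were switched off at that point.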