Hello,
I am deploying FreeIPA (RHEL IdM) for a client that wants to use it to replace NIS. To
ensure user convenience we want to migrate user accounts from the NIS map including
(hashed) passwords.
We have followed the FreeIPA guide for migration with passwords
<https://www.freeipa.org/page/NIS_accounts_migration_preservi...>
(as well as the Red Hat NIS migration guide
<https://access.redhat.com/documentation/en-us/red_hat_enterprise...>)
to develop migration scripts that import the required maps.
Everything is working fine, except the importing of hashed passwords. As the guide
specifies, the import script creates a new user by calling the following:

    ipa user-add $username --first=NIS --last=USER [...more arguments...] --setattr userpassword=$password
In this context, $password is the hashed password from the NIS passwd map (which is hashed
with DEScrypt) with the {crypt} prefix as required by 389-DS, as below.

    encpass=$(echo $line | cut -f2 -d:)
    password="{crypt}$encpass"
Subsequently, we try to finalize account migration by accessing the migration page
https://ipa.clientdomain.loc/ipa/migration as well as attempting to connect to an
onboarded host's SSH, but the credentials seem to fail (ergo no Kerberos hash can be
generated).
The SSH auth log shows the message below, and the IPA migration page fails with an
"incorrect username or password" message.

    pam_sss(sshd:auth): received for user testvry: 8 (Insufficient credentials to access authentication data)
We have performed this procedure with test users as well as actual users from the NIS map
to no avail. We have also tried all variants of password quoting, capitalizing, etc. Do
you have any idea what might be going wrong here?
Thanks a lot in advance!
Best regards,
Cas van Cooten
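The import step described in the post, as an added example that is not the poster's script or FreeIPA project code: a POSIX sh helper that takes one line of a NIS passwd map, checks that field 2 actually looks like a crypt(3) hash before wrapping it in the {crypt} prefix 389-DS expects, and builds the corresponding ipa user-add command as a dry run. The sample map lines and hashes are constructed, the user naming (--first=NIS --last=USER) follows the post, and the placeholder strings it refuses (the shadow "x", locked "*"/"!", and the "##user" form of passwd.adjunct maps) are an assumption about what such maps commonly carry instead of a hash; a field that is not a hash at all cannot authenticate no matter how it is quoted, so the script reports it instead of importing it.

```shell
#!/bin/sh
# Added example, not the poster's migration script or FreeIPA code.
# Turns one NIS passwd map line into the {crypt}<hash> value that
# "ipa user-add --setattr userpassword=" expects, refusing values that
# are placeholders rather than hashes. Sample input below is constructed.

# Print "{crypt}<hash>" for a passwd line; return 1 (with a note on
# stderr) when field 2 is not a crypt(3) hash.
nis_userpassword() {
  line=$1
  user=$(printf '%s\n' "$line" | cut -d: -f1)
  hash=$(printf '%s\n' "$line" | cut -d: -f2)
  case $hash in
    ''|x|'*'|'!'|'!!'|'##'*)
      # Assumed placeholders: empty, shadow "x", locked, passwd.adjunct "##user".
      printf 'skip %s: no usable hash in field 2 (%s)\n' "$user" "$hash" >&2
      return 1 ;;
  esac
  if printf '%s\n' "$hash" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
    :   # traditional DES crypt: 2-char salt + 11 chars, as in the post
  elif printf '%s\n' "$hash" | grep -Eq '^\$[0-9a-z]+\$'; then
    :   # modular crypt ($1$ md5, $5$/$6$ sha); assumed acceptable to 389-DS {crypt}
  else
    printf 'skip %s: field 2 is not a recognised crypt hash (%s)\n' "$user" "$hash" >&2
    return 1
  fi
  printf '{crypt}%s\n' "$hash"
}

# Print the ipa user-add command for a passwd line (dry run: nothing is
# executed). The option names used here exist in ipa user-add.
nis_user_add_cmd() {
  line=$1
  pw=$(nis_userpassword "$line") || return 1
  IFS=: read -r user pwfield uid gid gecos home shell <<EOF
$line
EOF
  printf "ipa user-add '%s' --first=NIS --last=USER --uid='%s' --gidnumber='%s' --gecos='%s' --homedir='%s' --shell='%s' --setattr userpassword='%s'\n" \
    "$user" "$uid" "$gid" "$gecos" "$home" "$shell" "$pw"
}

# Constructed map excerpt standing in for "ypcat passwd": one DES hash,
# one sha512 hash, one shadow placeholder, one passwd.adjunct placeholder.
while IFS= read -r line; do
  nis_user_add_cmd "$line" || :
done <<'EOF'
testvry:abJnggxhB/yWI:1001:1001:Test User:/home/testvry:/bin/sh
sha:$6$saltsalt$hashhash:1002:1002:Sha User:/home/sha:/bin/bash
nohash:x:1003:1003:Shadow Placeholder:/home/nohash:/bin/sh
adj:##adj:1004:1004:Adjunct Placeholder:/home/adj:/bin/sh
EOF
```

Run it against a real `ypcat passwd` dump before the import to see which entries would be skipped; replace the final `printf` in nis_user_add_cmd with an `eval` of the same string only after reviewing the output, since values containing a single quote would need further escaping.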