Hi,
We're in the process of migrating from an OpenLDAP server to FreeIPA. As such the issue of password migration of course shows up. Unfortunately the automatic migration in sssd is not working and we could use some help.
Server is a RHEL 8 set up using ipa-server-install and data migrated from OpenLDAP using ipa migrate-ds.
Client is a Fedora 32 set up using ipa-client-install.
User lookup works fine, but trying to authenticate gives us this:
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=ossman
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth): received for user ossman: 17 (Failure setting user credentials)
Nothing in the journal from sssd or in its own log files when this happens.
Turning up the logging to 6 gives me a lot more, among it this:
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CENDIO.SE]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [get_and_save_tgt] (0x0020): 1704: [-1765328174][Generic preauthentication failure]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [k5c_send_data] (0x0200): Received error code 1432158222
Red Hat's documentation suggests an error called "key type is not supported" should be given, so is this perhaps the issue?
Not sure where to continue here. I've checked the LDAP entries and they lack "krbprincipalkey" but have "userpassword", which I understand is correct for my situation.
Regards
On 22/05/2020 16:20, Pierre Ossman via FreeIPA-users wrote:
Hi,
We're in the process of migrating from an OpenLDAP server to FreeIPA. As such the issue of password migration of course shows up. Unfortunately the automatic migration in sssd is not working and we could use some help.
Managed to find it on my own in this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
TL;DR: migration mode needs to be enabled on the IPA server
It isn't 100% clear what other effects this has though. What risks are we exposing ourselves to in this mode? How much of a rush should we be in to get everyone migrated?
Regards
On Fri, May 22, 2020 at 04:36:15PM +0200, Pierre Ossman via FreeIPA-users wrote:
On 22/05/2020 16:20, Pierre Ossman via FreeIPA-users wrote:
Hi,
We're in the process of migrating from an OpenLDAP server to FreeIPA. As such the issue of password migration of course shows up. Unfortunately the automatic migration in sssd is not working and we could use some help.
Managed to find it on my own in this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
TL;DR: migration mode needs to be enabled on the IPA server
It isn't 100% clear what other effects this has though. What risks are we exposing ourselves to in this mode? How much of a rush should we be in to get everyone migrated?
Hi,
yes, migration mode has to be enabled until all users have logged in once.
If the migration mode is enabled SSSD will try LDAP authentication if Kerberos authentication fails with specific errors. During the LDAP bind the user password is sent in clear text in a TLS tunnel. So it cannot be read from the network, but the IPA server now knows the clear text password and can generate the needed Kerberos keys with the help of the clear text password after the LDAP bind was successful. Since the Kerberos keys are stored in the directory server as well, a directory server plugin is handling this if migration mode is enabled. After the Kerberos keys are set for the given user, the next time the user logs in Kerberos authentication is used.
HTH
bye, Sumit
Regards
Pierre Ossman
Software Development
Cendio AB
https://cendio.com
Teknikringen 8
https://twitter.com/ThinLinc
583 30 Linköping
https://facebook.com/ThinLinc
Phone: +46-13-214600
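Sumit's explanation above suggests two things an admin wants to check during the migration window: whether migration mode is actually enabled, and which users still have only a userPassword (i.e. have not yet logged in once and had their Kerberos keys generated). The script below is an added example, not from the thread or the FreeIPA project; it assumes an admin Kerberos ticket for `ipa` and `ldapsearch -Y GSSAPI`, and the environment variable IPA_USER is a hypothetical name for the account to inspect.

```shell
#!/bin/sh
# Added example (not from the thread). Parses `ipa config-show` and the user's
# LDAP entry to report migration status; live calls run only if `ipa` exists.

# Return 0 if the `ipa config-show` text ($1) says migration mode is enabled.
migration_enabled() {
    printf '%s\n' "$1" | grep -qi '^ *Enable migration mode: *TRUE'
}

# Classify a user's LDIF ($1): "migrated" once krbPrincipalKey exists,
# "pending" if only userPassword is present (still needs one LDAP-bind login),
# "no-password" if neither attribute is there.
classify_user() {
    if printf '%s\n' "$1" | grep -qi '^krbPrincipalKey'; then
        echo migrated
    elif printf '%s\n' "$1" | grep -qi '^userPassword'; then
        echo pending
    else
        echo no-password
    fi
}

# Live checks, only when the IPA CLI is installed and IPA_USER (hypothetical) is set.
if command -v ipa >/dev/null 2>&1 && [ -n "${IPA_USER:-}" ]; then
    cfg=$(ipa config-show)
    if migration_enabled "$cfg"; then
        echo "migration mode: enabled"
    else
        echo "migration mode: disabled (enable with: ipa config-mod --enable-migration=TRUE)"
    fi
    base=$(ipa env basedn | awk '{print $2}')
    # krbPrincipalKey is ACI-protected; reading it needs admin (or DM) rights.
    entry=$(ldapsearch -LLL -o ldif-wrap=no -Y GSSAPI \
        -b "cn=users,cn=accounts,$base" "(uid=$IPA_USER)" \
        krbPrincipalKey userPassword 2>/dev/null)
    echo "$IPA_USER: $(classify_user "$entry")"
fi
```

Once every user reports "migrated", migration mode can be switched off again so the server stops accepting clear-text LDAP binds as an authentication fallback.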