9:20 a.m.
Hi,
We're in the process of migrating from an OpenLDAP server to FreeIPA. As
such the issue of password migration of course shows up. Unfortunately
the automatic migration in sssd is not working and we could use some help.
Server is a RHEL 8 set up using ipa-server-install and data migrated
from OpenLDAP using ipa migrate-ds.
Client is a Fedora 32 set up using ipa-client-install.
User lookup works fine, but trying to authenticate gives us this:
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=ossman
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth): received for user
ossman: 17 (Failure setting user credentials)
Nothing in the journal from sssd or in its own log files when this happens.
Turning up the logging to 6 gives me a lot more, among it this:
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]]
[get_and_save_tgt] (0x0400): Attempting kinit for realm [CENDIO.SE]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [get_and_save_tgt] (0x0020): 1704:
[-1765328174][Generic preauthentication failure]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [map_krb5_error] (0x0020):
[1432158222][Failure setting user credentials].
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [k5c_send_data] (0x0200): Received
error code 1432158222
Red Hat's documentation suggest an error called "key type is not
supported" should be given, so is this perhaps the issue?
Not sure where to continue here. I've checked the ldap entries an they
lack "krbprincipalkey" but have "userpassword", which I understand is
correct for my situation.
Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
9:36 a.m.
On 22/05/2020 16:20, Pierre Ossman via FreeIPA-users wrote:
Hi,
We're in the process of migrating from an OpenLDAP server to FreeIPA. As
such the issue of password migration of course shows up. Unfortunately
the automatic migration in sssd is not working and we could use some help.
Managed to find it on my own in this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
TL;DR: migration mode needs to be enabled on the IPA server
It isn't 100% clear what other effects this has though. What risks are
we exposing ourselves to in this mode? How much of a rush should we be
in to get everyone migrated?
Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
1:51 p.m.
On Fri, May 22, 2020 at 04:36:15PM +0200, Pierre Ossman via FreeIPA-users wrote:
On 22/05/2020 16:20, Pierre Ossman via FreeIPA-users wrote:
> Hi,
>
> We're in the process of migrating from an OpenLDAP server to FreeIPA. As
> such the issue of password migration of course shows up. Unfortunately
> the automatic migration in sssd is not working and we could use some
> help.
>
Managed to find it on my own in this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
TL;DR: migration mode needs to be enabled on the IPA server
It isn't 100% clear what other effects this has though. What risks are we
exposing ourselves to in this mode? How much of a rush should we be in to
get everyone migrated?
Hi,
yes, migration mode has to be enabled until all users have logged in
once.
If the migration mode is enabled SSSD will try LDAP authentication is
Kerberos authentication fails with specific errors. During the LDAP bind
the user password is send in clear text in a TLS tunnel. So it cannot be
read from the network but the IPA server now knows the clear text
password and can generate the needed Kerberos keys with the help of the
clear text password after the LDAP bind was successful. Since the
Kerberos keys are stored in the directory server as well a directory
server plugin is handling this if migration mode is enabled. After the
Kerberos keys are set for the given user the next time the user will log
in Kerberos authentication is used.
HTH
bye,
Sumit
Regards
--
Pierre Ossman Software Development
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1434
days inactive
1434
days old
freeipa-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Pierre Ossman -
Sumit Bose