[Freeipa-users] Migration from NIS, hashed passwords, "Pre-authentication failed: Invalid argument while getting initial credentials"

Simon Matthews via FreeIPA-users Fri, 17 Dec 2021 11:16:49 -0800

Platform is a fully-updated CentOS 7 instance. I have installed 
ipa-server-4.6.8-5.el7.centos.9.x86_64 and all the dependent packages.


The RedHat documentation tells you to use a script that sets all passwords to 
the same fixed string, however, I would like to use the hashed passwords from 
my NIS instance. The NIS server passwrod policy is set to "sha512". 

I have set:
 ipa config-mod --enable-migration=true

It appears that the RedHat build does not allow encrypted passwords with "ipa 
user-mod", but I am trying to set the password with "ipa user-add". However, 
whenever I do this, attempting to test the login results in: 
kinit: Pre-authentication failed: Invalid argument while getting initial 
credentials


 ipa user-add  blahblah --first=NIS --last=USER --setattr 
'userpassword={sha512}$6$WZktVggI$Rsmo.M31dUfgalp5e39a47FwjfdM5UA9UT1dwvKjrLJZVjh7SxG0g2SuDYOZmFM9mdGeTIz8KZpZukKouNQR1/'
 --uid=4444 --gid=444 --gecos='Blah' --homedir=/home/blah --shell=/bin/bash
---------------------
Added user "blahblah"
---------------------
  User login: blahblah
  First name: NIS
  Last name: USER
  Full name: NIS USER
  Display name: NIS USER
  Initials: NU
  Home directory: /home/blah
  GECOS: Blah
  Login shell: /bin/bash
  Principal name: blahb...@sj.bps
  Principal alias: blahb...@sj.bps
  Email address: blahb...@sj.bps
  UID: 4444
  GID: 444
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False
[root@ipa1 ~]# kinit blahblah
kinit: Pre-authentication failed: Invalid argument while getting initial 
credentials

It doesn't seem to matter what I specify for "{crypt}": md5 or sha512, I get 
the same message. 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

[Freeipa-users] Migration from NIS, hashed passwords, "Pre-authentication failed: Invalid argument while getting initial credentials"

Reply via email to