On Fri, 17 Dec 2021, Simon Matthews via FreeIPA-users wrote:
> Platform is a fully-updated CentOS 7 instance. I have installed
> ipa-server-4.6.8-5.el7.centos.9.x86_64 and all the dependent packages.
>
> The RedHat documentation tells you to use a script that sets all
> passwords to the same fixed string, however, I would like to use the
> hashed passwords from my NIS instance. The NIS server password policy
> is set to "sha512".
>
> I have set:
> ipa config-mod --enable-migration=true
>
> It appears that the RedHat build does not allow encrypted passwords
> with "ipa user-mod", but I am trying to set the password with "ipa
> user-add". However, whenever I do this, attempting to test the login
> results in: kinit: Pre-authentication failed: Invalid argument while
> getting initial credentials

That's correct. You have no Kerberos key associated with the entry, only
(some) LDAP password hash.

In order to obtain a Kerberos ticket, the KDC needs to have its own encryption
keys for each user. During migration you don't have any until you
attempt to authenticate over LDAP with a plain-text password.

When migration mode is enabled, SSSD notices it and attempts to
authenticate to LDAP in case kinit fails. On LDAP authentication IPA
LDAP plugins handle this by generating Kerberos encryption keys for this
user account because now they have a plain-text password -- this happens
after the plain-text password was successfully authenticated against
existing LDAP password hash.

So you need to authenticate before being able to use Kerberos -- either
by doing a login through SSSD PAM services (ssh with password, for
example) or by directly doing LDAP authentication with a password.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
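The second option above (a direct LDAP authentication with the user's password, followed by kinit) as a small script. This is an added example and not code from the thread or from the FreeIPA project; the LDAP URI, base DN, the `uid=...,cn=users,cn=accounts,<base>` DN layout and the "base DN maps to the realm name" convention are assumptions and should be checked against `ipa config-show` on the real server. The password is never passed on a command line: ldapwhoami reads it from a mode-0600 temporary file and kinit reads it from stdin.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): perform the one LDAP simple bind that,
# in IPA migration mode, lets the IPA LDAP plugins derive Kerberos keys for a
# user whose entry only carries a password hash, then confirm kinit works.
# Assumptions: IPA's default DN layout and realm convention; STARTTLS on the
# LDAP URI given (-ZZ) so the plain-text password never travels in the clear.
set -eu

# uid=<user>,cn=users,cn=accounts,<base DN>  (IPA default user container)
ipa_user_dn() {
    local uid=$1 basedn=$2
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$uid" "$basedn"
}

# dc=example,dc=test -> EXAMPLE.TEST. This is only IPA's *default* convention;
# verify the real realm with `ipa config-show` before relying on it.
basedn_to_realm() {
    printf '%s' "$1" | tr ',' '\n' | sed 's/^dc=//' \
        | paste -sd. - | tr '[:lower:]' '[:upper:]'
}

# Usage: migrate_user_keys ldap://ipa.example.test dc=example,dc=test simon
migrate_user_keys() {
    local ldap_uri=$1 basedn=$2 uid=$3 realm dn pw pwfile ccache
    realm=$(basedn_to_realm "$basedn")
    dn=$(ipa_user_dn "$uid" "$basedn")

    printf 'Password for %s: ' "$uid" >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2

    umask 077                      # temp files readable by this user only
    pwfile=$(mktemp); ccache=$(mktemp)
    trap 'rm -f "$pwfile" "$ccache"' EXIT
    printf '%s' "$pw" > "$pwfile"  # no trailing newline: -y uses the file verbatim

    # Step 1: LDAP simple bind with the real password. In migration mode a
    # successful bind against the stored hash is what triggers key generation
    # for this entry; a wrong password simply fails here (exit code != 0).
    ldapwhoami -x -ZZ -H "$ldap_uri" -D "$dn" -y "$pwfile"

    # Step 2: kinit into a private ccache. Before step 1 this is the call that
    # fails with "Pre-authentication failed"; afterwards it must succeed.
    printf '%s\n' "$pw" | KRB5CCNAME="FILE:$ccache" kinit "$uid@$realm"
    KRB5CCNAME="FILE:$ccache" klist
    KRB5CCNAME="FILE:$ccache" kdestroy
}

# Only run when invoked with arguments, so the helpers can be sourced.
if [ "$#" -eq 3 ]; then
    migrate_user_keys "$1" "$2" "$3"
fi
```

Run it once per migrated user (or let the first SSSD password login do the same thing); after that the entry has Kerberos keys and kinit behaves normally. Remember to turn migration mode off again (`ipa config-mod --enable-migration=false`) once all users have been through this, since in that mode a failed kinit falls back to an LDAP password bind on every login.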
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure