On Sat, 18 Dec 2021, Simon Matthews via FreeIPA-users wrote:
Thanks for the help.

Unfortunately, I must have missed something: the password that I set
with "setattr userpassword=<>" is not accepted.

I set up another VM, configured it using the ipa-client-install script,
and I can do "su <username>" on the client, but both an ssh login and a
"passwd" command fail on the password.

Should I have configured my ipa server to also be a NIS server for the
transition? I see that the server has a yp.conf file that appears to
have been configured when I configured the ipa server and client.

You are importing your users and passwords from non-LDAP to LDAP, so
there is no need to setup and use NIS anymore. IPA NIS server emulation
also does not support exposing shadow map so auth via NIS will not work.

Looking at the 389-ds code, I think you should be using the {crypt} prefix
instead of {sha512}. SHA512 passwords are stored differently from how UNIX
crypt(3) hashes are. See the RHDS documentation for details, for example,
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/deployment_guide/designing_a_secure_directory-designing_a_password_policy#Password_Policy_Attributes-Password_Storage_Scheme

This is also described in 
https://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
-------
NOTE: Use {crypt} for any password taken from an NIS dump or /etc/shadow. It 
defines the password storage scheme that crypt(3) uses.
-------

Remove the test user and create it again, using --setattr
userpassword={crypt}<hash-from-NIS>.

Then just try
  ldapwhoami -Z -H ldap://ipa.server \
     -D uid=<username>,cn=users,cn=accounts,dc=example,dc=test \
     -W
This should output the same DN as in -D in the case of success and
should be enough to verify that authentication is working.

If it is not, then either your password hash is incorrect for 389-ds or
the entered password is incorrect.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
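The import step described in the reply (take the hash field from an NIS dump
or /etc/shadow, prefix it with {crypt}, pass it via --setattr userpassword=...,
then confirm with ldapwhoami), worked through as an added example. This is
not code from FreeIPA or from the thread's participants. The shadow lines and
the SHA-512 crypt hash in it are constructed for illustration (the hash is
not the hash of any known password), and the users container, base DN and
server name (cn=users,cn=accounts, dc=example,dc=test, ipa.server) are taken
from the ldapwhoami command in the reply. The example goes slightly beyond
the thread by skipping the fields that are not crypt hashes at all: locked
accounts ("!" prefix, "*", "!!") and the "x" placeholder an NIS passwd map
carries when the hash lives in the shadow map.

```python
"""Turn NIS/shadow password hashes into FreeIPA userpassword values.

Added example, not FreeIPA project code. Sample shadow lines and the hash
below are constructed; the hash does not correspond to any known password.
Assumed layout (from the reply's ldapwhoami command): users live under
cn=users,cn=accounts,dc=example,dc=test on ldap://ipa.server.
"""
import re

# Field values that mean "no usable password" in /etc/shadow or an NIS
# passwd/shadow dump. Importing these with a {crypt} prefix would create
# accounts nobody can bind as ("x" is not even a valid crypt string).
NO_PASSWORD = {"", "*", "!", "!!", "x", "*LK*", "*NP*"}

# crypt(3) output formats: modular $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512),
# optionally with rounds=, and the 13-character traditional DES form.
MODULAR_RE = re.compile(
    r"^\$(?:1|5|6)\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+$")
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> str:
    """Return 'locked', 'crypt' or 'unknown' for a shadow/NIS password field."""
    if field in NO_PASSWORD or field.startswith("!"):
        # "passwd -l" locks an account by prefixing the hash with "!".
        return "locked"
    if MODULAR_RE.match(field) or DES_RE.match(field):
        return "crypt"
    return "unknown"


def userpassword_value(field: str) -> str:
    """Attribute value for 389-ds: the {crypt} tag, then the hash verbatim.

    {crypt} tells the server to verify binds with crypt(3). A {sha512} tag
    would mean the directory server's own salted SHA-512 encoding, so a
    shadow hash imported under that tag never matches the user's password.
    """
    kind = classify_hash(field)
    if kind != "crypt":
        raise ValueError(f"cannot import password field {field!r}: {kind}")
    return "{crypt}" + field


def ipa_user_add_argv(login, first, last, field):
    """argv for: ipa user-add <login> ... --setattr userpassword={crypt}<hash>

    Returned as a list so the '$' characters in the hash never reach a shell.
    """
    return ["ipa", "user-add", login, "--first", first, "--last", last,
            "--setattr", "userpassword=" + userpassword_value(field)]


def ldapwhoami_argv(login, base_dn="dc=example,dc=test",
                    server="ldap://ipa.server"):
    """The bind check from the reply: on success it prints the DN given to -D."""
    return ["ldapwhoami", "-Z", "-H", server,
            "-D", f"uid={login},cn=users,cn=accounts,{base_dn}", "-W"]


def hash_matches(password, field):
    """Check a cleartext password against a crypt hash locally.

    Returns True/False, or None when the interpreter has no crypt module
    (removed in Python 3.13). False with a password the user is sure of
    means the hash in the dump is wrong, not the directory server.
    """
    if classify_hash(field) != "crypt":
        return False
    try:
        import crypt
        import hmac
    except ImportError:
        return None
    return hmac.compare_digest(crypt.crypt(password, field), field)


def plan_import(shadow_text):
    """Split shadow/NIS lines into (login, userpassword) pairs and skipped users."""
    importable, skipped = [], []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        login = fields[0]
        field = fields[1] if len(fields) > 1 else ""
        kind = classify_hash(field)
        if kind == "crypt":
            importable.append((login, userpassword_value(field)))
        else:
            skipped.append((login, kind))
    return importable, skipped


# Constructed sample data: a SHA-512 crypt hash of no real password.
SAMPLE_HASH = "$6$Rl2KqzLvWkE0pM9x$" + "Q9" * 43
SAMPLE_SHADOW = f"""\
# constructed /etc/shadow excerpt, not real accounts
alice:{SAMPLE_HASH}:19300:0:99999:7:::
bob:!{SAMPLE_HASH}:19300:0:99999:7:::
carol:x:19300:0:99999:7:::
dave:{{SHA512}}notacryptstring:19300:0:99999:7:::
"""

if __name__ == "__main__":
    importable, skipped = plan_import(SAMPLE_SHADOW)
    for login, value in importable:
        print(ipa_user_add_argv(login, login.title(), "Imported", value[7:]))
    for login, why in skipped:
        print(f"skipped {login}: {why}")
```

The returned argv lists are meant for subprocess.run rather than copy-paste:
a "$6$..." hash inside an unquoted or double-quoted shell argument is
expanded by the shell, which silently produces a corrupted hash and the
exact symptom in the thread (su works via the client's own cache or the
wrong backend, while an LDAP bind fails).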
