My first time posting. I didn't realize I needed to reply-all to include the group. Oops!
---------- Forwarded message ----------
From: Joanna Delaporte <joannadelapo...@gmail.com>
Date: Thu, Jun 30, 2016 at 10:21 AM
Subject: Re: [Freeipa-users] How to migrate users with md5 and sha512 passwords
To: Rob Crittenden <rcrit...@redhat.com>

Hi Rob,

Thanks for the clarification on the migration being able to handle standard crypt passwords of the standard hash types.

I seem to have one user that worked and one that didn't. I'm migrating about 4000 users, but I only have two users' passwords to test. The password that hasn't worked is about 20 chars long in cleartext. Do you know if there is a character length limit for the passwords?

Today I'll be deleting and re-adding those two users a few times while I try to figure out what I am missing. What is the best way to make sure the client has an updated password accessible to sssd? I looked through the RHEL 7 Domain Identity, Auth, and Policy Guide and didn't find a recommended procedure for refreshing sssd cache. Should I restart the sssd service on the IPA client when I delete/readd a user with a crypt password?

I do have sshd set with ChallengeResponseAuthentication yes.

Thanks!
Joanna

On Thu, Jun 30, 2016 at 8:16 AM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Joanna Delaporte wrote:
>
>> I am migrating an NIS domain to IPA. I have attempted to follow the
>> instructions
>> <http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords>
>> for NIS account crypted password migration, but I haven't yet successfully
>> used password authentication to log in to remote machines.
>>
>> The instructions expect I would migrate DES-encrypted passwords, but I
>> have a mixture of md5 and sha512-encrypted passwords. Do I need to
>> follow a different process, or am I chasing the wrong problem?
>>
>> This is my first IPA realm.
>
> If you have crypt-compatible passwords ($6$<huge string>) then just pass
> it in as {crypt}$6$... and it should work fine.
>
> You can ONLY set a pre-hashed password in migration mode AND when adding
> the user. You can't add the user then set a hashed password.
>
> rob

--
Joanna Delaporte
Linux Systems Administrator | Parkland College
joannadelapo...@gmail.com
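
Added example, not part of the original thread or FreeIPA's own code: a pre-flight check for the approach in Rob's reply that classifies each NIS passwd hash by its crypt(3) prefix, rejects truncated or locked fields, and builds the `ipa user-add` arguments carrying `{crypt}<hash>`. The sample entries, the `NIS`/`USER` placeholder names and the function names are assumptions, and the command is only assembled here, to be run in migration mode.

```python
import re

# crypt(3) modular-format id -> (scheme name, expected hash length in chars)
SCHEMES = {"1": ("md5", 22), "5": ("sha256", 43), "6": ("sha512", 86)}
B64 = r"[./0-9A-Za-z]"
MCF_RE = re.compile(rf"^\$([0-9a-z]+)\$(?:rounds=\d+\$)?({B64}{{0,16}})\$({B64}+)$")
DES_RE = re.compile(rf"^{B64}{{13}}$")  # traditional DES crypt: 2-char salt + 11

def classify(field):
    """Return the crypt scheme of a passwd hash field, or None if unusable."""
    m = MCF_RE.match(field)
    if m:
        name, length = SCHEMES.get(m.group(1), (None, 0))
        # A wrong length means the hash was truncated or mangled in transit.
        return name if len(m.group(3)) == length else None
    return "des" if DES_RE.match(field) else None

def user_add_argv(passwd_line):
    """Build an `ipa user-add` argv for one NIS passwd entry, or None to skip."""
    name, pw, uid, gid, gecos, home, shell = passwd_line.rstrip("\n").split(":")
    if classify(pw) is None:
        return None  # '*', '!', empty or damaged field: nothing to migrate
    # Passing a list to subprocess.run() keeps a shell from expanding "$6$...".
    return ["ipa", "user-add", name,
            "--first=NIS", "--last=USER",  # placeholder names (assumption)
            f"--uid={uid}", f"--gidnumber={gid}", f"--gecos={gecos}",
            f"--homedir={home}", f"--shell={shell}",
            f"--setattr=userpassword={{crypt}}{pw}"]

# Constructed sample entries; the hash bodies are filler, not real hashes.
SAMPLE = [
    "alice:$6$saltsalt$" + "A" * 86 + ":1001:1001:Alice:/home/alice:/bin/bash",
    "bob:$1$saltsalt$" + "B" * 22 + ":1002:1002:Bob:/home/bob:/bin/bash",
    "carol:$6$saltsalt$" + "C" * 40 + ":1003:1003:Carol:/home/carol:/bin/bash",
    "dave:*:1004:1004:Dave:/home/dave:/bin/bash",
]

if __name__ == "__main__":
    for line in SAMPLE:
        argv = user_add_argv(line)
        print(line.split(":")[0], "->", argv[-1][:40] if argv else "skipped")
```
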