#1873 password migration is not working using sssd
Closed: Fixed None Opened 10 years ago by ksiddiqu.

SSSD version:
=============
[root@f18-ipa-master ~]# rpm -q sssd
sssd-1.9.92-0.20130408T2147Zgita28391f.fc18.x86_64
[root@f18-ipa-master ~]#

Steps followed :
================
(1)Enabled migration on IPA server

[root@f18-ipa-master ds-migration-functional]# ipa config-mod --enable-migration TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
[root@f18-ipa-master ds-migration-functional]#

(2)Performed Migratation

[root@f18-ipa-master ds-migration-functional]# ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://f18-ipa-client1.testrelm.com:389
Password: 
-----------
migrate-ds:
-----------
Migrated:
  user: puser1, puser2
  group: group1, group2
Failed user:
Failed group:
  accounting managers: This entry already exists
  hr managers: This entry already exists
  pd managers: This entry already exists
  qa managers: This entry already exists
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
[root@f18-ipa-master ds-migration-functional]# ipa user-show --all puser1|grep "Kerberos keys available"
  Kerberos keys available: False
[root@f18-ipa-master ds-migration-functional]#

(3)Using sssd for password migration

[root@f18-ipa-master ds-migration-functional]# ssh -q -o StrictHostKeyChecking=no -l puser1 f18-ipa-master.testrelm.com
puser1@f18-ipa-master.testrelm.com's password: 
puser1@f18-ipa-master.testrelm.com's password: 
puser1@f18-ipa-master.testrelm.com's password: 
[root@f18-ipa-master ds-migration-functional]#

Actual Result:
Password migration is not successful

Expected Result:
Password migration should be succesful

Please find the attached sssd_domain.log, krb5_child.log and var_log_secure.log

As far as I can tell this is a regression caused by the new krb5 error codes. We need to handle the error code that says that no credentials are available gracefully in ipa auth code and try migration (if enabled on the server).

Fields changed

description: SSSD version:

[root@f18-ipa-master ~]# rpm -q sssd
sssd-1.9.92-0.20130408T2147Zgita28391f.fc18.x86_64
[root@f18-ipa-master ~]#

Steps followed :

(1)Enabled migration on IPA server

[root@f18-ipa-master ds-migration-functional]# ipa config-mod --enable-migration TRUE
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: TRUE
Certificate Subject base: O=TESTRELM.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
[root@f18-ipa-master ds-migration-functional]#

(2)Performed Migratation

[root@f18-ipa-master ds-migration-functional]# ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://f18-ipa-client1.testrelm.com:389
Password:


migrate-ds:

Migrated:
user: puser1, puser2
group: group1, group2
Failed user:
Failed group:
accounting managers: This entry already exists
hr managers: This entry already exists
pd managers: This entry already exists
qa managers: This entry already exists


Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
[root@f18-ipa-master ds-migration-functional]# ipa user-show --all puser1|grep "Kerberos keys available"
Kerberos keys available: False
[root@f18-ipa-master ds-migration-functional]#

(3)Using sssd for password migration

[root@f18-ipa-master ds-migration-functional]# ssh -q -o StrictHostKeyChecking=no -l puser1 f18-ipa-master.testrelm.com
puser1@f18-ipa-master.testrelm.com's password:
puser1@f18-ipa-master.testrelm.com's password:
puser1@f18-ipa-master.testrelm.com's password:
[root@f18-ipa-master ds-migration-functional]#

Actual Result:
Password migration is not successful

Expected Result:
Password migration should be succesful

Please find the attached sssd_domain.log, krb5_child.log and var_log_secure.log

=> {{{

SSSD version:

[root@f18-ipa-master ~]# rpm -q sssd
sssd-1.9.92-0.20130408T2147Zgita28391f.fc18.x86_64
[root@f18-ipa-master ~]#

Steps followed :

(1)Enabled migration on IPA server

[root@f18-ipa-master ds-migration-functional]# ipa config-mod --enable-migration TRUE
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: TRUE
Certificate Subject base: O=TESTRELM.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
[root@f18-ipa-master ds-migration-functional]#

(2)Performed Migratation

[root@f18-ipa-master ds-migration-functional]# ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://f18-ipa-client1.testrelm.com:389
Password:


migrate-ds:

Migrated:
user: puser1, puser2
group: group1, group2
Failed user:
Failed group:
accounting managers: This entry already exists
hr managers: This entry already exists
pd managers: This entry already exists
qa managers: This entry already exists


Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
[root@f18-ipa-master ds-migration-functional]# ipa user-show --all puser1|grep "Kerberos keys available"
Kerberos keys available: False
[root@f18-ipa-master ds-migration-functional]#

(3)Using sssd for password migration

[root@f18-ipa-master ds-migration-functional]# ssh -q -o StrictHostKeyChecking=no -l puser1 f18-ipa-master.testrelm.com
puser1@f18-ipa-master.testrelm.com's password:
puser1@f18-ipa-master.testrelm.com's password:
puser1@f18-ipa-master.testrelm.com's password:
[root@f18-ipa-master ds-migration-functional]#

Actual Result:
Password migration is not successful

Expected Result:
Password migration should be succesful

Please find the attached sssd_domain.log, krb5_child.log and var_log_secure.log

}}}
milestone: NEEDS_TRIAGE => SSSD 1.10.0
rhbz: => 0

This is a regression, setting the severity as appropriate.

priority: major => blocker

Fields changed

owner: somebody => lslebodn

I found the commit c6872e7 which caused this regression.

Fields changed

patch: 0 => 1
status: new => assigned

Fields changed

changelog: =>
owner: lslebodn => okos
status: assigned => new

Fields changed

status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @ksiddiqu:
- Issue assigned to okos
- Issue set to the milestone: SSSD 1.10.0

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2915

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata