SSSD version:
=============

    [root@f18-ipa-master ~]# rpm -q sssd
    sssd-1.9.92-0.20130408T2147Zgita28391f.fc18.x86_64
    [root@f18-ipa-master ~]#

Steps followed :
================

(1) Enabled migration on IPA server

    [root@f18-ipa-master ds-migration-functional]# ipa config-mod --enable-migration TRUE
      Maximum username length: 32
      Home directory base: /home
      Default shell: /bin/sh
      Default users group: ipausers
      Default e-mail domain: testrelm.com
      Search time limit: 2
      Search size limit: 100
      User search fields: uid,givenname,sn,telephonenumber,ou,title
      Group search fields: cn,description
      Enable migration mode: TRUE
      Certificate Subject base: O=TESTRELM.COM
      Password Expiration Notification (days): 4
      Password plugin features: AllowNThash
      SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
      Default SELinux user: unconfined_u:s0-s0:c0.c1023
      Default PAC types: MS-PAC, nfs:NONE
    [root@f18-ipa-master ds-migration-functional]#

(2) Performed Migration

    [root@f18-ipa-master ds-migration-functional]# ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" --with-compat ldap://f18-ipa-client1.testrelm.com:389
    Password:
    -----------
    migrate-ds:
    -----------
    Migrated:
      user: puser1, puser2
      group: group1, group2
    Failed user:
    Failed group:
      accounting managers: This entry already exists
      hr managers: This entry already exists
      pd managers: This entry already exists
      qa managers: This entry already exists
    ----------
    Passwords have been migrated in pre-hashed format.
    IPA is unable to generate Kerberos keys unless provided
    with clear text passwords. All migrated users need to
    login at https://your.domain/ipa/migration/ before they
    can use their Kerberos accounts.

    [root@f18-ipa-master ds-migration-functional]# ipa user-show --all puser1|grep "Kerberos keys available"
      Kerberos keys available: False
    [root@f18-ipa-master ds-migration-functional]#

(3) Using sssd for password migration

    [root@f18-ipa-master ds-migration-functional]# ssh -q -o StrictHostKeyChecking=no -l puser1 f18-ipa-master.testrelm.com
    puser1@f18-ipa-master.testrelm.com's password:
    puser1@f18-ipa-master.testrelm.com's password:
    puser1@f18-ipa-master.testrelm.com's password:
    [root@f18-ipa-master ds-migration-functional]#

Actual Result: Password migration is not successful

Expected Result: Password migration should be successful

Please find the attached sssd_domain.log, krb5_child.log and var_log_secure.log
sssd domain log file sssd_domain.log
krb5_child log file krb5_child.log
/var/log/secure log file var_log_secure.log
As far as I can tell this is a regression caused by the new krb5 error codes. We need to handle the error code that says that no credentials are available gracefully in ipa auth code and try migration (if enabled on the server).
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.10.0
rhbz: => 0
This is a regression, setting the severity as appropriate.
priority: major => blocker
owner: somebody => lslebodn
I found the commit c6872e7 which caused this regression.
patch: 0 => 1
status: new => assigned
changelog: =>
owner: lslebodn => okos
status: assigned => new
status: new => assigned
resolution: => fixed status: assigned => closed
Metadata Update from @ksiddiqu:
- Issue assigned to okos
- Issue set to the milestone: SSSD 1.10.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2915
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.