Hi,
We're in the process of migrating from an OpenLDAP server to FreeIPA. As such the issue of password migration of course shows up. Unfortunately the automatic migration in sssd is not working and we could use some help.
Server is a RHEL 8 set up using ipa-server-install and data migrated from OpenLDAP using ipa migrate-ds.
Client is a Fedora 32 set up using ipa-client-install.
User lookup works fine, but trying to authenticate gives us this:
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=ossman
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth): received for user ossman: 17 (Failure setting user credentials)
Nothing in the journal from sssd or in its own log files when this happens.
Turning up the logging to 6 gives me a lot more, among it this:
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CENDIO.SE]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [get_and_save_tgt] (0x0020): 1704: [-1765328174][Generic preauthentication failure]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [k5c_send_data] (0x0200): Received error code 1432158222
Red Hat's documentation suggests an error called "key type is not supported" should be given, so is this perhaps the issue?
Not sure where to continue here. I've checked the ldap entries and they lack "krbprincipalkey" but have "userpassword", which I understand is correct for my situation.
Regards