ITreers UA via FreeIPA-users wrote:
> Thank you for the reply.
> As I understood from your reply, it's not possible to migrate passwords without the
> "migration" procedure after the ipa migrate-ds?
> During my test migrations from earlier (start of the last month) I have managed to
> migrate and log in with old passwords after the ipa migrate-ds.
> I used docker image "#rocky-9" and until the image was updated with the new OS
> version or some security updates, I don't know, I had 2 or 3 successful attempts at the
> migration of users with the passwords. I was able to log in using kinit and web. How is it
> possible?

I think you are overusing the word migrate. After migrate-ds the users
only have an LDAP password at best. In order to generate Kerberos keys
they need to authenticate to LDAP while IPA is still in migration mode
(ipa config-mod --enable-migration).
Logging into an IPA-enrolled client will do this key generation
automatically if IPA is still in migration mode. Or, as Alexander said,
there is a web site for this as well.
If you turn off the IPA migration then you will need to reset users'
passwords so that keys can be generated.
rob
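
The following is an added example, not part of the thread or of FreeIPA itself. It is one way to see which migrated accounts still have only an LDAP password and no Kerberos keys before migration mode is turned off. It assumes the keys are stored in the krbPrincipalKey attribute and the LDAP password in userPassword; the base DN, the sample LDIF and the function name users_missing_keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: find migrated users that have an LDAP password but no
# Kerberos keys yet. Attribute names (userPassword, krbPrincipalKey) are
# assumptions about the directory schema, not taken from the thread.
#
# On a real server the LDIF would come from a privileged search such as
# (base DN is a placeholder):
#   ldapsearch -x -D "cn=Directory Manager" -W \
#     -b "cn=users,cn=accounts,dc=example,dc=test" \
#     uid userPassword krbPrincipalKey

# Reads LDIF on stdin; prints the uid of each entry that has a
# userPassword value but no krbPrincipalKey value.
users_missing_keys() {
    awk '
        function emit() {
            if (uid != "" && has_pw && !has_key) print uid
            uid = ""; has_pw = 0; has_key = 0
        }
        { line = tolower($0) }
        /^$/                     { emit(); next }     # blank line ends an entry
        line ~ /^uid:/           { sub(/^[^:]*:+ */, ""); uid = $0; next }
        line ~ /^userpassword:/  { has_pw = 1; next }
        line ~ /^krbprincipalkey:/ { has_key = 1; next }
        END                      { emit() }           # last entry has no blank line
    '
}

# Constructed sample: alice was imported by migrate-ds and never bound,
# bob already authenticated during migration mode, carol has no password.
SAMPLE_LDIF='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword:: Y29uc3RydWN0ZWQtaGFzaA==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
userPassword:: Y29uc3RydWN0ZWQtaGFzaA==
krbPrincipalKey:: Y29uc3RydWN0ZWQta2V5

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol'

# Accounts listed here still need an LDAP bind in migration mode
# (or a password reset afterwards) before kinit can work.
printf '%s\n' "$SAMPLE_LDIF" | users_missing_keys
```

An empty result means every account with a migrated password already has keys, so disabling migration mode would not strand anyone.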