I am deploying FreeIPA (RHEL IdM) for a client that wants to use it to replace NIS. To ensure user convenience we want to migrate user accounts from the NIS map including (hashed) passwords.

We have followed the FreeIPA guide for migration with passwords (as well as the Red Hat NIS migration guide) to develop migration scripts that import the required maps.

Everything is working fine, except importing the hashed passwords. As the guide specifies, the import script creates a new user by calling the following:

ipa user-add "$username" --first=NIS --last=USER […more arguments…] --setattr "userpassword=$password"

In this context, $password is the hashed password from the NIS passwd map (hashed with DEScrypt), with the {crypt} prefix that 389-DS requires for pre-hashed values, as below.

encpass=$(echo "$line" | cut -f2 -d:)   # second field of the NIS passwd entry: the DEScrypt hash
password="{crypt}${encpass}"            # prefix required by 389-DS for a pre-hashed userPassword

Subsequently, we try to finalize account migration by accessing the migration page https://ipa.clientdomain.loc/ipa/migration as well as attempting to connect to an onboarded host’s SSH, but the credentials seem to fail (ergo no Kerberos hash can be generated).

The SSH auth log shows the message below, and the IPA migration page fails with an “incorrect username or password” message.

                pam_sss(sshd:auth): received for user testvry: 8 (Insufficient credentials to access authentication data)

We have performed this procedure with test users as well as actual users from the NIS map to no avail. We have also tried all variants of password quoting, capitalizing, etc. Do you have any idea what might be going wrong here?

Thanks a lot in advance!

Best regards,

Cas van Cooten
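As an added illustration (not the poster's migration script), here is a Python version of the map-to-`ipa user-add` step that validates the hash field before building the {crypt} value and passes it as a single argv element, so locked (`*`, `!`), shadowed (`x`) and malformed entries are flagged for a password reset instead of being imported as unusable credentials. The sample map lines are constructed, and the `--uid`/`--gidnumber`/`--homedir`/`--shell` options stand in for the arguments elided in the post.

```python
import re

# Constructed sample NIS passwd map lines (not real accounts): one valid
# DEScrypt entry, one locked account, one shadowed entry, one malformed hash.
SAMPLE_PASSWD_MAP = """\
testvry:abJnggxhB/yWI:1001:1001:Test User:/home/testvry:/bin/bash
locked:*:1002:1002:Locked User:/home/locked:/sbin/nologin
shadowed:x:1003:1003:Shadowed User:/home/shadowed:/bin/bash
badhash:not-a-hash:1004:1004:Bad Hash:/home/badhash:/bin/bash
"""

# Traditional DEScrypt: 2-char salt + 11-char hash, all from the crypt alphabet.
DESCRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format (md5crypt/sha256crypt/sha512crypt), also accepted under {crypt}.
MCF_RE = re.compile(r"^\$(1|5|6)\$[^$]{1,16}\$[./0-9A-Za-z]+$")

def crypt_userpassword(hash_field):
    """Return the 389-DS userPassword value for a NIS hash field, or None when
    the field carries nothing importable (empty, shadowed, locked or malformed)."""
    if not hash_field or hash_field in ("x", "*") or hash_field.startswith("!"):
        return None
    if DESCRYPT_RE.match(hash_field) or MCF_RE.match(hash_field):
        return "{crypt}" + hash_field
    return None

def parse_passwd_line(line):
    """Split one passwd(5) line into its seven fields; None if malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    keys = ("name", "hash", "uid", "gid", "gecos", "home", "shell")
    return dict(zip(keys, fields))

def ipa_user_add_argv(entry):
    """Build the argv for `ipa user-add` from a parsed entry. The hash travels as
    one argv element, so no shell word-splitting or quoting can alter it."""
    argv = ["ipa", "user-add", entry["name"], "--first=NIS", "--last=USER",
            "--uid=" + entry["uid"], "--gidnumber=" + entry["gid"],
            "--homedir=" + entry["home"], "--shell=" + entry["shell"]]
    userpassword = crypt_userpassword(entry["hash"])
    if userpassword is not None:
        argv.append("--setattr=userpassword=" + userpassword)
    return argv

def plan_migration(passwd_map):
    """Return (argv lists, names that need a manual password) for a whole map."""
    commands, needs_reset = [], []
    for line in passwd_map.splitlines():
        entry = parse_passwd_line(line)
        if entry is None or not entry["name"]:
            continue
        commands.append(ipa_user_add_argv(entry))
        if crypt_userpassword(entry["hash"]) is None:
            needs_reset.append(entry["name"])
    return commands, needs_reset
```

Run the returned argv lists with `subprocess.run(argv, check=True)` after `kinit` as an admin; the `needs_reset` list tells you which users the migration page cannot serve and must get a password set by hand.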
