Hi,
We're in the process of migrating from an OpenLDAP server to FreeIPA. As
such the issue of password migration of course shows up. Unfortunately
the automatic migration in sssd is not working and we could use some help.
Server is a RHEL 8 set up using ipa-server-install and data migrated
from OpenLDAP using ipa migrate-ds.
Client is a Fedora 32 set up using ipa-client-install.
User lookup works fine, but trying to authenticate gives us this:
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=ossman
May 22 15:11:26 samuel.lkpg.cendio.se sshd[3213]: pam_sss(sshd:auth): received for user ossman: 17 (Failure setting user credentials)
Nothing in the journal from sssd or in its own log files when this happens.
Turning up the logging to 6 gives me a lot more, among it this:
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [CENDIO.SE]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [get_and_save_tgt] (0x0020): 1704: [-1765328174][Generic preauthentication failure]
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].
(Fri May 22 15:12:45 2020) [[sssd[krb5_child[3262]]]] [k5c_send_data] (0x0200): Received error code 1432158222
Red Hat's documentation suggests an error called "key type is not
supported" should be given, so is this perhaps the issue?
Not sure where to continue here. I've checked the ldap entries and they
lack "krbprincipalkey" but have "userpassword", which I understand is
correct for my situation.
Regards
--
Pierre Ossman Software Development
Cendio AB
https://cendio.com
Teknikringen 8
https://twitter.com/ThinLinc
583 30 Linköping
https://facebook.com/ThinLinc
Phone: +46-13-214600
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
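
An added example, not part of the original message: the per-entry check described above (has "userpassword", lacks "krbprincipalkey"), run over an LDIF export to list which migrated accounts still have no Kerberos keys. It assumes the LDIF was exported by an account allowed to read both attributes; the sample entries and the three status labels are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not from the post): one account with only a
# migrated password hash, one that already has Kerberos keys, one with neither.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=bob,cn=users,cn=accounts,dc=example,
 dc=test
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalKey:: Y29uc3RydWN0ZWQ=

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
"""

def parse_ldif(text):
    """Return a list of entries as {lowercased attribute: [values]} dicts."""
    # Unfold continuation lines: a leading single space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):       # LDIF comment
            continue
        attr, _, value = line.partition(":")
        # "attr:: value" means the value is base64-encoded.
        value = (base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                 if value.startswith(":") else value.strip())
        # Attribute names are case-insensitive in LDAP, so normalise them.
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries

def classify(entry):
    """Hypothetical labels: Kerberos keys present, hash only, or nothing."""
    if "krbprincipalkey" in entry:
        return "kerberos-ready"
    return "pending-migration" if "userpassword" in entry else "no-credentials"

def report(text):
    return {e["dn"][0]: classify(e) for e in parse_ldif(text)}
```
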