Bug 769675

Summary: DS --> IPA Migration of clear text passwords migrates passwords as expired and keytab true
Product: Red Hat Enterprise Linux 6 Reporter: Jenny Severance <jgalipea>
Component: doc-Identity_Management_GuideAssignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE QA Contact: ecs-bugs
Severity: unspecified Docs Contact:
Priority: medium    
Version: 6.2CC: dpal, jskeoch, mkosek
Target Milestone: rcKeywords: Documentation
Target Release: 6.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-21 23:12:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jenny Severance 2011-12-21 17:19:43 UTC 
Description of problem:

When migrating users from 389 directory server to IPA, if the passwords are cleartext, they are migrated set to expired and the keytab is set to True::

  dn: uid=puser1,cn=users,cn=accounts,dc=testrelm
  User login: puser1
  Last name: User1
  Full name: Posix User1
  Home directory: /home/puser1
  Login shell: /bin/bash
  Kerberos principal: puser1@TESTRELM
  UID: 1001
  GID: 1001
  Account disabled: False
  Keytab: True  <====================================
  Password: True
  Member of groups: ipausers
  ipauniqueid: 84674e42-2be8-11e1-93d7-525400bf3811
  krbextradata: AAgBAA==, AAJB+/FOcm9vdC9hZG1pbkBURVNUUkVMTQA=
  krblastpwdchange: 20111221152905Z    <================= (time of migration)   
  krbpasswordexpiration: 20111221152905Z  <===============  (expired)
  mepmanagedentry: cn=puser1,cn=groups,cn=accounts,dc=testrelm
  objectclass: krbticketpolicyaux, ipaobject, organizationalperson, top, inetorgperson, person, inetuser, krbprincipalaux, posixaccount, mepOriginEntry

Upon attempt to migrate password, user is prompted to change password and then has to authentcate again


If passwords are hashed, the password is not set to expired and the transition is seamless via SSSD and the migration HTML page ::

# ipa user-show --all puser1
  dn: uid=puser1,cn=users,cn=accounts,dc=testrelm
  User login: puser1
  Last name: User1
  Full name: Posix User1
  Home directory: /home/puser1
  Login shell: /bin/bash
  Kerberos principal: puser1@TESTRELM
  UID: 1001
  GID: 1001
  Account disabled: False
  Keytab: False
  Password: True
  Member of groups: ipausers
  ipauniqueid: 459c43fc-2bed-11e1-9b2f-525400bf3811
  mepmanagedentry: cn=puser1,cn=groups,cn=accounts,dc=testrelm
  objectclass: krbticketpolicyaux, ipaobject, organizationalperson, top, inetorgperson, person, inetuser, krbprincipalaux, posixaccount, mepOriginEntry


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1.  set directory server instance for clear text passwords

# change password scheme
echo "dn: cn=config" > $PWDSCHEME
echo "changetype: modify" >> $PWDSCHEME
echo "replace: passwordstoragescheme" >> $PWDSCHEME
echo "passwordstoragescheme: clear" >> $PWDSCHEME

cat $PWDSCHEME

/usr/bin/ldapmodify -a -x -h $HOSTNAME -p $LDAPPORT -D "cn=Directory Manager" -w $ADMINPW -c -f $PWDSCHEME

2. add user 

        cat > instance1.ldif << instance1.ldif_EOF

version: 1

# entry-id: 10
dn: uid=puser1,ou=People,dc=example,dc=com
modifiersName: cn=directory manager
uidNumber: 1001
gidNumber: 1001
objectClass: top
objectClass: person
objectClass: posixAccount
uid: puser1
cn: Posix User1
sn: User1
homeDirectory: /home/puser1
loginshell: /bin/bash
userPassword: fo0m4nchU
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
nsUniqueId: 42598c8a-1dd211b2-8f88fe1c-fcc30000
instance1.ldif_EOF

/usr/bin/ldapmodify -a -x -h $HOSTNAME -p 389 -D "cn=Directory Manager" -w $ADMINPW -c -f instance1.ldif" 0

3.  enable migration on ipa server
  ipa config-mod --enable-migration=TRUE

4.  migrate user
  ipa migrate-ds --user-container="ou=People" --group-container="ou=groups" ldap://389ds.testrelm:389

5.  attempt ssh from enrolled ipa machine (or ipa server)
  ssh puser1
  
  
Actual results:


Expected results:


Additional info:

Example User from source 389 directory server ::


dn: uid=puser1,ou=People,dc=example,dc=com
uidNumber: 1001
gidNumber: 1001
objectClass: top
objectClass: person
objectClass: posixAccount
uid: puser1
cn: Posix User1
sn: User1
homeDirectory: /home/puser1
loginShell: /bin/bash
userPassword:: Zm8wbTRuY2hV


ldapsearch -x -D "cn=Directory Manager" -w Secret123 -b "cn=config" | grep passwordStorageScheme

passwordStorageScheme: CLEAR
Comment 1 Rob Crittenden 2012-01-03 15:33:18 UTC 
I think that because the password is cleartext we go ahead and create the Kerberos principal (I'm guessing as a side-effect). It is marked as expired because it is considered a password reset.

I think we'll need a way to short-circuit the password reset marking code beyond the current exclusion list.
Comment 2 Dmitri Pal 2012-01-05 21:00:58 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2225
Comment 3 Dmitri Pal 2012-01-10 17:28:50 UTC 
We decided that this is the right behavior that should be documented.
Comment 7 Deon Ballard 2012-06-21 23:12:45 UTC 
Closing.