
Bug 1075621

Summary: Add another Kerberos error code to trigger IPA password migration
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: urgent
Priority: urgent
Version: 7.0
CC: dpal, grajaiya, jgalipea, jhrozek, lslebodn, mkosek, nsoman, pbrezina, preichl, sbose
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.2-59.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 10:07:37 UTC

Description Jakub Hrozek 2014-03-12 13:26:39 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2279

With MIT Kerberos 1.11 and above, kinit for migrated IPA users without Kerberos keys returns KRB5_PROG_ETYPE_NOSUPP. This code should be added to the list of codes that trigger the IPA password migration.

Comment 1 Namita Soman 2014-03-12 16:41:54 UTC
Please add steps to verify

Comment 2 Jakub Hrozek 2014-03-12 17:39:24 UTC
(In reply to Namita Soman from comment #1)
> Please add steps to verify

Use the migrate-ds script on a RHEL6 IPA server to migrate some LDAP users.

Then attempt client-side migration with a RHEL7 client. The client-side migration would fail with unpatched packages and succeed with patched packages.

Comment 4 Namita Soman 2014-03-14 18:35:56 UTC
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.5 (Santiago)

Installed directory server here with users (version used: 389-ds-base-1.2.11.15-29.el6.x86_64)

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.0 Beta (Maipo)

Installed ipa server here (versions used: ipa-server-3.3.3-25.el7.x86_64, krb5-libs-1.11.3-49.el7.x86_64, sssd-1.11.2-58.el7.x86_64)

on ipa-server, ran:
# ipa migrate-ds --user-container="ou=people," --group-container="ou=groups" --exclude-users=puser2 ldap://ipaqavme.testrelm.test:389


Added 2 ldap users:
# ipa user-find
---------------
3 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1085400000
  GID: 1085400000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: philomena_hazen
  First name: Philomena
  Last name: Hazen
  Home directory: /home/Philomena_Hazen
  Login shell: /bin/sh
  Email address: Philomena_Hazen
  UID: 18795
  GID: 28795
  Telephone Number: +1 206 660-3641
  Job Title: Senior Human Resources Accountant
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: puser1
  Last name: User1
  Home directory: /home/puser1
  Login shell: /bin/bash
  UID: 1001
  GID: 1001
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 3
----------------------------

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.0 Beta (Maipo)

Installed ipa-client here (versions used: sssd-1.11.2-50.el7.x86_64, ipa-client-3.3.3-19.el7.x86_64, krb5-libs-1.11.3-47.el7.x86_64)

Then kinit'd as one of the LDAP users:
# kinit puser1
Password for puser1: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: puser1

Valid starting       Expires              Service principal
03/14/2014 14:25:00  03/15/2014 14:25:00  krbtgt/TESTRELM.TEST

Actual result: was able to login
Expected result: was expecting login to fail, and then would test with updated sssd to be able to login successfully

Comment 5 Namita Soman 2014-03-14 18:37:56 UTC
needinfo ques: please review my steps, and let me know what I am missing

Comment 6 Jakub Hrozek 2014-03-16 20:49:54 UTC
(In reply to Namita Soman from comment #5)
> needinfo ques: please review my steps, and let me know what I am missing

Sumit, was there any particular version of a package Namita might be missing?

Comment 7 Sumit Bose 2014-03-17 07:58:14 UTC
First, this issue can only be seen with a RHEL6 IPA server and the RHEL7 client (see Jakub's comment #2 as well) where the user logs in for the first time.

Second, it looks like your test is not suitable to test the password migration, because for some reason the Kerberos password is already available after migrating the user ('Kerberos keys available: True'). Do you have the Kerberos key attributes already set on the original DS instance? If yes, please remove them before calling ipa-migrate-ds to test the password migration.

Comment 8 Namita Soman 2014-03-19 13:35:20 UTC
Verified using sssd-1.11.2-60.el7.x86_64

Steps taken:
# yum -y install openldap-servers openldap-clients

# slappasswd -h {SHA} -s Secret123
{SHA}FWFILBKSIiSW05u0PrYWGRhKUck=

Used ds-migration test suite, added user to installds.sh:
dn: uid=puser14,ou=People,dc=example,dc=com
passwordGraceUserTime: 0
modifiersName: cn=directory manager
uidNumber: 1014
gidNumber: 1014
objectClass: top
objectClass: person
objectClass: posixAccount
uid: puser14
cn: Posix User14
sn: User11
homeDirectory: /home/puser14
loginshell: /bin/bash
userPassword: {SHA}FWFILBKSIiSW05u0PrYWGRhKUck=
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
nsUniqueId: 42598c8a-1dd211b2-8f88fe1c-fcc30000

On 6.5 server:
# ipa config-mod --enable-migration true

# ipa-compat-manage disable

# ipa migrate-ds --user-container="ou=people" --group-container="ou=groups" ldap://nu5.testrelm.com:389
Password: 
-----------
migrate-ds:
-----------
Migrated:
  user: puser14, puser1, puser2, philomena_hazen
  group: accounting managers, hr managers, qa managers, pd managers, group1, group2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.


puser14 was migrated and does not have krbPrincipalKey
# ipa user-show puser14
  User login: puser14
  Last name: User11
  Home directory: /home/puser14
  Login shell: /bin/bash
  UID: 1014
  GID: 1014
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False

# ldapsearch -x -h `hostname` -p 389 -D "cn=Directory Manager" -w Secret123 -b "uid=puser14,cn=users,cn=accounts,dc=testrelm,dc=com"
# extended LDIF
#
# LDAPv3
# base <uid=puser14,cn=users,cn=accounts,dc=testrelm,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# puser14, users, accounts, testrelm.com
dn: uid=puser14,cn=users,cn=accounts,dc=testrelm,dc=com
cn: Posix User14
uid: puser14
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: organizationalperson
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: person
objectClass: inetuser
objectClass: krbprincipalaux
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
loginShell: /bin/bash
sn: User11
uidNumber: 1014
gidNumber: 1014
homeDirectory: /home/puser14
krbPrincipalName: puser14
userPassword:: e1NIQX1GV0ZJTEJLU0lpU1cwNXUwUHJZV0dSaEtVY2s9
ipaUniqueID: aefef952-af67-11e3-a03f-001a644ea226
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


From client using sssd-1.11.2-50.el7.x86_64:
# ssh -l puser14 client.testrelm.com
ssh_exchange_identification: Connection closed by remote host

From client using sssd-1.11.2-60.el7.x86_64:
# ssh -l puser14 nocp12.testrelm.com
puser14.com's password: 
<snip...logged in successfully>
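
As an added illustration of the check behind the verification in comment 8 (my own code, not SSSD's or IPA's): parse the ldapsearch LDIF entry, decode the base64 `userPassword::` value, confirm it is the `{SHA}` hash that `slappasswd -h {SHA}` produces, and flag the user as still needing the IPA password migration because `krbPrincipalKey` is absent. The LDIF sample is a trimmed copy of the puser14 entry above; the function names are my own.

```python
import base64
import hashlib

# Constructed sample: a trimmed copy of the puser14 ldapsearch entry from comment 8.
LDIF_ENTRY = """\
dn: uid=puser14,cn=users,cn=accounts,dc=testrelm,dc=com
cn: Posix User14
uid: puser14
objectClass: krbprincipalaux
objectClass: posixaccount
krbPrincipalName: puser14
userPassword:: e1NIQX1GV0ZJTEJLU0lpU1cwNXUwUHJZV0dSaEtVY2s9
ipaUniqueID: aefef952-af67-11e3-a03f-001a644ea226
"""

def parse_ldif(text):
    """Return {attribute: [values]} for one LDIF entry; 'attr:: v' means v is base64."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):      # skip ldapsearch comment lines
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # second colon: base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def ldap_sha_hash(password):
    """The {SHA} scheme used by 'slappasswd -h {SHA}': base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def needs_password_migration(attrs):
    """True when the entry has no Kerberos keys yet (no krbPrincipalKey), which is
    what 'Kerberos keys available: False' reports: the first login must then go
    through the IPA password migration path instead of a plain kinit."""
    return "krbPrincipalKey" not in attrs

def password_matches(attrs, password):
    """True when the migrated userPassword is the {SHA} hash of the given password."""
    stored = attrs.get("userPassword", [""])[0]
    return stored == ldap_sha_hash(password)

if __name__ == "__main__":
    entry = parse_ldif(LDIF_ENTRY)
    print(entry["uid"][0], "needs migration:", needs_password_migration(entry))
    print("hash matches Secret123:", password_matches(entry, "Secret123"))
```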

Comment 9 Ludek Smid 2014-06-13 10:07:37 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.