Hi Rob.
Yes. I am following the link you sent. So now I can understand they need to
create the new Kerberos but given the command I should have seen all the
users in the new freeipa server... which are not there.
Maybe I put a wrong command? (below)
ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts --group-overwrite-gid
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
--user-ignore-objectclass=mepOriginEntry --with-compat ldap://
192.168.20.177:389
Password:
-----------
migrate-ds:
-----------
Migrated:
group: admins, editors
Failed user:
admin: This entry already exists
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at
https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
On Tue, Aug 14, 2018 at 5:01 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence. Thanks again. I understand about the password hash... but
> does it mean all the users need to do that before migration? or after?
>
> Cause in the new ipa server can 't see any of the users/groups.
Then I assume the migration failed?
I believe there is a chapter in the RHEL docs on migration and it is
also mentioned at
https://www.freeipa.org/page/Howto/Migration
Users will need to re-authenticate themselves post-migration in order to
set their Kerberos credentials.
rob
--
*Alfredo*