You might find some useful tips here:

Not sure if they did drop their other scripts into github (as suggested two thirds down)

Regards
Angus

On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hi Rob. It worked. Thanks.
It was confusing for me the name migrated thinking was the new host rather than the "old".
Now users/groups are there and whoever has the password needs to connect to the new server in order to recreate their password with kerberos. I guess who has the ssh keys don't need to do that... right?
Now I need to migrate manually the hbac, sudo etc....

Thanks

On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca <alfredo.deluca@gmail.com> wrote:

Thanks Rob. I'll give a try.
Cheers

On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden <rcritten@redhat.com> wrote:

Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence.
> But the example says ldap://*migrated*.freeipa.server.test
>
> so I ran the command from the actual server where I want migrate the
> users from and pointing to the migrated (so the new which I will migrate
> to) server...
> So is it wrong?
> So should I run the command instead from the new ipa server pointing to
> the old server?
The old server. You have been trying to migrate the server to itself.
rob
>
>
>
> On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
>
> On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
> > The IP is the new server where I'd like to migrate all the user/groups
> > to and it should be ok.
> > The migrate-ds is the default I copy from the freeipa.org
> > migration section..
> >
> Hi,
>
> the ldap URI should point to the server where the users are currently
> defined (=the FROM server).
>
> Hope this clarifies,
> flo
> >
> >
> >
> > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten@redhat.com> wrote:
> >
> > Alfredo De Luca via FreeIPA-users wrote:
> > > Hi Rob.
> > > Yes. I am following the link you sent. So now I can understand they need
> > > to create the new Kerberos but given the command I should have seen all
> > > the users in the new freeipa server... which are not there.
> > > Maybe I put a wrong command? (below)
> > >
> > > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > > --user-container=cn=users,cn=accounts --group-overwrite-gid
> > > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> > > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > ldap://192.168.20.177:389
> > >
> > > Password:
> > > -----------
> > > migrate-ds:
> > > -----------
> > > Migrated:
> > > group: admins, editors
> > > Failed user:
> > > admin: This entry already exists
> > > Failed group:
> > > ----------
> > > Passwords have been migrated in pre-hashed format.
> > > IPA is unable to generate Kerberos keys unless provided
> > > with clear text passwords. All migrated users need to
> > > login at https://your.domain/ipa/migration/ before they
> > > can use their Kerberos accounts.
> >
> > It isn't finding any of your users. Are you sure that IP address points
> > to your existing IPA instance?
> >
> > rob
> >
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/N3LK45PLAZOV3SA2TRNI6SYQKTNQQPF3/
> >
>
>
>
> --
> /Alfredo/
>
>
>
>
--
Alfredo
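
The mistake resolved in this thread (an `ipa migrate-ds` URI that names the server the command is run on) can be caught before the migration starts. The following pre-flight check is an added example, not part of the original messages or of FreeIPA; the function names are hypothetical, the caller supplies this host's own names and addresses, and the comparison is literal (no DNS resolution, no IPv6 literals).

```shell
#!/bin/sh
# Added example: refuse an `ipa migrate-ds` LDAP URI that points at this host.
# The URI must name the OLD (source) server where the users currently live.

# Print the host part of an ldap:// or ldaps:// URI; fail on anything else.
ldap_uri_host() {
    uri=$1
    case $uri in
        ldap://*|ldaps://*) ;;
        *) return 1 ;;
    esac
    rest=${uri#*://}     # drop the scheme
    rest=${rest%%/*}     # drop any trailing /base-dn
    host=${rest%%:*}     # drop :port
    [ -n "$host" ] || return 1
    printf '%s\n' "$host"
}

# Return 0 if host $1 equals (case-insensitively) any local identity in $2...
is_local_target() {
    target=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    for local_id in "$@"; do
        [ "$target" = "$(printf '%s' "$local_id" | tr '[:upper:]' '[:lower:]')" ] && return 0
    done
    return 1
}

# check_migrate_source URI LOCAL_ID...
# Prints "ok" (exit 0), "self" (exit 1) or "bad-uri" (exit 2).
check_migrate_source() {
    uri=$1
    shift
    host=$(ldap_uri_host "$uri") || { echo bad-uri; return 2; }
    if is_local_target "$host" "$@"; then
        echo self
        return 1
    fi
    echo ok
}

# Constructed demo: the URI from the thread, checked on a host that owns
# 192.168.20.177 (ipa-new.example.test is a made-up name). Prints "self".
check_migrate_source "ldap://192.168.20.177:389" ipa-new.example.test 192.168.20.177 || true

# On the new IPA server the local identities could be gathered with, e.g.:
#   check_migrate_source "$URI" "$(hostname -f)" $(hostname -I) && ipa migrate-ds ... "$URI"
```
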