Hi Florence.
I created a new IPA server and tried to migrate but I got the following ...
*Passwords have been migrated in pre-hashed format.*
*IPA is unable to generate Kerberos keys unless provided*
*with clear text passwords. All migrated users need to*
*login at https://your.domain/ipa/migration/ before they*
*can use their Kerberos accounts.*
Hi,
this is expected as detailed in [1]. All the users need to authenticate
to this web page in order to fill in their Kerberos hash (it is not
possible to generate the hash from the encrypted user passwords that are
stored in the old IPA server). It does not require any password change.
Hope this clarifies,
flo
[1]
Alfredo
On Mon, Aug 13, 2018 at 2:04 PM Alfredo De Luca <alfredo.deluca(a)gmail.com> wrote:
Thanks heaps Florence. Appreciated
Alfredo
On Mon, Aug 13, 2018 at 11:42 AM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence. Yes, this clarifies my question. So either I will build a new
> FreeIPA then manually add all the users/groups etc ... or maybe import
> at least some users with some sort of ldap command?
>
Hi,
FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1].
Note that other objects need to be migrated manually (sudo, hbac, ...).
The procedure involves retrieving the objects with ldapsearch into a
ldif file, editing the ldif to replace the basedn, and importing to the
new server.
There are a few knowledge base articles related to this topic, for
instance Migrating Your IDM Environment To a New Environment in RHEL 7
[2]. You may also find additional information in the users mailing list.
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[2]
https://access.redhat.com/articles/2949931
> Cheers
>
>
> On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
>
> On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
> > Hi all.
> > We'd like to change the domain name on our freeipa (4.5.4 on centos
> > 7.5). Not the realm but only the domain....
> > is it doable?
> > If so... how?
> >
> Hi,
>
> unfortunately, no. Please have a look at IdM documentation, section Host
> Name and DNS Configuration [1]. It contains a big warning:
> Note that the primary DNS domain and Kerberos realm cannot be changed
> after the installation.
>
> Hope this clarifies,
> flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>
> > Cheers
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
> >
>
>
>
> --
> /Alfredo/
>
>
>
--
/Alfredo/
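
An added example, not part of the thread and not FreeIPA's own tooling, for the "editing the ldif to replace the basedn" step Florence describes: a plain search-and-replace misses DNs that ldapsearch has folded across lines or emitted as base64, so this sketch unfolds and decodes before rewriting. The suffixes, the sample entry and the function names are constructed for illustration, and it assumes only values that end in the old base DN should change.

```python
import base64
import re

OLD_BASE = "dc=old,dc=example,dc=com"   # constructed sample suffixes
NEW_BASE = "dc=new,dc=example,dc=com"

def unfold(ldif_text):
    """RFC 2849: a line starting with a single space continues the previous one."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def swap_suffix(value, old_base, new_base):
    """Replace old_base only where it is the trailing part of a DN value."""
    pat = re.compile(r"(^|,)\s*" + re.escape(old_base) + r"$", re.IGNORECASE)
    return pat.sub(lambda m: m.group(1) + new_base, value)

def rewrite_basedn(ldif_text, old_base, new_base):
    out = []
    for line in unfold(ldif_text):
        m = re.match(r"^([A-Za-z0-9;.-]+)(::|:<|:)\s*(.*)$", line)
        if not m:                      # blank separators and comments pass through
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if sep == "::":                # base64 value: decode, rewrite, re-encode
            try:
                text = base64.b64decode(value).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                out.append(line)       # binary data (certificates, photos): untouched
                continue
            text = swap_suffix(text, old_base, new_base)
            value = base64.b64encode(text.encode("utf-8")).decode("ascii")
        else:
            value = swap_suffix(value, old_base, new_base)
        out.append(f"{attr}{sep} {value}")
    return "\n".join(out) + "\n"

# Constructed sample entry: DN folded inside the suffix, one base64 DN value.
_B64 = base64.b64encode(f"cn=admins,cn=groups,cn=accounts,{OLD_BASE}".encode()).decode()
SAMPLE = (
    "dn: cn=admins_all,cn=sudorules,cn=sudo,dc=old,dc=exam\n ple,dc=com\n"
    f"memberUser:: {_B64}\n"
    "description: covers dc=old,dc=example,dc=com hosts\n"
)
```

Calling `rewrite_basedn(SAMPLE, OLD_BASE, NEW_BASE)` returns the unfolded LDIF with the new suffix; review the result before importing it, since free-text values that merely mention the old suffix are left alone on purpose.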