On Mon, 14 Dec 2020, lejeczek via FreeIPA-users wrote:
> Hi guys,
> I must be missing something, I hope. This should just work, right?
> $ ipa migrate-ds --bind-dn="cn=Directory Manager" \
>     --user-container=cn=users,cn=accounts \
>     --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup \
>     --with-compat ldap://10.0.0.6
> Prior to the above, on the target IPA I run:
> $ ipa-adtrust-install
> Source IPA is: VERSION: 4.6.8, API_VERSION: 2.237
> Target is: VERSION: 4.8.7, API_VERSION: 2.239
> $ smbclient -L //love.ccn.mine.domain -Ume
> lp_load_ex: changing to config backend registry
> Unknown parameter encountered: "includes"
> Enter CCN\me's password:
> session setup failed: NT_STATUS_INVALID_SID
> Any suggestions as to what is (not, but should be) happening are greatly
> appreciated.

Your migrated user accounts contain ipaNTSecurityIdentifier pointing to
the older IPA's domain SID, which is different from your new IPA's domain
SID.

Why do you need to migrate this way instead of adding a new replica and
then moving all services to it and decommissioning old 4.6 replicas?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
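
The mismatch described in the reply can be confirmed by comparing the domain part of each migrated entry's ipaNTSecurityIdentifier with the target domain's SID. The following Python is an added example, not part of the original thread or of FreeIPA: the function names are hypothetical, and the LDIF text, DNs and SIDs are constructed sample values standing in for an LDIF export of the target's user container.

```python
# Added example: classify migrated entries by the domain part of their SID.
# SAMPLE_LDIF and TARGET_DOMAIN_SID are constructed values, not from the thread.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
ipaNTSecurityIdentifier: S-1-5-21-4444444444-5555555555-6666666666-1002

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
"""
TARGET_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

def parse_ldif(text):
    """Yield (dn, {lowercased_attr: [values]}) per blank-line-separated entry."""
    unfolded = text.replace("\n ", "")  # undo LDIF line folding
    for block in unfolded.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if not sep or line.startswith("#"):
                continue  # skip comments and lines without "attr: value"
            if key.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(key.lower(), []).append(value.strip())
        if dn:
            yield dn, attrs

def domain_part(sid):
    """Return the SID with its last sub-authority (the RID) removed."""
    return sid.rsplit("-", 1)[0]

def audit_sids(ldif_text, target_domain_sid):
    """Sort entries into ok / foreign (other domain's SID) / no_sid."""
    report = {"ok": [], "foreign": [], "no_sid": []}
    want = target_domain_sid.upper()
    for dn, attrs in parse_ldif(ldif_text):
        sids = attrs.get("ipantsecurityidentifier", [])
        if not sids:
            report["no_sid"].append(dn)
        elif all(domain_part(s).upper() == want for s in sids):
            report["ok"].append(dn)
        else:
            report["foreign"].append(dn)
    return report

if __name__ == "__main__":
    for status, dns in audit_sids(SAMPLE_LDIF, TARGET_DOMAIN_SID).items():
        print(status, dns)
```

Entries reported as `foreign` carry a SID from a domain other than the target's, which is the condition the reply identifies behind NT_STATUS_INVALID_SID.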