Hi Rob. It worked. Thanks.
The name *migrated* was confusing for me; I thought it was the new host
rather than the *"old"* one.
Now users/groups are there and whoever has the password needs to connect to
the new server in order to recreate their password with Kerberos. I guess
whoever has SSH keys doesn't need to do that... right?

Now I need to manually migrate the HBAC, sudo, etc.

Thanks


On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca <alfredo.del...@gmail.com>
wrote:

> Thanks Rob. I'll give it a try.
> Cheers
>
> On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Alfredo De Luca via FreeIPA-users wrote:
>> > Hi Florence.
>> > But the example says  ldap://*migrated*.freeipa.server.test
>> >
>> > so I ran the command from the actual server where I want to migrate the
>> > users from and pointing to the migrated (so the new which I will migrate
>> > to) server...
>> > So is it wrong?
>> > So should I run the command instead from the new ipa server pointing to
>> > the old server?
>>
>> The old server. You have been trying to migrate the server to itself.
>>
>> rob
>>
>> >
>> >
>> >
>> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
>> >
>> >     On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
>> >     > The IP is the new server where I'd like to migrate all the user/groups
>> >     > to and it should be ok.
>> >     > The migrate-ds is the default I copy from the freeipa.org
>> >     > migration section..
>> >     >
>> >     Hi,
>> >
>> >     the ldap URI should point to the server where the users are currently
>> >     defined (=the FROM server).
>> >
>> >     Hope this clarifies,
>> >     flo
>> >     >
>> >     >
>> >     >
>> >     > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcrit...@redhat.com> wrote:
>> >     >
>> >     >     Alfredo De Luca via FreeIPA-users wrote:
>> >     >      > Hi Rob.
>> >     >      > Yes. I am following the link you sent. So now I can understand they need
>> >     >      > to create the new Kerberos but given the command I should have seen all
>> >     >      > the users in the new freeipa server... which are not there.
>> >     >      > Maybe I put a wrong command? (below)
>> >     >      >
>> >     >      > ipa migrate-ds --bind-dn="cn=Directory Manager"
>> >     >      > --user-container=cn=users,cn=accounts --group-overwrite-gid
>> >     >      > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>> >     >      > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
>> >     >      > --user-ignore-objectclass=mepOriginEntry --with-compat
>> >     >      > ldap://192.168.20.177:389
>> >     >      >
>> >     >      > Password:
>> >     >      > -----------
>> >     >      > migrate-ds:
>> >     >      > -----------
>> >     >      > Migrated:
>> >     >      >   group: admins, editors
>> >     >      > Failed user:
>> >     >      >   admin: This entry already exists
>> >     >      > Failed group:
>> >     >      > ----------
>> >     >      > Passwords have been migrated in pre-hashed format.
>> >     >      > IPA is unable to generate Kerberos keys unless provided
>> >     >      > with clear text passwords. All migrated users need to
>> >     >      > login at https://your.domain/ipa/migration/ before they
>> >     >      > can use their Kerberos accounts.
>> >     >
>> >     >     It isn't finding any of your users. Are you sure that IP address points
>> >     >     to your existing IPA instance?
>> >     >
>> >     >     rob
>> >     >
>> >     >
>> >     >
>> >     > --
>> >     > /Alfredo/
>> >     >
>> >     >
>> >     >
>> >     > _______________________________________________
>> >     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> >     > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>> >     > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> >     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >     > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/N3LK45PLAZOV3SA2TRNI6SYQKTNQQPF3/
>> >     >
>> >
>> >
>> >
>> > --
>> > /Alfredo/
>> >
>> >
>> >
>> >
>>
>>
>
> --
> *Alfredo*
>
>

-- 
*Alfredo*
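
A pre-flight guard for the mistake resolved in this thread (running `ipa migrate-ds` with a URI that names the server it is run on), as an added example that is not part of the original messages or of FreeIPA. The function names and `newipa.example.test` are hypothetical, and `hostname -I` assumes a Linux host.

```shell
#!/bin/sh
# Added example: refuse to run "ipa migrate-ds" when the LDAP URI points at
# the local (new) server instead of the old/source server.

# Print the lower-cased host part of an ldap:// or ldaps:// URI.
uri_host() (
    rest="${1#*://}"          # drop the scheme
    rest="${rest%%/*}"        # drop any path / base DN
    case "$rest" in
        \[*) rest="${rest#\[}"; rest="${rest%%\]*}" ;;   # [IPv6]:port
        *)   rest="${rest%%:*}" ;;                       # host:port
    esac
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
)

# Return 0 if the URI host equals any of the given local names/addresses.
points_at_self() (
    host="$(uri_host "$1")"; shift
    for id in "$@"; do
        id="$(printf '%s' "$id" | tr 'A-Z' 'a-z')"
        [ "$host" = "$id" ] && return 0
    done
    return 1
)

# Names and addresses this machine answers to (errors ignored if a flag is missing).
local_identities() {
    hostname -f 2>/dev/null
    hostname -s 2>/dev/null
    hostname -I 2>/dev/null | tr ' ' '\n'
    printf '%s\n' localhost 127.0.0.1 ::1
}

# Usage on the NEW server: safe_migrate_ds ldap://OLD-SERVER:389 [migrate-ds options...]
safe_migrate_ds() {
    uri="$1"; shift
    # Word splitting of the identity list is intended here.
    if points_at_self "$uri" $(local_identities); then
        echo "refusing: $uri is this server; use the OLD (source) server's URI" >&2
        return 1
    fi
    ipa migrate-ds "$@" "$uri"
}

# Constructed demo values: the URI from the thread checked against a host that owns that IP.
if points_at_self "ldap://192.168.20.177:389" newipa.example.test 192.168.20.177; then
    echo "would refuse: URI names this host"
fi
```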