I created another ipa server with fedora 39....
ipa-server-install --setup-dns --forwarder=8.8.8.8 -n dom.loc -r DOM.LOC --no-dnssec-validation -a pass -p pass
ipa-migrate -v prod-mode ipa.dom.loc -w pass:
-----------------------------------------------------
Connecting to local server ...
ipaserver.install.ipa_migrate: INFO: ================================================================================
ipaserver.install.ipa_migrate: INFO: IPA to IPA migration starting ...
ipaserver.install.ipa_migrate: INFO: Migration options:
ipaserver.install.ipa_migrate: INFO: --mode=prod-mode
ipaserver.install.ipa_migrate: INFO: --hostname=ipa.dom.loc
ipaserver.install.ipa_migrate: INFO: --verbose=True
ipaserver.install.ipa_migrate: INFO: --bind-dn=cn=directory manager
ipaserver.install.ipa_migrate: INFO: --bind-pw-file=None
ipaserver.install.ipa_migrate: INFO: --cacertfile=None
ipaserver.install.ipa_migrate: INFO: --subtree=[]
ipaserver.install.ipa_migrate: INFO: --log-file=/var/log/ipa-migrate.log
ipaserver.install.ipa_migrate: INFO: --skip-schema=False
ipaserver.install.ipa_migrate: INFO: --skip-config=False
ipaserver.install.ipa_migrate: INFO: --migrate-dns=False
ipaserver.install.ipa_migrate: INFO: --dryrun=False
ipaserver.install.ipa_migrate: INFO: --dryrun-record=None
ipaserver.install.ipa_migrate: INFO: --force=False
ipaserver.install.ipa_migrate: INFO: --quiet=False
ipaserver.install.ipa_migrate: INFO: --schema-overwrite=False
ipaserver.install.ipa_migrate: INFO: --reset-range=False
ipaserver.install.ipa_migrate: INFO: --db-ldif=None
ipaserver.install.ipa_migrate: INFO: --schema-ldif=None
ipaserver.install.ipa_migrate: INFO: --config-ldif=None
ipaserver.install.ipa_migrate: INFO: --no-prompt=False
ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f50455afd70>
ipapython.ipaldap: DEBUG: retrieving schema for
SchemaCache url=ldap://ipa.dom.loc conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f5043330f80>
ipaserver.install.ipa_migrate: INFO: Found realm from remote server: DOM.LOC
ipaserver.install.ipa_migrate: INFO: Migrating schema ...
ipaserver.install.ipa_migrate: INFO: Getting schema from the remote server ...
ipaserver.install.ipa_migrate: INFO: Retrieved 1367 attributes and 298 objectClasses
ipaserver.install.ipa_migrate: INFO: Migrated 0 attributes and 0 objectClasses
ipaserver.install.ipa_migrate: INFO: Skipped 1367 attributes and 298 objectClasses
ipaserver.install.ipa_migrate: INFO: Migrating configuration ...
ipaserver.install.ipa_migrate: INFO: Getting config from the remote server ...
ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f50455afd70>
ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-exclude-suffix' added: '{remote_vals}' under 'cn=Retro Changelog Plugin,cn=plugins,cn=config'
ipaserver.install.ipa_migrate: INFO: Config setting 'dnaMaxValue' replaced '['1766399999']' with '1339499999' in 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
ipaserver.install.ipa_migrate: INFO: Config setting 'dnaNextValue' replaced '['1766200002']' with '1339400014' in 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'dnaNextValue', [b'1339400014']), (2, 'dnaMaxValue', [b'1339499999'])]
ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-idlistscanlimit' replaced '['2147483646']' with '100000' in 'cn=config,cn=ldbm database,cn=plugins,cn=config'
ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-import-cachesize' replaced '['16777216']' with '20000000' in 'cn=config,cn=ldbm database,cn=plugins,cn=config'
ipapython.ipaldap: DEBUG:
update_entry modlist [(2, 'nsslapd-idlistscanlimit', [b'100000']), (1, 'nsslapd-import-cachesize', [b'16777216']), (0, 'nsslapd-import-cachesize', [b'20000000'])]
ipaserver.install.ipa_migrate: INFO: Migrating database ... (this make take a while)
ipaserver.install.ipa_migrate: INFO: Database search succeeded: type 101 msgid 8
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=domain,dc=loc' attribute 'memberPrincipal' add val 'HTTP/ipa2.domain....@domain.loc' not in ['HTTP/ipa.domain....@domain.loc']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'memberPrincipal', [b'HTTP/ipa2.domain....@domain.loc'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=domain,dc=loc' attribute 'memberPrincipal' add val 'ldap/ipa2.domain....@domain.loc' not in ['ldap/ipa.domain....@domain.loc']
ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'memberPrincipal', [b'ldap/ipa2.domain....@domain.loc'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'uid=admin,cn=users,cn=accounts,dc=domain,dc=loc' attribute 'uidNumber' replaced with val '1339400000' old value: ['1766200000']
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'uid=admin,cn=users,cn=accounts,dc=domain,dc=loc' attribute 'gidNumber' replaced with val '1339400000' old value: ['1766200000']
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'uidNumber', [b'1339400000']), (2, 'gidNumber', [b'1339400000']), (2, 'krbLastSuccessfulAuth', [b'20241116200755Z'])]
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=admins,cn=groups,cn=accounts,dc=domain,dc=loc' attribute 'gidNumber' replaced with val '1339400000' old value: ['1766200000']
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'gidNumber', [b'1339400000'])]
ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'member',
[b'uid=user32,cn=users,cn=accounts,dc=domain,dc=loc', b'uid=testgroup,cn=users,cn=accounts,dc=domain,dc=loc', b'uid=desktop,cn=users,cn=accounts,dc=domain,dc=loc'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=editors,cn=groups,cn=accounts,dc=domain,dc=loc' attribute 'gidNumber' replaced with val '1339400002' old value: ['1766200002'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'gidNumber', [b'1339400002'])] ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa2.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipaConfig,cn=etc,dc=domain,dc=loc' attribute 'ipaDefaultLoginShell' replaced with val '/bin/bash' old value: ['/bin/sh'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipaConfig,cn=etc,dc=domain,dc=loc' attribute 'ipaSELinuxUserMapOrder' replaced with val 'guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' old value: ['guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=ipaConfig,cn=etc,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype 
|| ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)' not in ['(targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxhostnamelength || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserdefaultsubordinateid || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)'] ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'aci', [b'(targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)']), (2, 'ipaSELinuxUserMapOrder', [b'guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023']), (2, 'ipaDefaultLoginShell', [b'/bin/bash'])] 
ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC_id_range,cn=ranges,cn=etc,dc=domain,dc=loc' attribute 'ipaBaseID' replaced with val '1339400000' old value: ['1766200000'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaBaseID', [b'1339400000'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'uid=sudo,cn=sysaccounts,cn=etc,dc=domain,dc=loc' attribute 'userPassword' add val '{SSHA}1vO9TveMns01JdvX8Wlu0vLWkpyKJ7Li0KZQig==' not in ['{PBKDF2-SHA512}10000$rDx4BupiNh/Vtk0Uuk01hwFnUsqm3kDM$+Xy1WvtN3AylXKInR2b3dsQyDddVgB/C9Z1MNH1t0JaW5zlGTnW8V79kLpFnPywnfrhCFuUk7z+HIJIKVTOCwQ=='] ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'userPassword', [b'{SSHA}1vO9TveMns01JdvX8Wlu0vLWkpyKJ7Li0KZQig=='])] ipaserver.install.ipa_migrate: INFO: Added entry: ipaUniqueID=31c8f78b-706f-11ed-9372-080027deeb0c,cn=hbac,dc=domain,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=loc' attribute 'nsDS5ReplicatedAttributeList' add val '(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount' not in ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=domain,cn=topology,cn=ipa,cn=etc,dc=domain,dc=loc' attribute 'nsDS5ReplicatedAttributeListTotal' add val '(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount' not in ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount passwordgraceusertime'] ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'nsDS5ReplicatedAttributeListTotal', [b'(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']), (0, 'nsDS5ReplicatedAttributeList', 
[b'(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'])] ipaserver.install.ipa_migrate: INFO: Skipping remote certificate entry: 'cn=DOM.LOC IPA CA,cn=certificates,cn=ipa,cn=etc,dc=dom,dc=loc' Issuer: CN=Certificate Authority,O=DOM.LOC ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'des3-hmac-sha1:normal' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'des3-hmac-sha1:special' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special', 'des3-hmac-sha1:normal'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'arcfour-hmac:normal' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 
'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'krbSupportedEncSaltTypes' add val 'arcfour-hmac:special' not in ['aes256-cts:normal', 'aes256-cts:special', 'aes128-cts:normal', 'aes128-cts:special', 'aes128-sha2:normal', 'aes128-sha2:special', 'aes256-sha2:normal', 'aes256-sha2:special', 'camellia128-cts-cmac:normal', 'camellia128-cts-cmac:special', 'camellia256-cts-cmac:normal', 'camellia256-cts-cmac:special', 'des3-hmac-sha1:normal', 'des3-hmac-sha1:special', 'arcfour-hmac:normal'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) 
groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default 
Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || 
krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || 
passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: 
Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || 
krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)'] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'aci' add val '(targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)' not in ['(targetattr = "createtimestamp || entryusn || krbauthindmaxrenewableage || 
krbauthindmaxticketlife || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "cn || cospriority || createtimestamp || entryusn || ipapwddictcheck || ipapwdmaxrepeat || ipapwdmaxsequence || ipapwdusercheck || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass || passwordgracelimit")(targetfilter = "(|(objectclass=ipapwdpolicy)(objectclass=krbpwdpolicy))")(version 3.0;acl "permission:System: Read Group Password Policy";allow 
(compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', '(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)'] ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'aci', [b'(targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl 
"permission:System: Add Group Password Policy";allow (add) groupdn = "ldap:///cn=System: Add Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Delete Group Password Policy";allow (delete) groupdn = "ldap:///cn=System: Delete Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)', b'(targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=domain,dc=loc";)']), (0, 'krbSupportedEncSaltTypes', [b'des3-hmac-sha1:normal', b'des3-hmac-sha1:special', b'arcfour-hmac:normal', b'arcfour-hmac:special'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbPrincipalName=K/m...@domain.loc,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'K/m...@domain.loc']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 
'krbPrincipalName=krbtgt/domain....@domain.loc,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'krbtgt/domain....@domain.loc']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Added entry: krbPrincipalName=kadmin/ipa.domain....@domain.loc,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbPrincipalName=kadmin/ad...@domain.loc,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'kadmin/ad...@domain.loc']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbPrincipalName=kadmin/chang...@domain.loc,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc' attribute 'objectClass' add val 'ipakrbprincipal' not in ['krbprincipal', 'krbprincipalaux', 'krbTicketPolicyAux', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'ipaKrbPrincipalAlias', [b'kadmin/chang...@domain.loc']), (0, 'objectClass', [b'ipakrbprincipal'])] ipaserver.install.ipa_migrate: INFO: Added entry: krbPrincipalName=kiprop/ipa.domain....@domain.loc,cn=DOMAIN.LOC,cn=kerberos,dc=domain,dc=loc ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom....@dom.loc,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom....@dom.loc,cn=services,cn=accounts,dc=dom,dc=loc ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20241116200051Z'])] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 
'enrolledBy', [b'uid=admin,cn=users,cn=accounts,dc=domain,dc=loc']), (2, 'krbLastSuccessfulAuth', [b'20241116211548Z'])] ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=HTTP/ipa.dom....@dom.loc,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbprincipalname=HTTP/ipa.domain....@domain.loc,cn=services,cn=accounts,dc=domain,dc=loc' attribute 'objectClass' add val 'krbTicketPolicyAux' not in ['krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20241116200700Z']), (0, 'objectClass', [b'krbTicketPolicyAux'])] ipaserver.install.ipa_migrate: ERROR: Failed to update "krbprincipalname=HTTP/ipa.domain....@domain.loc,cn=services,cn=accounts,dc=domain,dc=loc" error: Type or value exists