Hi Rob.
Yes, I am following the link you sent. So now I understand that they need to create the new Kerberos, but given the command, I should have seen all the users in the new FreeIPA server... which are not there.
Maybe I entered the wrong command? (below)
ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-overwrite-gid --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://192.168.20.177:389
Password:
-----------
migrate-ds:
-----------
Migrated:
group: admins, editors
Failed user:
admin: This entry already exists
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
can use their Kerberos accounts.