Hi Rob. 
Yes. I am following the link you sent. So now I can understand they need to create the new Kerberos but given the command I should have seen all the users in the new freeipa server... which are not there. 
Maybe I put a wrong command? (below)

ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-overwrite-gid --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://192.168.20.177:389

Password:
-----------
migrate-ds:
-----------
Migrated:
  group: admins, editors
Failed user:
  admin: This entry already exists
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.





On Tue, Aug 14, 2018 at 5:01 PM Rob Crittenden <rcritten@redhat.com> wrote:
Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence. Thanks again. I understand about the password hash... but
> does it mean all the users need to do that before migration? or after? 
>
> Cause in the new ipa server can 't see any of the users/groups. 

Then I assume the migration failed?

I believe there is a chapter in the RHEL docs on migration and it is
also mentioned at https://www.freeipa.org/page/Howto/Migration

Users will need to re-authenticate themselves post-migration in order to
set their Kerberos credentials.

rob


--
Alfredo