HUANG, TONY wrote:
> Hi Rob,
>
> I have been starting from scratch. I will check my logs again. My
> environment is disconnected from the Internet and I can't easily copy
> and paste to the thread. My IPA version is the same going from the old
> to the new (4.8 I believe). The reason I had to do IPA to IPA migration
> is because my old one is not FIPS enabled whereas my new one is FIPS
> enabled, therefore, I can't just replicate it by promoting it
>
> When your "ipa migrate-ds" worked for you, did you also get nobody as
> your group ownership to the files in your home directory? Similar to
> when I login to the client machine connected to the newly migrated IPA
> server, I get /usr/bin/id Cannot find name with GID 6314001, and ls - l
> /home/htony shows htony : nobody on all of my files and directories.
No, everything is looking fine. The nss commands like getent and id all
show the properly resolved group names.
> Red Hat support is telling me to delete the users and re-create them ..
> which defeats the purpose of running ipa migrate-ds ... and I have many
> users and home directories on a NFS share.
They may be confused by UPG. There is currently no way to add a UPG to an
existing user, so re-creating the user is the only way.
> I am fine if there is no way to do this migration easily, but before
> coming to that conclusion I am trying to find a way forward.
It's hard to help without seeing what is going on beyond the symptom.
Like I said, the migration cli I provided works for me.
rob
>
> Thanks again!
>
> --Tony
>
>
> On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <rcritten@redhat.com> wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I've asked Red Hat support, and the support engineer is telling me that
> > it doesn't support migrating of User Private Group and has pointed me
> > over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The support
> > engineer is also asking me to create new UPG.
>
> It's true that migrating UPG is not possible. The group is converted
> into a standard group. You can't create UPG manually by default. I was
> curious one day and worked out a way to re-attach a group, but that's a
> different problem.
>
> I don't think you've ever said which version of IPA you are migrating
> from/to. Versions sometimes can make a big difference.
>
> You also aren't saying what you are doing in between attempts. Are you
> fully starting over in between executions or re-running migrate-ds? It
> would be truly helpful to see the output of the command when groups fail
> to migrate. If it fails it will say so. If it doesn't include the groups
> at all then it isn't finding them.
>
> migrate-ds doesn't do anything particularly complicated. It does LDAP
> searches for the various objects. For group since you specified
> --group-objectclass=posixaccount it's going to search for all of those.
> This should be visible in your access log.
>
> This works for me:
>
> ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass mepOriginEntry
> --group-ignore-attribute=mepmanagedby
> --group-ignore-objectclass=mepmanagedEntry --with-compat
> ldap://ipa.example.test
>
> > Now my question is if ipa migrate-ds doesn't support migration of UPG,
> > then how do I move forward after running ipa migrate-ds? I currently
> > have GIDs that don't associate to usernames and group file ownership is
> > nobody.
>
> Like I said, it doesn't migrate UPG and continue to be UPG, but it will
> migrate the groups.
>
> > Looking to see if anyone in the community has done an IPA to IPA
> > migration ...
>
> Have you searched the list archives?
>
> rob
>
> >
> > Thanks!
> >
> > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <rcritten@redhat.com> wrote:
> >
> > HUANG, TONY wrote:
> > > I didn't get any errors regarding user private groups at all, and the
> > > UPGs didn't even get migrated to become regular POSIX UNIX groups
> > > either. They are just not there, so when I login I see a message
> > > complaining that /usr/bin/id cannot find my group name.
> >
> > They may not be reported as errors, just part of the output.
> >
> > You might also want to look at your private groups in the original IPA
> > to ensure they have the posixgroup objectclass. That is the search
> > filter being used.
> >
> > rob
> >
> > >
> > > I've tried importing the entire cn=groups, but it didn't solve the
> > > missing UPG problem at all.
> > >
> > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten@redhat.com> wrote:
> > >
> > > HUANG, TONY wrote:
> > > > Rob,
> > > >
> > > > I've tried the command from the website below with the same result.
> > > > Furthermore, at the FreeIPA to FreeIPA section it states "The command
> > > > doesn't migrate user private groups.", which is very strange, because my
> > > > migration becomes more complicated when I have to change group ownership
> > > > and potentially user files.
> > >
> > > What this means is that after migration the groups are no longer private.
> > > They are regular groups.
> > >
> > > > Am I doing something wrong here?
> > >
> > > What does the output of migrate-ds say about the missing groups?
> > >
> > > rob
> > >
> > > >
> > > > Thanks again for your help!
> > > >
> > > >
> > > > Tony
> > > >
> > > >
> > > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten@redhat.com> wrote:
> > > >
> > > > HUANG, TONY wrote:
> > > > > Hi Rob,
> > > > >
> > > > > Thanks for the reply.
> > > > >
> > > > > User Private Group didn't get migrated. When I login I see Group number
> > > > > being a number.
> > > > >
> > > > > How do I migrate UPG over?
> > > >
> > > > I don't see why they didn't migrate in the first place. Using your CLI
> > > > *only* groups migrated for me, not users, because of the error:
> > > >
> > > > tuser: attribute "mepManagedEntry" not allowed
> > > >
> > > > I'd suggest the migration command-line at
> > > > https://www.freeipa.org/page/Howto/Migration
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thanks very much!
> > > > >
> > > > >
> > > > > Tony
> > > > >
> > > > >
> > > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten@redhat.com> wrote:
> > > > >
> > > > > Tony Super via FreeIPA-users wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I am trying to migrate from an IPA server that has FIPS
> > > > > > disabled to an IPA server that has FIPS enabled. Both the old and
> > > > > > the new IPA will have DNS, CA, and etc.
> > > > > >
> > > > > > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> > > > > > --user-container=cn=users,cn=accounts
> > > > > > --group-container=cn=groups,cn=accounts
> > > > > > --group-objectclass=posixgroup
> > > > > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > > > > ldap://oldipa.server.com However, when I
> > > > > > login to a client machine connected to the new IPA server, my file
> > > > > > ownership becomes htony : nobody.
> > > > > >
> > > > > > What steps have I missed within the migration process?
> > > > > >
> > > > > > I've tried exporting cn=groups tree from the old IPA server into a
> > > > > > LDIF and imported to the new IPA server, but it did not solve the
> > > > > > problem.
> > > > >
> > > > > Did your user-private groups migrate? Is there an htony group? What is
> > > > > the group value in getent passwd htony?
> > > > >
> > > > > > For everything else, DNS, sudoers, automount, and etc, can I
> > > > > > simply export from the old server and import into the new server?
> > > > >
> > > > > Probably. It's possible you might have to massage some of the entries
> > > > > but I don't know of anything specific.
> > > > >
> > > > > > I also have 100+ client machines, is there an easy way where I can
> > > > > > unjoin the machines from old-ipa-server and then join to the
> > > > > > new-ipa-server? (My infrastructure is Ansible-enabled)
> > > > > Take a look at the ansible-freeipa project (and not freeipa-ansible).
> > > > >
> > > > > rob
> > > > >
> > > >
> > >
> >
>
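The two checks Rob points at in the thread, written out as an added shell example that is not part of the thread and not FreeIPA's own tooling: before migrating, confirm that every group entry in the source IPA carries the posixgroup objectclass (the only class `ipa migrate-ds --group-objectclass=posixgroup` searches for, so anything else is simply not found); after migrating, confirm on a client of the new server that each user's primary GID resolves to a group, which is the check behind the `id` "cannot find name" message and the `htony : nobody` ownership. All input below is constructed for the example: `dc=example,dc=test`, the `alice`, `bob` and `devs` entries and every GID other than 6314001 are made up, and on a real deployment the LDIF would come from an `ldapsearch` export of `cn=groups,cn=accounts` on the old server and the passwd/group text from `getent passwd` and `getent group` on a client enrolled to the new one.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# (1) groups_without_posixgroup: source-side pre-migration check.
# (2) unresolved_primary_gids: target-side post-migration check.
# All sample data is constructed (see the comments below).

# Print the DN of each LDIF entry that lacks "objectClass: posixgroup".
# $1 = LDIF file, e.g. an ldapsearch export of cn=groups,cn=accounts.
# Note: LDIF continuation lines (leading space) are not joined here.
groups_without_posixgroup() {
    awk '
        function flush() { if (dn != "" && !posix) print dn; dn = ""; posix = 0 }
        /^dn: /                                   { flush(); dn = substr($0, 5); next }
        tolower($0) ~ /^objectclass: posixgroup$/ { posix = 1 }
        /^$/                                      { flush() }
        END                                       { flush() }
    ' "$1"
}

# Print "user:gid" for each passwd entry whose primary GID has no group entry.
# $1 = passwd-format file (getent passwd), $2 = group-format file (getent group).
# FILENAME is compared instead of NR==FNR so an empty group file still works.
unresolved_primary_gids() {
    awk -F: '
        FILENAME == ARGV[1] { gid_seen[$3] = 1; next }   # group: name:pw:gid:members
        !($4 in gid_seen)   { print $1 ":" $4 }          # passwd: name:pw:uid:gid:...
    ' "$2" "$1"
}

# --- constructed sample data (hypothetical, not taken from a real server) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Source-side group export: htony's private group is missing posixgroup.
cat > "$SAMPLE_DIR/groups.ldif" <<'EOF'
dn: cn=htony,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: ipausergroup
cn: htony

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=test
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
cn: devs
gidNumber: 6314010
EOF

# Target-side NSS view: GID 6314001 has no group, so id shows a bare number.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
htony:*:6314001:6314001:Tony:/home/htony:/bin/bash
alice:*:6314002:6314002:Alice:/home/alice:/bin/bash
bob:*:6314003:6314010:Bob:/home/bob:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
alice:*:6314002:
devs:*:6314010:alice,bob
EOF

echo "source groups migrate-ds will not find (no posixgroup objectClass):"
groups_without_posixgroup "$SAMPLE_DIR/groups.ldif"
echo "migrated users whose primary GID does not resolve:"
unresolved_primary_gids "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

Run against real data, the first list is what to fix (or explicitly account for) on the old server before running migrate-ds, and the second list is what remains to be re-created on the new server afterwards; with the sample data each check reports exactly the htony case the thread describes.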