Thanks heaps Angus. Appreciated.

/Alfredo

On Fri, 17 Aug 2018, 10:40 Angus Clarke, <subscriptions@angusclarke.com> wrote:
You might find some useful tips here:

https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html

Not sure if they did drop their other scripts into GitHub (as suggested two thirds down).

Regards
Angus


On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi Rob. It worked. Thanks.
The name "migrated" was confusing for me; I thought it was the new host rather than the "old" one.
Now users/groups are there and whoever has the password needs to connect to the new server in order to recreate their password with Kerberos. I guess those who have the SSH keys don't need to do that... right?

Now I need to manually migrate the HBAC, sudo, etc.

Thanks
 

On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca <alfredo.deluca@gmail.com> wrote:
Thanks Rob. I'll give it a try.
Cheers

On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden <rcritten@redhat.com> wrote:
Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence.
> But the example says ldap://*migrated*.freeipa.server.test
>
> so I ran the command from the actual server where I want to migrate the
> users from and pointing to the migrated (so the new which I will migrate
> to) server...
> So is it wrong?
> So should I run the command instead from the new ipa server pointing to
> the old server?

The old server. You have been trying to migrate the server to itself.

rob

>
>
>
> On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
>
>     On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
>     > The IP is the new server where I'd like to migrate all the user/groups
>     > to and it should be ok.
>     > The migrate-ds is the default I copy from the freeipa.org
>     > migration section..
>     >
>     Hi,
>
>     the ldap URI should point to the server where the users are currently
>     defined (=the FROM server).
>
>     Hope this clarifies,
>     flo
>     >
>     >
>     >
>     > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten@redhat.com> wrote:
>     >
>     >     Alfredo De Luca via FreeIPA-users wrote:
>     >      > Hi Rob.
>     >      > Yes. I am following the link you sent. So now I can understand they need
>     >      > to create the new Kerberos but given the command I should have seen all
>     >      > the users in the new freeipa server... which are not there.
>     >      > Maybe I put a wrong command? (below)
>     >      >
>     >      > ipa migrate-ds --bind-dn="cn=Directory Manager"
>     >      > --user-container=cn=users,cn=accounts --group-overwrite-gid
>     >      > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>     >      > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
>     >      > --user-ignore-objectclass=mepOriginEntry --with-compat
>     >      > ldap://192.168.20.177:389
>     >      >
>     >      > Password:
>     >      > -----------
>     >      > migrate-ds:
>     >      > -----------
>     >      > Migrated:
>     >      >   group: admins, editors
>     >      > Failed user:
>     >      >   admin: This entry already exists
>     >      > Failed group:
>     >      > ----------
>     >      > Passwords have been migrated in pre-hashed format.
>     >      > IPA is unable to generate Kerberos keys unless provided
>     >      > with clear text passwords. All migrated users need to
>     >      > login at https://your.domain/ipa/migration/ before they
>     >      > can use their Kerberos accounts.
>     >
>     >     It isn't finding any of your users. Are you sure that IP address points
>     >     to your existing IPA instance?
>     >
>     >     rob
>     >
>     >
>     >
>     > --
>     > /Alfredo/
>     >
>     >
>     >
>     >
>
>
>
> --
> /Alfredo/
>
>
>
>



--
Alfredo





_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/KI32QFU4SCN3CKBP6ZODISPLPLFYW3S2/
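
The mistake resolved in this thread, pointing `ipa migrate-ds` at the server it is run on instead of the old server, can be caught before the Directory Manager password is entered. The pre-flight check below is an added example, not part of the original messages or of FreeIPA; the function names and the `old-ipa.example.test` host are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for `ipa migrate-ds`.
# The LDAP URI must name the OLD (source) server, never the host the command
# is run on. Function names and sample hosts are hypothetical.

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the host part of ldap://host[:port][/dn] or ldaps://[v6addr]:port
ldap_uri_host() {
    case "$1" in
        ldap://*|ldaps://*) _h="${1#*://}" ;;
        *) return 1 ;;                              # not an LDAP URI
    esac
    _h="${_h%%/*}"                                  # drop any trailing /base-dn
    case "$_h" in
        \[*\]*) _h="${_h#\[}"; _h="${_h%%\]*}" ;;   # bracketed IPv6 literal
        *)      _h="${_h%%:*}" ;;                   # strip :port
    esac
    [ -n "$_h" ] || return 1
    lc "$_h"
}

# targets_self URI NAME...  -> 0 if the URI host is one of NAME..., 1 if not,
# 2 if the URI cannot be parsed.
targets_self() {
    _host="$(ldap_uri_host "$1")" || return 2
    shift
    for _name in "$@"; do
        if [ "$_host" = "$(lc "$_name")" ]; then return 0; fi
    done
    return 1
}

# Names and addresses of the machine this runs on (the NEW IPA server).
local_identities() {
    printf '%s\n' localhost 127.0.0.1 ::1
    hostname -f 2>/dev/null || :
    hostname -I 2>/dev/null | tr ' ' '\n'           # Linux hostname(1) only
}

# preflight URI -> 0 ok, 1 URI points back at this host, 2 not an LDAP URI.
preflight() {
    _rc=0; targets_self "$1" $(local_identities) || _rc=$?
    case "$_rc" in
        0) echo "refusing: $1 is this host; use the old server's URI" >&2; return 1 ;;
        2) echo "not an LDAP URI: $1" >&2; return 2 ;;
    esac
    echo "ok: run 'ipa migrate-ds ... $1' here, on the new server"
}
```

Run `preflight ldap://old-ipa.example.test:389` on the new server before the real `ipa migrate-ds` call; a return of 1 is the "migrate the server to itself" case from the thread.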