Hi Florence. 
I created an new IPA server and tried to migrate but I got the following ...

Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

Alfredo


On Mon, Aug 13, 2018 at 2:04 PM Alfredo De Luca <alfredo.deluca@gmail.com> wrote:
Thanks heaps Florence. Appreciated

Alfredo


On Mon, Aug 13, 2018 at 11:42 AM Florence Blanc-Renaud <flo@redhat.com> wrote:
On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence. yes this clarify my question. So or I will build an new
> FreeIPA then manually add all the users/groups etc ... or maybe import
> at least some users with some sort of ldap command?
>
Hi,

FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1]

Note that other objects need to be migrated manually (sudo, hbac, ...).
The procedure involves retrieving the objects with ldapsearch into a
ldif file, editing the ldif to replace the basedn, and importing to the
new server.

There are a few knowledge base articles related to this topic, for
instance Migrating Your IDM Environment To a New Environment in RHEL 7
[2]. You may also find additional information in the users mailing list.

HTH,
flo

[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
[2] https://access.redhat.com/articles/2949931

> Cheers
>
>
> On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud <flo@redhat.com
> <mailto:flo@redhat.com>> wrote:
>
>     On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
>      > Hi all.
>      > We'd like to change the domain name on our freeipa (4.5.4 on centos
>      > 7.5). Not the realm but only the domain....
>      > is it doable?
>      > If so... how?
>      >
>     Hi,
>
>     unfortunately, no. Please have a look at IdM documentation, section
>     Host
>     Name and DNS Configuration [1]. It contains a big warning:
>     Note that the primary DNS domain and Kerberos realm cannot be changed
>     after the installation.
>
>     Hope this clarifies,
>     flo
>
>     [1]
>     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
>
>      > Cheers
>      >
>      >
>      > --
>      > /Alfredo/
>      >
>      >
>      >
>      > _______________________________________________
>      > FreeIPA-users mailing list --
>     freeipa-users@lists.fedorahosted.org
>     <mailto:freeipa-users@lists.fedorahosted.org>
>      > To unsubscribe send an email to
>     freeipa-users-leave@lists.fedorahosted.org
>     <mailto:freeipa-users-leave@lists.fedorahosted.org>
>      > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>      > List Guidelines:
>     https://fedoraproject.org/wiki/Mailing_list_guidelines
>      > List Archives:
>     https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/HG5BWVSUFHVZ5XT22OAHANND4P4UMJEE/
>      >
>
>
>
> --
> /Alfredo/
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GPFF573QLX2JUFGKKCLCHWKJIKKICYDJ/
>



--
Alfredo



--
Alfredo