The IP is the new server where I'd like to migrate all the user/groups to
and it should be ok.
The migrate-ds is the default I copy from the
migration
section..
On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Alfredo De Luca via FreeIPA-users wrote:
> Hi Rob.
> Yes. I am following the link you sent. So now I can understand they need
> to create the new Kerberos but given the command I should have seen all
> the users in the new freeipa server... which are not there.
> Maybe I put a wrong command? (below)
>
> ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts --group-overwrite-gid
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://192.168.20.177:389 <
http://192.168.20.177:389>
>
> Password:
> -----------
> migrate-ds:
> -----------
> Migrated:
> group: admins, editors
> Failed user:
> admin: This entry already exists
> Failed group:
> ----------
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at
https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
It isn't finding any of your users. Are you sure that IP address points
to your existing IPA instance?
rob