The IP is the new server where I'd like to migrate all the users/groups to and it should be ok.
The migrate-ds is the default I copied from the freeipa.org migration section.




On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten@redhat.com> wrote:
Alfredo De Luca via FreeIPA-users wrote:
> Hi Rob. 
> Yes. I am following the link you sent. So now I can understand they need
> to create the new Kerberos but given the command I should have seen all
> the users in the new freeipa server... which are not there. 
> Maybe I put a wrong command? (below)
>
> ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts --group-overwrite-gid
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://192.168.20.177:389
>
> Password:
> -----------
> migrate-ds:
> -----------
> Migrated:
>   group: admins, editors
> Failed user:
>   admin: This entry already exists
> Failed group:
> ----------
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.

It isn't finding any of your users. Are you sure that IP address points
to your existing IPA instance?

rob


--
Alfredo