Hi Rob,

Thanks for the reply.

User Private Groups didn't get migrated. When I log in, I see the group number being a number.

How do I migrate UPG over?

Thanks very much!


Tony


On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten@redhat.com> wrote:
Tony Super via FreeIPA-users wrote:
> Hello,
>
> I am trying to migrate from an IPA server that has FIPS disabled to an IPA server that has FIPS enabled. Both the old and the new IPA will have DNS, CA, etc.
>
> I ran: ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-objectclass=mepOriginEntry --with-compat ldap://oldipa.server.com. However, when I log in to a client machine connected to the new IPA server, my file ownership becomes htony:nobody.
>
> What steps have I missed within the migration process?
>
> I've tried exporting cn=groups tree from the old IPA server into a LDIF and imported to the new IPA server, but it did not solve the problem.

Did your user-private groups migrate? Is there an htony group? What is
the group value in getent passwd htony?

> For everything else (DNS, sudoers, automount, etc.), can I simply export from the old server and import into the new server?

Probably. It's possible you might have to massage some of the entries
but I don't know of anything specific.

> I also have 100+ client machines. Is there an easy way to unjoin the machines from old-ipa-server and then join them to new-ipa-server? (My infrastructure is Ansible-enabled.)

Take a look at the ansible-freeipa project (and not freeipa-ansible).

rob
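The check Rob asks for (whether each migrated user's primary GID still resolves to a group of the same name, i.e. a user-private group) can be scripted against `getent` output. The following is an added example, not code from the thread or from the FreeIPA project; the user names htony, alice and bob, their GIDs, and the passwd/group lines are all constructed sample data that imitates `getent passwd` and `getent group` output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Given passwd-style and
# group-style data, report users whose primary group is missing or is not a
# user-private group named after them. Sample data below is constructed.

# Constructed sample: htony has a UPG, alice's GID maps to no group at all
# (shows up as a bare number on the client), bob's GID maps to "nobody".
SAMPLE_PASSWD='htony:*:1234:1234:Tony:/home/htony:/bin/bash
alice:*:1235:1235:Alice:/home/alice:/bin/bash
bob:*:1236:65534:Bob:/home/bob:/bin/bash'

SAMPLE_GROUP='htony:*:1234:
admins:*:1000:
ipausers:*:1001:
nobody:*:65534:'

# upg_check PASSWD_DATA GROUP_DATA
# Prints one tab-separated line per problem user: user, gid, status.
#   NO_GROUP_FOR_GID     the GID resolves to no group (numeric group on client)
#   PRIMARY_GROUP_IS_x   the GID resolves to group x, which is not the user's UPG
# Users whose GID resolves to a group with their own name print nothing.
upg_check() {
    printf '%s\n' "$1" | awk -F: -v groups="$2" '
    BEGIN {
        # Build gid -> group name map from the group data.
        n = split(groups, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, ":")
            if (f[1] != "") gid_name[f[3]] = f[1]
        }
    }
    $1 != "" {
        user = $1; gid = $4
        if (!(gid in gid_name))
            printf "%s\t%s\tNO_GROUP_FOR_GID\n", user, gid
        else if (gid_name[gid] != user)
            printf "%s\t%s\tPRIMARY_GROUP_IS_%s\n", user, gid, gid_name[gid]
    }'
}

# Run against the constructed sample. On a real client, feed it live data, e.g.
#   upg_check "$(getent passwd htony)" "$(getent group)"
upg_check "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Running it on the sample prints alice as NO_GROUP_FOR_GID and bob as PRIMARY_GROUP_IS_nobody, which are the two symptoms described in the thread (a bare group number, and ownership showing as nobody); htony is silent because a group named htony owns GID 1234. Feeding it `getent passwd` for all users will also flag local system accounts whose primary group is legitimately not a UPG, so restrict it to the migrated users when run for real.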