I didn't get any errors regarding user private groups at all, and
the
UPGs didn't even get migrated to become regular POSIX UNIX groups
either. They are just not there, so when I login I see a message
complaining that /usr/bin/id cannot find my group name.
They may not be reported as errors, just part of the output.
You might also want to look at your private groups in the original IPA
to ensure they have the posixgroup objectclass. That is the search
filter being used.
rob
I've tried importing the entire cn=groups, but it didn't solve the
missing UPG problem at all.
On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
HUANG, TONY wrote:
> Rob,
>
> I've tried the command from the website below with the same result.
> Furthermore, at the FreeIPA to FreeIPA section it states "The command
> doesn't migrate user private groups.", which is very strange,
because my
> migration becomes more complicated when i have to change group
ownership
> and potentially user files.
What means is that after migration the groups are no longer private.
They are regular groups.
> Am i doing something wrong here?
What does the output of migrate-ds say about the missing groups?
rob
>
> Thanks again for your help!
>
>
> Tony
>
>
> On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > Thanks for the reply.
> >
> > User Private Group didn't get migrated. When I login I see Group
> number
> > being a number.
> >
> > How do I migrate UPG over?
>
> I don't see why they didn't migrate in the first place. Using
your CLI
> *only* groups migrated for me, not users, because of the error:
>
> tuser: attribute "mepManagedEntry" not allowed
>
> I'd suggest the migration command-line at
> https://www.freeipa.org/page/Howto/Migration
>
> rob
>
> >
> > Thanks very much!
> >
> >
> > Tony
> >
> >
> > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> wrote:
> >
> > Tony Super via FreeIPA-users wrote:
> > > Hello,
> > >
> > > I am trying to migrate from my an IPA server that has FIPS
> > disabled to an IPA server that has FIPS enabled. Both
the old and
> > the new IPA will have DNS, CA, and etc.
> > >
> > > I ran: ipa migrate-ds --bind-dn="cn=Directory
Manager"
> > --user-container=cn=users,cn=accounts
> > --group-container=cn=groups,cn=accounts
> > --group-objectclass=posixgroup
> > --user-ignore-objectclass=mepOriginEntry --with-compat
> > ldap://oldipa.server.com <
http://oldipa.server.com>
<
http://oldipa.server.com>
> <http://oldipa.server.com> However, when I
> > login to a client machine connected to the new IPA
server, my file
> > ownership becomes htony : nobody.
> > >
> > > What steps have I missed within the migration process?
> > >
> > > I've tried exporting cn=groups tree from the old IPA
server
> into a
> > LDIF and imported to the new IPA server, but it did not
solve the
> > problem.
> >
> > Did your user-private groups migrate? Is there an htony
group?
> What is
> > the group value in getent passwd htony?
> >
> > > For everything else, DNS, sudoers, automount, and etc,
can I
> > simply export from the old server and import into the
new server?
> >
> > Probably. It's possible you might have to massage some
of the
> entries
> > but I don't know of anything specific.
> >
> > > I also have 100+ client machines, is there an easy way
where
> I can
> > unjoin the machines from old-ipa-server and then join to the
> > new-ipa-server? (My infrastructure is Ansible-enabled)
> > Take a look at the ansible-freeipa project (and not
> freeipa-ansible).
> >
> > rob
> >
>