Hi Florence.
But the example says ldap://*migrated*.freeipa.server.test
so I ran the command from the actual server where I want migrate the users
from and pointing to the migrated (so the new which I will migrate to)
server...
So is it wrong?
So should I run the command instead fron the new ipa server pointing to the
old server?
On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud <flo(a)redhat.com>
wrote:
On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
> The IP is the new server where I'd like to migrate all the user/groups
> to and it should be ok.
> The migrate-ds is the default I copy from the
freeipa.org
> <
http://freeipa.org> migration section..
>
Hi,
the ldap URI should point to the server where the users are currently
defined (=the FROM server).
Hope this clarifies,
flo
>
>
>
> On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Alfredo De Luca via FreeIPA-users wrote:
> > Hi Rob.
> > Yes. I am following the link you sent. So now I can understand
> they need
> > to create the new Kerberos but given the command I should have
> seen all
> > the users in the new freeipa server... which are not there.
> > Maybe I put a wrong command? (below)
> >
> > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > --user-container=cn=users,cn=accounts --group-overwrite-gid
> > --group-container=cn=groups,cn=accounts
> --group-objectclass=posixgroup
> >
>
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > --user-ignore-objectclass=mepOriginEntry --with-compat
> > ldap://192.168.20.177:389 <
http://192.168.20.177:389>
> <
http://192.168.20.177:389>
> >
> > Password:
> > -----------
> > migrate-ds:
> > -----------
> > Migrated:
> > group: admins, editors
> > Failed user:
> > admin: This entry already exists
> > Failed group:
> > ----------
> > Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords. All migrated users need to
> > login at
https://your.domain/ipa/migration/ before they
> > can use their Kerberos accounts.
>
> It isn't finding any of your users. Are you sure that IP address
points
> to your existing IPA instance?
>
> rob
>
>
>
> --
> /Alfredo/
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>