Hi Rob,
I have been starting from scratch. I will check my logs again. My environment is disconnected from the Internet and I can't easily copy and paste to the thread. My IPA version is the same going from the old to the new (4.8 I believe). The reason I had to do an IPA to IPA migration is because my old one is not FIPS enabled whereas my new one is FIPS enabled; therefore, I can't just replicate it by promoting it.
When your "ipa migrate-ds" worked for you, did you also get nobody as your group ownership to the files in your home directory? Similar to when I login to the client machine connected to the newly migrated IPA server, I get "/usr/bin/id Cannot find name with GID 6314001", and "ls -l /home/htony" shows htony : nobody on all of my files and directories.
No, everything is looking fine. The nss commands like getent and id all show the properly resolved group names.
Red Hat support is telling me to delete the users and re-create them ... which defeats the purpose of running ipa migrate-ds ... and I have many users and home directories on an NFS share.
They may be confused by UPG. There is currently no way to add a UPG to an existing user, so re-creating the user is the only way.
I am fine if there is no way to do this migration easily, but before coming to that conclusion I am trying to find a way forward.
It's hard to help without seeing what is going on beyond the symptom. Like I said, the migration cli I provided works for me.
rob
Thanks again!
--Tony
On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> I've asked Red Hat support, and the support engineer is telling me that it doesn't support migrating User Private Groups and has pointed me over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536. The support engineer is also asking me to create new UPGs.
It's true that migrating UPG is not possible. The group is converted into a standard group. You can't create a UPG manually by default. I was curious one day and worked out a way to re-attach a group, but that's a different problem.
I don't think you've ever said which version of IPA you are migrating from/to. Versions sometimes can make a big difference.
You also aren't saying what you are doing in between attempts. Are you fully starting over in between executions or re-running migrate-ds? It would be truly helpful to see the output of the command when groups fail to migrate. If it fails it will say so. If it doesn't include the groups at all then it isn't finding them.
migrate-ds doesn't do anything particularly complicated. It does LDAP searches for the various objects. For groups, since you specified --group-objectclass=posixaccount it's going to search for all of those. This should be visible in your access log.
This works for me:

  ipa migrate-ds --bind-dn="cn=Directory Manager" \
    --user-container=cn=users,cn=accounts \
    --group-container=cn=groups,cn=accounts \
    --group-objectclass=posixgroup \
    --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
    --user-ignore-objectclass mepOriginEntry \
    --group-ignore-attribute=mepmanagedby \
    --group-ignore-objectclass=mepmanagedEntry \
    --with-compat \
    ldap://ipa.example.test
> Now my question is if ipa migrate-ds doesn't support migration of UPG, then how do I move forward after running ipa migrate-ds? I currently have GIDs that don't associate to usernames and group file ownership is nobody.
Like I said, it doesn't migrate UPGs so that they continue to be UPGs, but it will migrate the groups.
> Looking to see if anyone in the community has done an IPA to IPA migration ...
Have you searched the list archives?
rob
>
> Thanks!
>
> On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> HUANG, TONY wrote:
> > I didn't get any errors regarding user private groups at all, and the UPGs didn't even get migrated to become regular POSIX UNIX groups either. They are just not there, so when I login I see a message complaining that /usr/bin/id cannot find my group name.
>
> They may not be reported as errors, just part of the output.
>
> You might also want to look at your private groups in the original IPA to ensure they have the posixgroup objectclass. That is the search filter being used.
>
> rob
>
> >
> > I've tried importing the entire cn=groups, but it didn't solve the missing UPG problem at all.
> >
> > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > HUANG, TONY wrote:
> > > Rob,
> > >
> > > I've tried the command from the website below with the same result. Furthermore, at the FreeIPA to FreeIPA section it states "The command doesn't migrate user private groups.", which is very strange, because my migration becomes more complicated when I have to change group ownership and potentially user files.
> >
> > What that means is that after migration the groups are no longer private. They are regular groups.
> >
> > > Am i doing something wrong here?
> >
> > What does the output of migrate-ds say about the missing groups?
> >
> > rob
> >
> > >
> > > Thanks again for your help!
> > >
> > >
> > > Tony
> > >
> > >
> > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > >
> > > HUANG, TONY wrote:
> > > > Hi Rob,
> > > >
> > > > Thanks for the reply.
> > > >
> > > > User Private Group didn't get migrated. When I login I see Group number being a number.
> > > >
> > > > How do I migrate UPG over?
> > >
> > > I don't see why they didn't migrate in the first place. Using your CLI *only* groups migrated for me, not users, because of the error:
> > >
> > >     tuser: attribute "mepManagedEntry" not allowed
> > >
> > > I'd suggest the migration command-line at
> > > https://www.freeipa.org/page/Howto/Migration
> > >
> > > rob
> > >
> > > >
> > > > Thanks very much!
> > > >
> > > >
> > > > Tony
> > > >
> > > >
> > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > > >
> > > > Tony Super via FreeIPA-users wrote:
> > > > > Hello,
> > > > >
> > > > > I am trying to migrate from an IPA server that has FIPS disabled to an IPA server that has FIPS enabled. Both the old and the new IPA will have DNS, CA, etc.
> > > > >
> > > > > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-objectclass=mepOriginEntry --with-compat ldap://oldipa.server.com
> > > > > However, when I login to a client machine connected to the new IPA server, my file ownership becomes htony : nobody.
> > > > >
> > > > > What steps have I missed within the migration process?
> > > > >
> > > > > I've tried exporting the cn=groups tree from the old IPA server into an LDIF and importing it to the new IPA server, but it did not solve the problem.
> > > >
> > > > Did your user-private groups migrate? Is there an htony group? What is the group value in getent passwd htony?
> > > >
> > > > > For everything else, DNS, sudoers, automount, etc., can I simply export from the old server and import into the new server?
> > > >
> > > > Probably. It's possible you might have to massage some of the entries but I don't know of anything specific.
> > > >
> > > > > I also have 100+ client machines, is there an easy way where I can unjoin the machines from old-ipa-server and then join to the new-ipa-server? (My infrastructure is Ansible-enabled)
> > > >
> > > > Take a look at the ansible-freeipa project (and not freeipa-ansible).
> > > >
> > > > rob
> > > >
> > >
> >
>
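As an added example, not code from this thread or from the FreeIPA project, the following Python script performs offline the pre-migration check Rob describes above: it reads a users export and a groups export (what ldapsearch -LLL against cn=users,cn=accounts and cn=groups,cn=accounts on the old server would produce) and reports users whose gidNumber matches no group entry, groups that lack the posixgroup objectclass and so are not matched by --group-objectclass=posixgroup, and users still carrying the attributes that the migrate-ds command in the thread lists under --user-ignore-attribute. The LDIF embedded below is constructed sample data, the parser is a minimal one written for this example rather than python-ldap, and the names parse_ldif and check_migration are this example's own.

```python
import base64
from collections import defaultdict

# Lower-cased names of the attributes the thread's migrate-ds invocation drops
# with --user-ignore-attribute; leaving them on a source user is what produces
# errors such as: attribute "mepManagedEntry" not allowed
IGNORED_USER_ATTRS = {
    "krbprincipalname", "krbextradata", "krblastfailedauth", "krblastpwdchange",
    "krblastsuccessfulauth", "krbloginfailedcount", "krbpasswordexpiration",
    "krbticketflags", "krbpwdpolicyreference", "mepmanagedentry",
}

# Constructed sample exports (not real directory data): htony's private group
# is fine, alice's group lacks the posixgroup objectclass, and bob's gidNumber
# has no group entry at all.
USERS_LDIF = """\
dn: uid=htony,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: mepOriginEntry
uid: htony
uidNumber: 6314001
gidNumber: 6314001
mepManagedEntry: cn=htony,cn=groups,cn=accounts,dc=example,dc=test
krbLastPwdChange: 20230410120000Z

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: alice
uidNumber: 6314002
gidNumber: 6314002

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: bob
uidNumber: 6314003
gidNumber: 6314003
"""

GROUPS_LDIF = """\
dn: cn=htony,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: mepManagedEntry
cn: htony
gidNumber: 6314001
mepManagedBy: uid=htony,cn=users,cn=accounts,dc=example,dc=test

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipausergroup
cn: alice
gidNumber: 6314002
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr_lower: [values]})].
    Handles folded continuation lines and base64 ('::') values; blank lines
    separate entries. Enough for ldapsearch -LLL output, not full RFC 2849."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded line: append to previous
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, None
    for line in unfolded + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        value = value.strip()
        if name.lower() == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[name.lower()].append(value)
    return entries


def check_migration(users_ldif, groups_ldif):
    """Cross-check users against groups the way migrate-ds will see them:
    a group is only found by --group-objectclass=posixgroup if it carries that
    objectclass, and a user whose gidNumber matches no migrated group is what
    'id' later reports as an unknown GID and 'ls -l' shows as 'nobody'."""
    groups_by_gid = {}
    for dn, a in parse_ldif(groups_ldif):
        ocs = {oc.lower() for oc in a.get("objectclass", [])}
        for gid in a.get("gidnumber", []):
            groups_by_gid[gid] = (dn, ocs)
    findings = {"missing_group": [], "group_not_posixgroup": [], "attrs_to_ignore": []}
    for dn, a in parse_ldif(users_ldif):
        if "posixaccount" not in {oc.lower() for oc in a.get("objectclass", [])}:
            continue
        uid = a.get("uid", [dn])[0]
        for gid in a.get("gidnumber", []):
            if gid not in groups_by_gid:
                findings["missing_group"].append((uid, gid))
            elif "posixgroup" not in groups_by_gid[gid][1]:
                findings["group_not_posixgroup"].append((uid, gid, groups_by_gid[gid][0]))
        extra = sorted(set(a) & IGNORED_USER_ATTRS)
        if extra:
            findings["attrs_to_ignore"].append((uid, extra))
    return findings


if __name__ == "__main__":
    for kind, rows in check_migration(USERS_LDIF, GROUPS_LDIF).items():
        print(kind, rows)
```

Run against real exports by replacing the two embedded strings with the contents of the LDIF files; anything listed under group_not_posixgroup is a group migrate-ds will silently leave out with the posixgroup filter, and anything under missing_group is a user who will land on the new server with an unresolvable GID.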