Hi Rob. It worked. Thanks.
The name *migrated* was confusing for me; I was thinking it was the new host
rather than the *"old"* one.
Now the users/groups are there, and whoever has the password needs to connect to
the new server in order to recreate their password with Kerberos. I guess
whoever has the SSH keys doesn't need to do that... right?
Now I need to manually migrate the HBAC, sudo, etc.
Thanks
On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca <alfredo.deluca(a)gmail.com>
wrote:
Thanks Rob. I'll give it a try.
Cheers
On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden <rcritten(a)redhat.com>
wrote:
> Alfredo De Luca via FreeIPA-users wrote:
> > Hi Florence.
> > But the example says ldap://*migrated*.freeipa.server.test
> >
> > so I ran the command from the actual server where I want to migrate the
> > users from and pointing to the migrated (so the new which I will migrate
> > to) server...
> > So is it wrong?
> > So should I run the command instead from the new ipa server pointing to
> > the old server?
>
> The old server. You have been trying to migrate the server to itself.
>
> rob
>
> >
> >
> >
> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> >
> > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
> > > The IP is the new server where I'd like to migrate all the user/groups
> > > to and it should be ok.
> > > The migrate-ds is the default I copied from the freeipa.org
> > > migration section..
> > >
> > Hi,
> >
> > the ldap URI should point to the server where the users are currently
> > defined (=the FROM server).
> >
> > Hope this clarifies,
> > flo
> > >
> > >
> > >
> > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > >
> > > Alfredo De Luca via FreeIPA-users wrote:
> > > > Hi Rob.
> > > > Yes. I am following the link you sent. So now I can understand they need
> > > > to create the new Kerberos but given the command I should have seen all
> > > > the users in the new freeipa server... which are not there.
> > > > Maybe I put a wrong command? (below)
> > > >
> > > > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > > > --user-container=cn=users,cn=accounts --group-overwrite-gid
> > > > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> > > > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > > ldap://192.168.20.177:389
> > > >
> > > > Password:
> > > > -----------
> > > > migrate-ds:
> > > > -----------
> > > > Migrated:
> > > > group: admins, editors
> > > > Failed user:
> > > > admin: This entry already exists
> > > > Failed group:
> > > > ----------
> > > > Passwords have been migrated in pre-hashed format.
> > > > IPA is unable to generate Kerberos keys unless provided
> > > > with clear text passwords. All migrated users need to
> > > > login at https://your.domain/ipa/migration/ before they
> > > > can use their Kerberos accounts.
> > >
> > > It isn't finding any of your users. Are you sure that IP address points
> > > to your existing IPA instance?
> > >
> > > rob
> > >
> > >
> > >
> > > --
> > > /Alfredo/
> > >
> > >
> > >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>
--
*Alfredo*
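
An added example, not part of the thread and not FreeIPA code: a pre-flight guard for the mistake diagnosed above, where `ipa migrate-ds` was given the address of the server it was run on. The function names are hypothetical, `192.168.20.177` is the new server's address from the thread, and the check matches names and addresses literally (no DNS lookup, no IPv6 literals).

```shell
#!/bin/sh
# Added example (not from the thread): refuse to run `ipa migrate-ds` when the
# LDAP URI names the machine the command is run on. All function names are
# hypothetical. Matching is literal: no DNS lookup, no IPv6 literals.

# Print the lower-cased host part of an ldap:// or ldaps:// URI.
ldap_uri_host() {
    case "$1" in
        ldap://*|ldaps://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}      # drop the scheme
    rest=${rest%%/*}    # drop any /base-dn suffix
    rest=${rest%%:*}    # drop the :port
    [ -n "$rest" ] || return 1
    printf '%s\n' "$rest" | tr 'A-Z' 'a-z'
}

# Names and addresses of this machine. Assumes `hostname -f` and `hostname -I`
# exist, as they do on Fedora/RHEL hosts that run IPA.
local_identities() {
    printf 'localhost 127.0.0.1 %s ' "$(hostname -f 2>/dev/null | tr 'A-Z' 'a-z')"
    hostname -I 2>/dev/null
}

# check_migration_source URI [LOCAL_IDS]
# Returns 0 if URI points at another host, 1 if it points at this one,
# 2 if it is not an LDAP URI. LOCAL_IDS defaults to local_identities.
check_migration_source() {
    host=$(ldap_uri_host "$1") || {
        echo "refuse: not an ldap:// or ldaps:// URI: $1" >&2
        return 2
    }
    for id in ${2:-$(local_identities)}; do
        if [ "$host" = "$id" ]; then
            echo "refuse: $1 is this server; point migrate-ds at the OLD server" >&2
            return 1
        fi
    done
    echo "ok: $host is not a local name or address"
}

# Usage on the NEW server (old-ipa.example.test is a placeholder):
#   check_migration_source ldap://old-ipa.example.test:389 &&
#       ipa migrate-ds ... ldap://old-ipa.example.test:389
```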