On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote: > Hi all. > We'd like to change the domain name on our freeipa (4.5.4 on centos > 7.5). Not the realm but only the domain.... > is it doable? > If so... how? > Hi, unfortunately, no. Please have a look at IdM documentation, section Host Name and DNS Configuration [1]. It contains a big warning: Note that the primary DNS domain and Kerberos realm cannot be changed after the installation. Hope this clarifies, flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > Cheers > > > -- > /Alfredo/ > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... >

On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote: > Hi Florence. yes this clarify my question. So or I will build an new > FreeIPA then manually add all the users/groups etc ... or maybe import > at least some users with some sort of ldap command? > Hi, FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1] Note that other objects need to be migrated manually (sudo, hbac, ...). The procedure involves retrieving the objects with ldapsearch into a ldif file, editing the ldif to replace the basedn, and importing to the new server. There are a few knowledge base articles related to this topic, for instance Migrating Your IDM Environment To a New Environment in RHEL 7 [2]. You may also find additional information in the users mailing list. HTH, flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... [2] https://access.redhat.com/articles/2949931 > Cheers > > > On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud <flo(a)redhat.com > <mailto:flo@redhat.com>> wrote: > > On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote: > > Hi all. > > We'd like to change the domain name on our freeipa (4.5.4 on centos > > 7.5). Not the realm but only the domain.... > > is it doable? > > If so... how? > > > Hi, > > unfortunately, no. Please have a look at IdM documentation, section > Host > Name and DNS Configuration [1]. It contains a big warning: > Note that the primary DNS domain and Kerberos realm cannot be changed > after the installation. > > Hope this clarifies, > flo > > [1] > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > > > Cheers > > > > > > -- > > /Alfredo/ > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- > freeipa-users(a)lists.fedorahosted.org > <mailto:freeipa-users@lists.fedorahosted.org> > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... > > > > > > -- > /Alfredo/ > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... >

Hi Florence. I created an new IPA server and tried to migrate but I got the following ... *Passwords have been migrated in pre-hashed format.* *IPA is unable to generate Kerberos keys unless provided* *with clear text passwords. All migrated users need to* *login at https://your.domain/ipa/migration/ before they* *can use their Kerberos accounts.*

Alfredo On Mon, Aug 13, 2018 at 2:04 PM Alfredo De Luca <alfredo.deluca(a)gmail.com <mailto:alfredo.deluca@gmail.com>> wrote: Thanks heaps Florence. Appreciated Alfredo On Mon, Aug 13, 2018 at 11:42 AM Florence Blanc-Renaud <flo(a)redhat.com <mailto:flo@redhat.com>> wrote: On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote: > Hi Florence. yes this clarify my question. So or I will build an new > FreeIPA then manually add all the users/groups etc ... or maybe import > at least some users with some sort of ldap command? > Hi, FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1] Note that other objects need to be migrated manually (sudo, hbac, ...). The procedure involves retrieving the objects with ldapsearch into a ldif file, editing the ldif to replace the basedn, and importing to the new server. There are a few knowledge base articles related to this topic, for instance Migrating Your IDM Environment To a New Environment in RHEL 7 [2]. You may also find additional information in the users mailing list. HTH, flo [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... [2] https://access.redhat.com/articles/2949931 > Cheers > > > On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud <flo(a)redhat.com <mailto:flo@redhat.com> > <mailto:flo@redhat.com <mailto:flo@redhat.com>>> wrote: > >     On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote: >      > Hi all. >      > We'd like to change the domain name on our freeipa (4.5.4 on centos >      > 7.5). Not the realm but only the domain.... >      > is it doable? >      > If so... how? >      > >     Hi, > >     unfortunately, no. Please have a look at IdM documentation, section >     Host >     Name and DNS Configuration [1]. It contains a big warning: >     Note that the primary DNS domain and Kerberos realm cannot be changed >     after the installation. > >     Hope this clarifies, >     flo > >     [1] > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... > >      > Cheers >      > >      > >      > -- >      > /Alfredo/ >      > >      > >      > >      > _______________________________________________ >      > FreeIPA-users mailing list -- > freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> >     <mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org>> >      > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> >     <mailto:freeipa-users-leave@lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org>> >      > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html >      > List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines >      > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... >      > > > > > -- > /Alfredo/ > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... > -- /Alfredo/ -- /Alfredo/

Hi Florence. Thanks again. I understand about the password hash... but does it mean all the users need to do that before migration? or after?  Cause in the new ipa server can 't see any of the users/groups. 

Hi Rob.  Yes. I am following the link you sent. So now I can understand they need to create the new Kerberos but given the command I should have seen all the users in the new freeipa server... which are not there.  Maybe I put a wrong command? (below) ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-overwrite-gid --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://192.168.20.177:389 <http://192.168.20.177:389> Password: ----------- migrate-ds: ----------- Migrated:   group: admins, editors Failed user:   admin: This entry already exists Failed group: ---------- Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.

The IP is the new server where I'd like to migrate all the user/groups to and it  should be ok. The migrate-ds is the default I copy from the freeipa.org <http://freeipa.org> migration section..

On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com>> wrote: Alfredo De Luca via FreeIPA-users wrote: > Hi Rob. > Yes. I am following the link you sent. So now I can understand they need > to create the new Kerberos but given the command I should have seen all > the users in the new freeipa server... which are not there. > Maybe I put a wrong command? (below) > > ipa migrate-ds --bind-dn="cn=Directory Manager" > --user-container=cn=users,cn=accounts --group-overwrite-gid > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} > --user-ignore-objectclass=mepOriginEntry --with-compat > ldap://192.168.20.177:389 <http://192.168.20.177:389> <http://192.168.20.177:389> > > Password: > ----------- > migrate-ds: > ----------- > Migrated: >   group: admins, editors > Failed user: >   admin: This entry already exists > Failed group: > ---------- > Passwords have been migrated in pre-hashed format. > IPA is unable to generate Kerberos keys unless provided > with clear text passwords. All migrated users need to > login at https://your.domain/ipa/migration/ before they > can use their Kerberos accounts. It isn't finding any of your users. Are you sure that IP address points to your existing IPA instance? rob -- /Alfredo/ _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...

Hi Florence.  But the example says  ldap://*migrated*.freeipa.server.test so I ran the command from the actual server where I want migrate the users from and pointing to the migrated (so the new which I will migrate to) server... So is it wrong?  So should I run the command instead fron the new ipa server pointing to the old server?

On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud <flo(a)redhat.com <mailto:flo@redhat.com>> wrote: On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote: > The IP is the new server where I'd like to migrate all the user/groups > to and it  should be ok. > The migrate-ds is the default I copy from the freeipa.org <http://freeipa.org> > <http://freeipa.org> migration section.. > Hi, the ldap URI should point to the server where the users are currently defined (=the FROM server). Hope this clarifies, flo > > > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden <rcritten(a)redhat.com <mailto:rcritten@redhat.com> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> wrote: > >     Alfredo De Luca via FreeIPA-users wrote: >      > Hi Rob. >      > Yes. I am following the link you sent. So now I can understand >     they need >      > to create the new Kerberos but given the command I should have >     seen all >      > the users in the new freeipa server... which are not there. >      > Maybe I put a wrong command? (below) >      > >      > ipa migrate-ds --bind-dn="cn=Directory Manager" >      > --user-container=cn=users,cn=accounts --group-overwrite-gid >      > --group-container=cn=groups,cn=accounts >     --group-objectclass=posixgroup >      > >     --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} >      > --user-ignore-objectclass=mepOriginEntry --with-compat >      > ldap://192.168.20.177:389 <http://192.168.20.177:389> <http://192.168.20.177:389> >     <http://192.168.20.177:389> >      > >      > Password: >      > ----------- >      > migrate-ds: >      > ----------- >      > Migrated: >      >   group: admins, editors >      > Failed user: >      >   admin: This entry already exists >      > Failed group: >      > ---------- >      > Passwords have been migrated in pre-hashed format. >      > IPA is unable to generate Kerberos keys unless provided >      > with clear text passwords. All migrated users need to >      > login at https://your.domain/ipa/migration/ before they >      > can use their Kerberos accounts. > >     It isn't finding any of your users. Are you sure that IP address points >     to your existing IPA instance? > >     rob > > > > -- > /Alfredo/ > > > > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org <mailto:freeipa-users-leave@lists.fedorahosted.org> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... > -- /Alfredo/ _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...

Thanks Rob. I ll give a try. CHeers On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden <rcritten(a)redhat.com&gt; wrote: > Alfredo De Luca via FreeIPA-users wrote: > > Hi Florence. > > But the example says ldap://*migrated*.freeipa.server.test > > > > so I ran the command from the actual server where I want migrate the > > users from and pointing to the migrated (so the new which I will migrate > > to) server... > > So is it wrong? > > So should I run the command instead fron the new ipa server pointing to > > the old server? > > The old server. You have been trying to migrate the server to itself. > > rob > > > > > > > > > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud <flo(a)redhat.com > > <mailto:flo@redhat.com>> wrote: > > > > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote: > > > The IP is the new server where I'd like to migrate all the > > user/groups > > > to and it should be ok. > > > The migrate-ds is the default I copy from the freeipa.org > > <http://freeipa.org> > > > <http://freeipa.org> migration section.. > > > > > Hi, > > > > the ldap URI should point to the server where the users are > currently > > defined (=the FROM server). > > > > Hope this clarifies, > > flo > > > > > > > > > > > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden > > <rcritten(a)redhat.com <mailto:rcritten@redhat.com> > > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>> wrote: > > > > > > Alfredo De Luca via FreeIPA-users wrote: > > > > Hi Rob. > > > > Yes. I am following the link you sent. So now I can > understand > > > they need > > > > to create the new Kerberos but given the command I should > have > > > seen all > > > > the users in the new freeipa server... which are not there. > > > > Maybe I put a wrong command? (below) > > > > > > > > ipa migrate-ds --bind-dn="cn=Directory Manager" > > > > --user-container=cn=users,cn=accounts --group-overwrite-gid > > > > --group-container=cn=groups,cn=accounts > > > --group-objectclass=posixgroup > > > > > > > > > > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} > > > > --user-ignore-objectclass=mepOriginEntry --with-compat > > > > ldap://192.168.20.177:389 <http://192.168.20.177:389> > > <http://192.168.20.177:389> > > > <http://192.168.20.177:389> > > > > > > > > Password: > > > > ----------- > > > > migrate-ds: > > > > ----------- > > > > Migrated: > > > > group: admins, editors > > > > Failed user: > > > > admin: This entry already exists > > > > Failed group: > > > > ---------- > > > > Passwords have been migrated in pre-hashed format. > > > > IPA is unable to generate Kerberos keys unless provided > > > > with clear text passwords. All migrated users need to > > > > login at https://your.domain/ipa/migration/ before they > > > > can use their Kerberos accounts. > > > > > > It isn't finding any of your users. Are you sure that IP > > address points > > > to your existing IPA instance? > > > > > > rob > > > > > > > > > > > > -- > > > /Alfredo/ > > > > > > > > > > > > _______________________________________________ > > > FreeIPA-users mailing list -- > freeipa-users(a)lists.fedorahosted.org > > <mailto:freeipa-users@lists.fedorahosted.org> > > > To unsubscribe send an email to > > freeipa-users-leave(a)lists.fedorahosted.org > > <mailto:freeipa-users-leave@lists.fedorahosted.org> > > > Fedora Code of Conduct: > https://getfedora.org/code-of-conduct.html > > > List Guidelines: > > https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... > > > > > > > > > > > -- > > /Alfredo/ > > > > > > > > _______________________________________________ > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah... > > > > -- *Alfredo*