8:23 p.m.
Hello,
I am trying to migrate from my an IPA server that has FIPS disabled to an IPA server that
has FIPS enabled. Both the old and the new IPA will have DNS, CA, and etc.
I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts
--group-objectclass=posixgroup --user-ignore-objectclass=mepOriginEntry --with-compat
ldap://oldipa.server.com However, when I login to a client machine connected to the new
IPA server, my file ownership becomes htony : nobody.
What steps have I missed within the migration process?
I've tried exporting cn=groups tree from the old IPA server into a LDIF and imported
to the new IPA server, but it did not solve the problem.
For everything else, DNS, sudoers, automount, and etc, can I simply export from the old
server and import into the new server?
I also have 100+ client machines, is there an easy way where I can unjoin the machines
from old-ipa-server and then join to the new-ipa-server? (My infrastructure is
Ansible-enabled)
Thanks in advance!
Best,
Tony
9:34 a.m.
Tony Super via FreeIPA-users wrote:
Hello,
I am trying to migrate from my an IPA server that has FIPS disabled to an IPA server that
has FIPS enabled. Both the old and the new IPA will have DNS, CA, and etc.
I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts
--group-objectclass=posixgroup --user-ignore-objectclass=mepOriginEntry --with-compat
ldap://oldipa.server.com However, when I login to a client machine connected to the new
IPA server, my file ownership becomes htony : nobody.
What steps have I missed within the migration process?
I've tried exporting cn=groups tree from the old IPA server into a LDIF and imported
to the new IPA server, but it did not solve the problem.
Did your user-private groups migrate? Is there an htony group? What is
the group value in getent passwd htony?
For everything else, DNS, sudoers, automount, and etc, can I simply
export from the old server and import into the new server?
Probably. It's possible you might have to massage some of the entries
but I don't know of anything specific.
I also have 100+ client machines, is there an easy way where I can
unjoin the machines from old-ipa-server and then join to the new-ipa-server? (My
infrastructure is Ansible-enabled)
Take a look at the ansible-freeipa project (and
not freeipa-ansible).
rob
9:50 a.m.
Hi Rob,
Thanks for the reply.
User Private Group didn't get migrated. When I login I see Group number
being a number.
How do I migrate UPG over?
Thanks very much!
Tony
On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Tony Super via FreeIPA-users wrote:
> Hello,
>
> I am trying to migrate from my an IPA server that has FIPS disabled to
an IPA server that has FIPS enabled. Both the old and the new IPA will have
DNS, CA, and etc.
>
> I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-objectclass=mepOriginEntry --with-compat ldap://
oldipa.server.com However, when I login to a client machine connected to
the new IPA server, my file ownership becomes htony : nobody.
>
> What steps have I missed within the migration process?
>
> I've tried exporting cn=groups tree from the old IPA server into a LDIF
and imported to the new IPA server, but it did not solve the problem.
Did your user-private groups migrate? Is there an htony group? What is
the group value in getent passwd htony?
> For everything else, DNS, sudoers, automount, and etc, can I simply
export from the old server and import into the new server?
Probably. It's possible you might have to massage some of the entries
but I don't know of anything specific.
> I also have 100+ client machines, is there an easy way where I can
unjoin the machines from old-ipa-server and then join to the
new-ipa-server? (My infrastructure is Ansible-enabled)
Take a look at the ansible-freeipa project (and not freeipa-ansible).
rob
11:06 a.m.
HUANG, TONY wrote:
Hi Rob,
Thanks for the reply.
User Private Group didn't get migrated. When I login I see Group number
being a number.
How do I migrate UPG over?
I don't see why they didn't migrate in the first place. Using your CLI
*only* groups migrated for me, not users, because of the error:
tuser: attribute "mepManagedEntry" not allowed
I'd suggest the migration command-line at
https://www.freeipa.org/page/Howto/Migration
rob
Thanks very much!
Tony
On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
Tony Super via FreeIPA-users wrote:
> Hello,
>
> I am trying to migrate from my an IPA server that has FIPS
disabled to an IPA server that has FIPS enabled. Both the old and
the new IPA will have DNS, CA, and etc.
>
> I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts
--group-objectclass=posixgroup
--user-ignore-objectclass=mepOriginEntry --with-compat
ldap://oldipa.server.com <http://oldipa.server.com> However, when I
login to a client machine connected to the new IPA server, my file
ownership becomes htony : nobody.
>
> What steps have I missed within the migration process?
>
> I've tried exporting cn=groups tree from the old IPA server into a
LDIF and imported to the new IPA server, but it did not solve the
problem.
Did your user-private groups migrate? Is there an htony group? What is
the group value in getent passwd htony?
> For everything else, DNS, sudoers, automount, and etc, can I
simply export from the old server and import into the new server?
Probably. It's possible you might have to massage some of the entries
but I don't know of anything specific.
> I also have 100+ client machines, is there an easy way where I can
unjoin the machines from old-ipa-server and then join to the
new-ipa-server? (My infrastructure is Ansible-enabled)
Take a look at the ansible-freeipa project (and not freeipa-ansible).
rob
11:48 a.m.
Rob,
I've tried the command from the website below with the same result.
Furthermore, at the FreeIPA to FreeIPA section it states "The command
doesn't migrate user private groups.", which is very strange, because my
migration becomes more complicated when i have to change group ownership
and potentially user files.
Am i doing something wrong here?
Thanks again for your help!
Tony
On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> Thanks for the reply.
>
> User Private Group didn't get migrated. When I login I see Group number
> being a number.
>
> How do I migrate UPG over?
I don't see why they didn't migrate in the first place. Using your CLI
*only* groups migrated for me, not users, because of the error:
tuser: attribute "mepManagedEntry" not allowed
I'd suggest the migration command-line at
https://www.freeipa.org/page/Howto/Migration
rob
>
> Thanks very much!
>
>
> Tony
>
>
> On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Tony Super via FreeIPA-users wrote:
> > Hello,
> >
> > I am trying to migrate from my an IPA server that has FIPS
> disabled to an IPA server that has FIPS enabled. Both the old and
> the new IPA will have DNS, CA, and etc.
> >
> > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts
> --group-objectclass=posixgroup
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://oldipa.server.com <http://oldipa.server.com> However, when I
> login to a client machine connected to the new IPA server, my file
> ownership becomes htony : nobody.
> >
> > What steps have I missed within the migration process?
> >
> > I've tried exporting cn=groups tree from the old IPA server into a
> LDIF and imported to the new IPA server, but it did not solve the
> problem.
>
> Did your user-private groups migrate? Is there an htony group? What
is
> the group value in getent passwd htony?
>
> > For everything else, DNS, sudoers, automount, and etc, can I
> simply export from the old server and import into the new server?
>
> Probably. It's possible you might have to massage some of the entries
> but I don't know of anything specific.
>
> > I also have 100+ client machines, is there an easy way where I can
> unjoin the machines from old-ipa-server and then join to the
> new-ipa-server? (My infrastructure is Ansible-enabled)
> Take a look at the ansible-freeipa project (and not freeipa-ansible).
>
> rob
>
11:59 a.m.
HUANG, TONY wrote:
Rob,
I've tried the command from the website below with the same result.
Furthermore, at the FreeIPA to FreeIPA section it states "The command
doesn't migrate user private groups.", which is very strange, because my
migration becomes more complicated when i have to change group ownership
and potentially user files.
What means is that after migration the groups are no longer private.
They are regular groups.
Am i doing something wrong here?
What does the output of migrate-ds say about the missing groups?
rob
Thanks again for your help!
Tony
On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> Thanks for the reply.
>
> User Private Group didn't get migrated. When I login I see Group
number
> being a number.
>
> How do I migrate UPG over?
I don't see why they didn't migrate in the first place. Using your CLI
*only* groups migrated for me, not users, because of the error:
tuser: attribute "mepManagedEntry" not allowed
I'd suggest the migration command-line at
https://www.freeipa.org/page/Howto/Migration
rob
>
> Thanks very much!
>
>
> Tony
>
>
> On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> Tony Super via FreeIPA-users wrote:
> > Hello,
> >
> > I am trying to migrate from my an IPA server that has FIPS
> disabled to an IPA server that has FIPS enabled. Both the old and
> the new IPA will have DNS, CA, and etc.
> >
> > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts
> --group-objectclass=posixgroup
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://oldipa.server.com <http://oldipa.server.com>
<http://oldipa.server.com> However, when I
> login to a client machine connected to the new IPA server, my file
> ownership becomes htony : nobody.
> >
> > What steps have I missed within the migration process?
> >
> > I've tried exporting cn=groups tree from the old IPA server
into a
> LDIF and imported to the new IPA server, but it did not solve the
> problem.
>
> Did your user-private groups migrate? Is there an htony group?
What is
> the group value in getent passwd htony?
>
> > For everything else, DNS, sudoers, automount, and etc, can I
> simply export from the old server and import into the new server?
>
> Probably. It's possible you might have to massage some of the
entries
> but I don't know of anything specific.
>
> > I also have 100+ client machines, is there an easy way where
I can
> unjoin the machines from old-ipa-server and then join to the
> new-ipa-server? (My infrastructure is Ansible-enabled)
> Take a look at the ansible-freeipa project (and not
freeipa-ansible).
>
> rob
>
12:07 p.m.
I didn't get any errors regarding user private groups at all, and the UPGs
didn't even get migrated to become regular POSIX UNIX groups either. They
are just not there, so when I login I see a message complaining that
/usr/bin/id cannot find my group name.
I've tried importing the entire cn=groups, but it didn't solve the missing
UPG problem at all.
On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> Rob,
>
> I've tried the command from the website below with the same result.
> Furthermore, at the FreeIPA to FreeIPA section it states "The command
> doesn't migrate user private groups.", which is very strange, because my
> migration becomes more complicated when i have to change group ownership
> and potentially user files.
What means is that after migration the groups are no longer private.
They are regular groups.
> Am i doing something wrong here?
What does the output of migrate-ds say about the missing groups?
rob
>
> Thanks again for your help!
>
>
> Tony
>
>
> On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > Thanks for the reply.
> >
> > User Private Group didn't get migrated. When I login I see Group
> number
> > being a number.
> >
> > How do I migrate UPG over?
>
> I don't see why they didn't migrate in the first place. Using your
CLI
> *only* groups migrated for me, not users, because of the error:
>
> tuser: attribute "mepManagedEntry" not allowed
>
> I'd suggest the migration command-line at
> https://www.freeipa.org/page/Howto/Migration
>
> rob
>
> >
> > Thanks very much!
> >
> >
> > Tony
> >
> >
> > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
> >
> > Tony Super via FreeIPA-users wrote:
> > > Hello,
> > >
> > > I am trying to migrate from my an IPA server that has FIPS
> > disabled to an IPA server that has FIPS enabled. Both the old
and
> > the new IPA will have DNS, CA, and etc.
> > >
> > > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> > --user-container=cn=users,cn=accounts
> > --group-container=cn=groups,cn=accounts
> > --group-objectclass=posixgroup
> > --user-ignore-objectclass=mepOriginEntry --with-compat
> > ldap://oldipa.server.com <http://oldipa.server.com>
> <http://oldipa.server.com> However, when I
> > login to a client machine connected to the new IPA server, my
file
> > ownership becomes htony : nobody.
> > >
> > > What steps have I missed within the migration process?
> > >
> > > I've tried exporting cn=groups tree from the old IPA server
> into a
> > LDIF and imported to the new IPA server, but it did not solve
the
> > problem.
> >
> > Did your user-private groups migrate? Is there an htony group?
> What is
> > the group value in getent passwd htony?
> >
> > > For everything else, DNS, sudoers, automount, and etc, can I
> > simply export from the old server and import into the new
server?
> >
> > Probably. It's possible you might have to massage some of the
> entries
> > but I don't know of anything specific.
> >
> > > I also have 100+ client machines, is there an easy way where
> I can
> > unjoin the machines from old-ipa-server and then join to the
> > new-ipa-server? (My infrastructure is Ansible-enabled)
> > Take a look at the ansible-freeipa project (and not
> freeipa-ansible).
> >
> > rob
> >
>
12:25 p.m.
HUANG, TONY wrote:
I didn't get any errors regarding user private groups at all, and
the
UPGs didn't even get migrated to become regular POSIX UNIX groups
either. They are just not there, so when I login I see a message
complaining that /usr/bin/id cannot find my group name.
They may not be reported as errors, just part of the output.
You might also want to look at your private groups in the original IPA
to ensure they have the posixgroup objectclass. That is the search
filter being used.
rob
I've tried importing the entire cn=groups, but it didn't solve the
missing UPG problem at all.
On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
HUANG, TONY wrote:
> Rob,
>
> I've tried the command from the website below with the same result.
> Furthermore, at the FreeIPA to FreeIPA section it states "The command
> doesn't migrate user private groups.", which is very strange,
because my
> migration becomes more complicated when i have to change group
ownership
> and potentially user files.
What means is that after migration the groups are no longer private.
They are regular groups.
> Am i doing something wrong here?
What does the output of migrate-ds say about the missing groups?
rob
>
> Thanks again for your help!
>
>
> Tony
>
>
> On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > Thanks for the reply.
> >
> > User Private Group didn't get migrated. When I login I see Group
> number
> > being a number.
> >
> > How do I migrate UPG over?
>
> I don't see why they didn't migrate in the first place. Using
your CLI
> *only* groups migrated for me, not users, because of the error:
>
> tuser: attribute "mepManagedEntry" not allowed
>
> I'd suggest the migration command-line at
> https://www.freeipa.org/page/Howto/Migration
>
> rob
>
> >
> > Thanks very much!
> >
> >
> > Tony
> >
> >
> > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> wrote:
> >
> > Tony Super via FreeIPA-users wrote:
> > > Hello,
> > >
> > > I am trying to migrate from my an IPA server that has FIPS
> > disabled to an IPA server that has FIPS enabled. Both
the old and
> > the new IPA will have DNS, CA, and etc.
> > >
> > > I ran: ipa migrate-ds --bind-dn="cn=Directory
Manager"
> > --user-container=cn=users,cn=accounts
> > --group-container=cn=groups,cn=accounts
> > --group-objectclass=posixgroup
> > --user-ignore-objectclass=mepOriginEntry --with-compat
> > ldap://oldipa.server.com <http://oldipa.server.com>
<http://oldipa.server.com>
> <http://oldipa.server.com> However, when I
> > login to a client machine connected to the new IPA
server, my file
> > ownership becomes htony : nobody.
> > >
> > > What steps have I missed within the migration process?
> > >
> > > I've tried exporting cn=groups tree from the old IPA
server
> into a
> > LDIF and imported to the new IPA server, but it did not
solve the
> > problem.
> >
> > Did your user-private groups migrate? Is there an htony
group?
> What is
> > the group value in getent passwd htony?
> >
> > > For everything else, DNS, sudoers, automount, and etc,
can I
> > simply export from the old server and import into the
new server?
> >
> > Probably. It's possible you might have to massage some
of the
> entries
> > but I don't know of anything specific.
> >
> > > I also have 100+ client machines, is there an easy way
where
> I can
> > unjoin the machines from old-ipa-server and then join to the
> > new-ipa-server? (My infrastructure is Ansible-enabled)
> > Take a look at the ansible-freeipa project (and not
> freeipa-ansible).
> >
> > rob
> >
>
12:04 p.m.
Hi Rob,
I've asked Red Hat support, and the support engineer is telling me that it
doesn't support migrating of User Private Group and has pointed me over to
https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The support engineer is
also asking me to create new UPG.
Now my question is if ipa migrate-ds doesn't support migration of UPG, then
how do I move forward after running ipa migrate-ds? I currently have GIDs
that don't associate to usernames and group file ownership is nobody.
Looking to see if anyone in the community has done an IPA to IPA migration
...
Thanks!
On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> I didn't get any errors regarding user private groups at all, and the
> UPGs didn't even get migrated to become regular POSIX UNIX groups
> either. They are just not there, so when I login I see a message
> complaining that /usr/bin/id cannot find my group name.
They may not be reported as errors, just part of the output.
You might also want to look at your private groups in the original IPA
to ensure they have the posixgroup objectclass. That is the search
filter being used.
rob
>
> I've tried importing the entire cn=groups, but it didn't solve the
> missing UPG problem at all.
>
> On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> HUANG, TONY wrote:
> > Rob,
> >
> > I've tried the command from the website below with the same result.
> > Furthermore, at the FreeIPA to FreeIPA section it states "The
command
> > doesn't migrate user private groups.", which is very strange,
> because my
> > migration becomes more complicated when i have to change group
> ownership
> > and potentially user files.
>
> What means is that after migration the groups are no longer private.
> They are regular groups.
>
> > Am i doing something wrong here?
>
> What does the output of migrate-ds say about the missing groups?
>
> rob
>
> >
> > Thanks again for your help!
> >
> >
> > Tony
> >
> >
> > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
> >
> > HUANG, TONY wrote:
> > > Hi Rob,
> > >
> > > Thanks for the reply.
> > >
> > > User Private Group didn't get migrated. When I login I see
Group
> > number
> > > being a number.
> > >
> > > How do I migrate UPG over?
> >
> > I don't see why they didn't migrate in the first place. Using
> your CLI
> > *only* groups migrated for me, not users, because of the error:
> >
> > tuser: attribute "mepManagedEntry" not allowed
> >
> > I'd suggest the migration command-line at
> > https://www.freeipa.org/page/Howto/Migration
> >
> > rob
> >
> > >
> > > Thanks very much!
> > >
> > >
> > > Tony
> > >
> > >
> > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
wrote:
> > >
> > > Tony Super via FreeIPA-users wrote:
> > > > Hello,
> > > >
> > > > I am trying to migrate from my an IPA server that has
FIPS
> > > disabled to an IPA server that has FIPS enabled. Both
> the old and
> > > the new IPA will have DNS, CA, and etc.
> > > >
> > > > I ran: ipa migrate-ds --bind-dn="cn=Directory
Manager"
> > > --user-container=cn=users,cn=accounts
> > > --group-container=cn=groups,cn=accounts
> > > --group-objectclass=posixgroup
> > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > ldap://oldipa.server.com <http://oldipa.server.com>
> <http://oldipa.server.com>
> > <http://oldipa.server.com> However, when I
> > > login to a client machine connected to the new IPA
> server, my file
> > > ownership becomes htony : nobody.
> > > >
> > > > What steps have I missed within the migration process?
> > > >
> > > > I've tried exporting cn=groups tree from the old IPA
> server
> > into a
> > > LDIF and imported to the new IPA server, but it did not
> solve the
> > > problem.
> > >
> > > Did your user-private groups migrate? Is there an htony
> group?
> > What is
> > > the group value in getent passwd htony?
> > >
> > > > For everything else, DNS, sudoers, automount, and etc,
> can I
> > > simply export from the old server and import into the
> new server?
> > >
> > > Probably. It's possible you might have to massage some
> of the
> > entries
> > > but I don't know of anything specific.
> > >
> > > > I also have 100+ client machines, is there an easy way
> where
> > I can
> > > unjoin the machines from old-ipa-server and then join to
the
> > > new-ipa-server? (My infrastructure is Ansible-enabled)
> > > Take a look at the ansible-freeipa project (and not
> > freeipa-ansible).
> > >
> > > rob
> > >
> >
>
1:15 p.m.
HUANG, TONY wrote:
Hi Rob,
I've asked Red Hat support, and the support engineer is telling me that
it doesn't support migrating of User Private Group and has pointed me
over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The support
engineer is also asking me to create new UPG.
It's true that migrating UPG is not possible. The group is converted
into a standard group. You can't create UPG manually by default. I was
curious one day and worked out a way to re-attach a group, but that's a
different problem.
I don't think you've ever said which version of IPA you are migrating
from/to. Versions sometimes can make a big difference.
You also aren't saying what you are doing in between attempts. Are you
fully starting over in between executions or re-running migrate-ds? It
would be truly helpful to see the output of the command when groups fail
to migrate. If it fails it will say so. If it doesn't include the groups
at all then it isn't finding them.
migrate-ds doesn't do anything particularly complicated. It does LDAP
searches for the various objects. For group since you specified
--group-objectclass=posixaccount it's going to search for all of those.
This should be visible in your access log.
This works for me:
ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
--user-ignore-objectclass mepOriginEntry
--group-ignore-attribute=mepmanagedby
--group-ignore-objectclass=mepmanagedEntry --with-compat
ldap://ipa.example.test
Now my question is if ipa migrate-ds doesn't support migration of
UPG,
then how do I move forward after running ipa migrate-ds? I currently
have GIDs that don't associate to usernames and group file ownership is
nobody.
Like I said, it doesn't migrate UPG and continue to be UPG, but it will
migrate the groups.
Looking to see if anyone in the community has done an IPA to IPA
migration ...
Have you searched the list archives?
rob
Thanks!
On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
HUANG, TONY wrote:
> I didn't get any errors regarding user private groups at all, and the
> UPGs didn't even get migrated to become regular POSIX UNIX groups
> either. They are just not there, so when I login I see a message
> complaining that /usr/bin/id cannot find my group name.
They may not be reported as errors, just part of the output.
You might also want to look at your private groups in the original IPA
to ensure they have the posixgroup objectclass. That is the search
filter being used.
rob
>
> I've tried importing the entire cn=groups, but it didn't solve the
> missing UPG problem at all.
>
> On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> HUANG, TONY wrote:
> > Rob,
> >
> > I've tried the command from the website below with the same
result.
> > Furthermore, at the FreeIPA to FreeIPA section it states
"The command
> > doesn't migrate user private groups.", which is very strange,
> because my
> > migration becomes more complicated when i have to change group
> ownership
> > and potentially user files.
>
> What means is that after migration the groups are no longer
private.
> They are regular groups.
>
> > Am i doing something wrong here?
>
> What does the output of migrate-ds say about the missing groups?
>
> rob
>
> >
> > Thanks again for your help!
> >
> >
> > Tony
> >
> >
> > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> wrote:
> >
> > HUANG, TONY wrote:
> > > Hi Rob,
> > >
> > > Thanks for the reply.
> > >
> > > User Private Group didn't get migrated. When I login I
see Group
> > number
> > > being a number.
> > >
> > > How do I migrate UPG over?
> >
> > I don't see why they didn't migrate in the first place.
Using
> your CLI
> > *only* groups migrated for me, not users, because of the
error:
> >
> > tuser: attribute "mepManagedEntry" not allowed
> >
> > I'd suggest the migration command-line at
> > https://www.freeipa.org/page/Howto/Migration
> >
> > rob
> >
> > >
> > > Thanks very much!
> > >
> > >
> > > Tony
> > >
> > >
> > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
wrote:
> > >
> > > Tony Super via FreeIPA-users wrote:
> > > > Hello,
> > > >
> > > > I am trying to migrate from my an IPA server
that has FIPS
> > > disabled to an IPA server that has FIPS enabled. Both
> the old and
> > > the new IPA will have DNS, CA, and etc.
> > > >
> > > > I ran: ipa migrate-ds --bind-dn="cn=Directory
Manager"
> > > --user-container=cn=users,cn=accounts
> > > --group-container=cn=groups,cn=accounts
> > > --group-objectclass=posixgroup
> > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > ldap://oldipa.server.com
<http://oldipa.server.com> <http://oldipa.server.com>
> <http://oldipa.server.com>
> > <http://oldipa.server.com> However, when I
> > > login to a client machine connected to the new IPA
> server, my file
> > > ownership becomes htony : nobody.
> > > >
> > > > What steps have I missed within the migration
process?
> > > >
> > > > I've tried exporting cn=groups tree from the old
IPA
> server
> > into a
> > > LDIF and imported to the new IPA server, but it
did not
> solve the
> > > problem.
> > >
> > > Did your user-private groups migrate? Is there an
htony
> group?
> > What is
> > > the group value in getent passwd htony?
> > >
> > > > For everything else, DNS, sudoers, automount,
and etc,
> can I
> > > simply export from the old server and import into the
> new server?
> > >
> > > Probably. It's possible you might have to massage
some
> of the
> > entries
> > > but I don't know of anything specific.
> > >
> > > > I also have 100+ client machines, is there an
easy way
> where
> > I can
> > > unjoin the machines from old-ipa-server and then
join to the
> > > new-ipa-server? (My infrastructure is Ansible-enabled)
> > > Take a look at the ansible-freeipa project (and not
> > freeipa-ansible).
> > >
> > > rob
> > >
> >
>
2 p.m.
Hi Rob,
I have been starting from scratch. I will check my logs again. My
environment is disconnected from the Internet and I can't easily copy and
paste to the thread. My IPA version is the same going from the old to the
new (4.8 I believe). The reason I had to do IPA to IPA migration is because
my old one is not FIPS enabled where as my new one is FIPS enabled,
therefore, I can't just replicate it by promoting it
When your "ipa migrate-ds" worked for you, did you also get nobody as your
group ownership to the files in your home directory? Similar to when I
login to the client machine connected to the newly migrated IPA server, I
get /usr/bin/id Cannot find name with GID 6314001, and ls - l /home/htony
shows htony : nobody on all of my files and directories.
Red Hat support is telling me to delete the users and re-create them ..
which defeats the purpose of running ipa migrate-ds ... and I have many
users and home directories on a NFS share.
I am fine if there is no way to do this migration easily, but before coming
to that conclusion I am trying to find a way forward.
Thanks again!
--Tony
On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> I've asked Red Hat support, and the support engineer is telling me that
> it doesn't support migrating of User Private Group and has pointed me
> over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The support
> engineer is also asking me to create new UPG.
It's true that migrating UPG is not possible. The group is converted
into a standard group. You can't create UPG manually by default. I was
curious one day and worked out a way to re-attach a group, but that's a
different problem.
I don't think you've ever said which version of IPA you are migrating
from/to. Versions sometimes can make a big difference.
You also aren't saying what you are doing in between attempts. Are you
fully starting over in between executions or re-running migrate-ds? It
would be truly helpful to see the output of the command when groups fail
to migrate. If it fails it will say so. If it doesn't include the groups
at all then it isn't finding them.
migrate-ds doesn't do anything particularly complicated. It does LDAP
searches for the various objects. For group since you specified
--group-objectclass=posixaccount it's going to search for all of those.
This should be visible in your access log.
This works for me:
ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
--user-ignore-objectclass mepOriginEntry
--group-ignore-attribute=mepmanagedby
--group-ignore-objectclass=mepmanagedEntry --with-compat
ldap://ipa.example.test
> Now my question is if ipa migrate-ds doesn't support migration of UPG,
> then how do I move forward after running ipa migrate-ds? I currently
> have GIDs that don't associate to usernames and group file ownership is
> nobody.
Like I said, it doesn't migrate UPG and continue to be UPG, but it will
migrate the groups.
> Looking to see if anyone in the community has done an IPA to IPA
> migration ...
Have you searched the list archives?
rob
>
> Thanks!
>
> On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> HUANG, TONY wrote:
> > I didn't get any errors regarding user private groups at all, and
the
> > UPGs didn't even get migrated to become regular POSIX UNIX groups
> > either. They are just not there, so when I login I see a message
> > complaining that /usr/bin/id cannot find my group name.
>
> They may not be reported as errors, just part of the output.
>
> You might also want to look at your private groups in the original
IPA
> to ensure they have the posixgroup objectclass. That is the search
> filter being used.
>
> rob
>
> >
> > I've tried importing the entire cn=groups, but it didn't solve the
> > missing UPG problem at all.
> >
> > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
> >
> > HUANG, TONY wrote:
> > > Rob,
> > >
> > > I've tried the command from the website below with the same
> result.
> > > Furthermore, at the FreeIPA to FreeIPA section it states
> "The command
> > > doesn't migrate user private groups.", which is very
strange,
> > because my
> > > migration becomes more complicated when i have to change
group
> > ownership
> > > and potentially user files.
> >
> > What means is that after migration the groups are no longer
> private.
> > They are regular groups.
> >
> > > Am i doing something wrong here?
> >
> > What does the output of migrate-ds say about the missing
groups?
> >
> > rob
> >
> > >
> > > Thanks again for your help!
> > >
> > >
> > > Tony
> > >
> > >
> > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
wrote:
> > >
> > > HUANG, TONY wrote:
> > > > Hi Rob,
> > > >
> > > > Thanks for the reply.
> > > >
> > > > User Private Group didn't get migrated. When I login
I
> see Group
> > > number
> > > > being a number.
> > > >
> > > > How do I migrate UPG over?
> > >
> > > I don't see why they didn't migrate in the first
place.
> Using
> > your CLI
> > > *only* groups migrated for me, not users, because of the
> error:
> > >
> > > tuser: attribute "mepManagedEntry" not allowed
> > >
> > > I'd suggest the migration command-line at
> > > https://www.freeipa.org/page/Howto/Migration
> > >
> > > rob
> > >
> > > >
> > > > Thanks very much!
> > > >
> > > >
> > > > Tony
> > > >
> > > >
> > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>> wrote:
> > > >
> > > > Tony Super via FreeIPA-users wrote:
> > > > > Hello,
> > > > >
> > > > > I am trying to migrate from my an IPA server
> that has FIPS
> > > > disabled to an IPA server that has FIPS enabled.
Both
> > the old and
> > > > the new IPA will have DNS, CA, and etc.
> > > > >
> > > > > I ran: ipa migrate-ds
--bind-dn="cn=Directory
> Manager"
> > > > --user-container=cn=users,cn=accounts
> > > > --group-container=cn=groups,cn=accounts
> > > > --group-objectclass=posixgroup
> > > > --user-ignore-objectclass=mepOriginEntry
--with-compat
> > > > ldap://oldipa.server.com
> <http://oldipa.server.com> <http://oldipa.server.com>
> > <http://oldipa.server.com>
> > > <http://oldipa.server.com> However, when I
> > > > login to a client machine connected to the new IPA
> > server, my file
> > > > ownership becomes htony : nobody.
> > > > >
> > > > > What steps have I missed within the migration
> process?
> > > > >
> > > > > I've tried exporting cn=groups tree from the
old
IPA
> > server
> > > into a
> > > > LDIF and imported to the new IPA server, but it
> did not
> > solve the
> > > > problem.
> > > >
> > > > Did your user-private groups migrate? Is there an
> htony
> > group?
> > > What is
> > > > the group value in getent passwd htony?
> > > >
> > > > > For everything else, DNS, sudoers, automount,
> and etc,
> > can I
> > > > simply export from the old server and import into
the
> > new server?
> > > >
> > > > Probably. It's possible you might have to
massage
some
> > of the
> > > entries
> > > > but I don't know of anything specific.
> > > >
> > > > > I also have 100+ client machines, is there an
> easy way
> > where
> > > I can
> > > > unjoin the machines from old-ipa-server and then
> join to the
> > > > new-ipa-server? (My infrastructure is
Ansible-enabled)
> > > > Take a look at the ansible-freeipa project (and not
> > > freeipa-ansible).
> > > >
> > > > rob
> > > >
> > >
> >
>
12:11 p.m.
HUANG, TONY wrote:
Hi Rob,
I have been starting from scratch. I will check my logs again. My
environment is disconnected from the Internet and I can't easily copy
and paste to the thread. My IPA version is the same going from the old
to the new (4.8 I believe). The reason I had to do IPA to IPA migration
is because my old one is not FIPS enabled where as my new one is FIPS
enabled, therefore, I can't just replicate it by promoting it
When your "ipa migrate-ds" worked for you, did you also get nobody as
your group ownership to the files in your home directory? Similar to
when I login to the client machine connected to the newly migrated IPA
server, I get /usr/bin/id Cannot find name with GID 6314001, and ls - l
/home/htony shows htony : nobody on all of my files and directories.
No, everything is looking fine. The nss commands like getent and id all
show the properly resolved group names.
Red Hat support is telling me to delete the users and re-create them
..
which defeats the purpose of running ipa migrate-ds ... and I have many
users and home directories on a NFS share.
They may be confused by UPG. There currently no way to add a UPG to an
existing user, so re-creating the user is the only way.
I am fine if there is no way to do this migration easily, but before
coming to that conclusion I am trying to find a way forward.
It's hard to help without seeing what is going on beyond the symptom.
Like I said, the migration cli I provided works for me.
rob
Thanks again!
--Tony
On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> I've asked Red Hat support, and the support engineer is telling me
that
> it doesn't support migrating of User Private Group and has pointed me
> over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The
support
> engineer is also asking me to create new UPG.
It's true that migrating UPG is not possible. The group is converted
into a standard group. You can't create UPG manually by default. I was
curious one day and worked out a way to re-attach a group, but that's a
different problem.
I don't think you've ever said which version of IPA you are migrating
from/to. Versions sometimes can make a big difference.
You also aren't saying what you are doing in between attempts. Are you
fully starting over in between executions or re-running migrate-ds? It
would be truly helpful to see the output of the command when groups fail
to migrate. If it fails it will say so. If it doesn't include the groups
at all then it isn't finding them.
migrate-ds doesn't do anything particularly complicated. It does LDAP
searches for the various objects. For group since you specified
--group-objectclass=posixaccount it's going to search for all of those.
This should be visible in your access log.
This works for me:
ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
--user-ignore-objectclass mepOriginEntry
--group-ignore-attribute=mepmanagedby
--group-ignore-objectclass=mepmanagedEntry --with-compat
ldap://ipa.example.test
> Now my question is if ipa migrate-ds doesn't support migration of UPG,
> then how do I move forward after running ipa migrate-ds? I currently
> have GIDs that don't associate to usernames and group file
ownership is
> nobody.
Like I said, it doesn't migrate UPG and continue to be UPG, but it will
migrate the groups.
> Looking to see if anyone in the community has done an IPA to IPA
> migration ...
Have you searched the list archives?
rob
>
> Thanks!
>
> On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> HUANG, TONY wrote:
> > I didn't get any errors regarding user private groups at
all, and the
> > UPGs didn't even get migrated to become regular POSIX UNIX
groups
> > either. They are just not there, so when I login I see a message
> > complaining that /usr/bin/id cannot find my group name.
>
> They may not be reported as errors, just part of the output.
>
> You might also want to look at your private groups in the
original IPA
> to ensure they have the posixgroup objectclass. That is the search
> filter being used.
>
> rob
>
> >
> > I've tried importing the entire cn=groups, but it didn't
solve the
> > missing UPG problem at all.
> >
> > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> wrote:
> >
> > HUANG, TONY wrote:
> > > Rob,
> > >
> > > I've tried the command from the website below with the
same
> result.
> > > Furthermore, at the FreeIPA to FreeIPA section it states
> "The command
> > > doesn't migrate user private groups.", which is
very strange,
> > because my
> > > migration becomes more complicated when i have to
change group
> > ownership
> > > and potentially user files.
> >
> > What means is that after migration the groups are no longer
> private.
> > They are regular groups.
> >
> > > Am i doing something wrong here?
> >
> > What does the output of migrate-ds say about the missing
groups?
> >
> > rob
> >
> > >
> > > Thanks again for your help!
> > >
> > >
> > > Tony
> > >
> > >
> > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
wrote:
> > >
> > > HUANG, TONY wrote:
> > > > Hi Rob,
> > > >
> > > > Thanks for the reply.
> > > >
> > > > User Private Group didn't get migrated. When I
login I
> see Group
> > > number
> > > > being a number.
> > > >
> > > > How do I migrate UPG over?
> > >
> > > I don't see why they didn't migrate in the first
place.
> Using
> > your CLI
> > > *only* groups migrated for me, not users, because
of the
> error:
> > >
> > > tuser: attribute "mepManagedEntry" not
allowed
> > >
> > > I'd suggest the migration command-line at
> > > https://www.freeipa.org/page/Howto/Migration
> > >
> > > rob
> > >
> > > >
> > > > Thanks very much!
> > > >
> > > >
> > > > Tony
> > > >
> > > >
> > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>>
wrote:
> > > >
> > > > Tony Super via FreeIPA-users wrote:
> > > > > Hello,
> > > > >
> > > > > I am trying to migrate from my an IPA
server
> that has FIPS
> > > > disabled to an IPA server that has FIPS
enabled. Both
> > the old and
> > > > the new IPA will have DNS, CA, and etc.
> > > > >
> > > > > I ran: ipa migrate-ds
--bind-dn="cn=Directory
> Manager"
> > > > --user-container=cn=users,cn=accounts
> > > > --group-container=cn=groups,cn=accounts
> > > > --group-objectclass=posixgroup
> > > > --user-ignore-objectclass=mepOriginEntry
--with-compat
> > > > ldap://oldipa.server.com
<http://oldipa.server.com>
> <http://oldipa.server.com> <http://oldipa.server.com>
> > <http://oldipa.server.com>
> > > <http://oldipa.server.com> However, when I
> > > > login to a client machine connected to the
new IPA
> > server, my file
> > > > ownership becomes htony : nobody.
> > > > >
> > > > > What steps have I missed within the
migration
> process?
> > > > >
> > > > > I've tried exporting cn=groups tree
from
the old IPA
> > server
> > > into a
> > > > LDIF and imported to the new IPA server, but it
> did not
> > solve the
> > > > problem.
> > > >
> > > > Did your user-private groups migrate? Is
there an
> htony
> > group?
> > > What is
> > > > the group value in getent passwd htony?
> > > >
> > > > > For everything else, DNS, sudoers,
automount,
> and etc,
> > can I
> > > > simply export from the old server and import
into the
> > new server?
> > > >
> > > > Probably. It's possible you might have to
massage some
> > of the
> > > entries
> > > > but I don't know of anything specific.
> > > >
> > > > > I also have 100+ client machines, is there
an
> easy way
> > where
> > > I can
> > > > unjoin the machines from old-ipa-server and then
> join to the
> > > > new-ipa-server? (My infrastructure is
Ansible-enabled)
> > > > Take a look at the ansible-freeipa project
(and not
> > > freeipa-ansible).
> > > >
> > > > rob
> > > >
> > >
> >
>
12:45 p.m.
Hi Rob,
Just curious, does your old-ipa-server have User Private Group disabled or
enabled? Same question goes for your newly migrated IPA server.
I may end up disabling the use of User Private Group on the new server and
default everyone to "ipausers" Group.
I'll see what I can do about getting the logs out.
Thanks very much Rob!
Tony
On Wed, Apr 12, 2023, 10:11 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> I have been starting from scratch. I will check my logs again. My
> environment is disconnected from the Internet and I can't easily copy
> and paste to the thread. My IPA version is the same going from the old
> to the new (4.8 I believe). The reason I had to do IPA to IPA migration
> is because my old one is not FIPS enabled where as my new one is FIPS
> enabled, therefore, I can't just replicate it by promoting it
>
> When your "ipa migrate-ds" worked for you, did you also get nobody as
> your group ownership to the files in your home directory? Similar to
> when I login to the client machine connected to the newly migrated IPA
> server, I get /usr/bin/id Cannot find name with GID 6314001, and ls - l
> /home/htony shows htony : nobody on all of my files and directories.
No, everything is looking fine. The nss commands like getent and id all
show the properly resolved group names.
> Red Hat support is telling me to delete the users and re-create them ..
> which defeats the purpose of running ipa migrate-ds ... and I have many
> users and home directories on a NFS share.
They may be confused by UPG. There currently no way to add a UPG to an
existing user, so re-creating the user is the only way.
> I am fine if there is no way to do this migration easily, but before
> coming to that conclusion I am trying to find a way forward.
It's hard to help without seeing what is going on beyond the symptom.
Like I said, the migration cli I provided works for me.
rob
>
> Thanks again!
>
> --Tony
>
>
> On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I've asked Red Hat support, and the support engineer is telling me
> that
> > it doesn't support migrating of User Private Group and has pointed
me
> > over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The
> support
> > engineer is also asking me to create new UPG.
>
> It's true that migrating UPG is not possible. The group is converted
> into a standard group. You can't create UPG manually by default. I
was
> curious one day and worked out a way to re-attach a group, but
that's a
> different problem.
>
> I don't think you've ever said which version of IPA you are migrating
> from/to. Versions sometimes can make a big difference.
>
> You also aren't saying what you are doing in between attempts. Are
you
> fully starting over in between executions or re-running migrate-ds?
It
> would be truly helpful to see the output of the command when groups
fail
> to migrate. If it fails it will say so. If it doesn't include the
groups
> at all then it isn't finding them.
>
> migrate-ds doesn't do anything particularly complicated. It does LDAP
> searches for the various objects. For group since you specified
> --group-objectclass=posixaccount it's going to search for all of
those.
> This should be visible in your access log.
>
> This works for me:
>
> ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts
--group-objectclass=posixgroup
>
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass mepOriginEntry
> --group-ignore-attribute=mepmanagedby
> --group-ignore-objectclass=mepmanagedEntry --with-compat
> ldap://ipa.example.test
>
> > Now my question is if ipa migrate-ds doesn't support migration of
UPG,
> > then how do I move forward after running ipa migrate-ds? I
currently
> > have GIDs that don't associate to usernames and group file
> ownership is
> > nobody.
>
> Like I said, it doesn't migrate UPG and continue to be UPG, but it
will
> migrate the groups.
>
> > Looking to see if anyone in the community has done an IPA to IPA
> > migration ...
>
> Have you searched the list archives?
>
> rob
>
> >
> > Thanks!
> >
> > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
> >
> > HUANG, TONY wrote:
> > > I didn't get any errors regarding user private groups at
> all, and the
> > > UPGs didn't even get migrated to become regular POSIX UNIX
> groups
> > > either. They are just not there, so when I login I see a
message
> > > complaining that /usr/bin/id cannot find my group name.
> >
> > They may not be reported as errors, just part of the output.
> >
> > You might also want to look at your private groups in the
> original IPA
> > to ensure they have the posixgroup objectclass. That is the
search
> > filter being used.
> >
> > rob
> >
> > >
> > > I've tried importing the entire cn=groups, but it didn't
> solve the
> > > missing UPG problem at all.
> > >
> > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
wrote:
> > >
> > > HUANG, TONY wrote:
> > > > Rob,
> > > >
> > > > I've tried the command from the website below with
the
> same
> > result.
> > > > Furthermore, at the FreeIPA to FreeIPA section it
states
> > "The command
> > > > doesn't migrate user private groups.", which is
> very strange,
> > > because my
> > > > migration becomes more complicated when i have to
> change group
> > > ownership
> > > > and potentially user files.
> > >
> > > What means is that after migration the groups are no
longer
> > private.
> > > They are regular groups.
> > >
> > > > Am i doing something wrong here?
> > >
> > > What does the output of migrate-ds say about the missing
> groups?
> > >
> > > rob
> > >
> > > >
> > > > Thanks again for your help!
> > > >
> > > >
> > > > Tony
> > > >
> > > >
> > > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>> wrote:
> > > >
> > > > HUANG, TONY wrote:
> > > > > Hi Rob,
> > > > >
> > > > > Thanks for the reply.
> > > > >
> > > > > User Private Group didn't get migrated. When
I
> login I
> > see Group
> > > > number
> > > > > being a number.
> > > > >
> > > > > How do I migrate UPG over?
> > > >
> > > > I don't see why they didn't migrate in the
first
> place.
> > Using
> > > your CLI
> > > > *only* groups migrated for me, not users, because
> of the
> > error:
> > > >
> > > > tuser: attribute "mepManagedEntry" not
allowed
> > > >
> > > > I'd suggest the migration command-line at
> > > > https://www.freeipa.org/page/Howto/Migration
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thanks very much!
> > > > >
> > > > >
> > > > > Tony
> > > > >
> > > > >
> > > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden
> > > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>> wrote:
> > > > >
> > > > > Tony Super via FreeIPA-users wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I am trying to migrate from my an IPA
server
> > that has FIPS
> > > > > disabled to an IPA server that has FIPS
> enabled. Both
> > > the old and
> > > > > the new IPA will have DNS, CA, and etc.
> > > > > >
> > > > > > I ran: ipa migrate-ds
--bind-dn="cn=Directory
> > Manager"
> > > > > --user-container=cn=users,cn=accounts
> > > > > --group-container=cn=groups,cn=accounts
> > > > > --group-objectclass=posixgroup
> > > > > --user-ignore-objectclass=mepOriginEntry
> --with-compat
> > > > > ldap://oldipa.server.com
> <http://oldipa.server.com>
> > <http://oldipa.server.com> <http://oldipa.server.com>
> > > <http://oldipa.server.com>
> > > > <http://oldipa.server.com> However, when I
> > > > > login to a client machine connected to the
> new IPA
> > > server, my file
> > > > > ownership becomes htony : nobody.
> > > > > >
> > > > > > What steps have I missed within the
migration
> > process?
> > > > > >
> > > > > > I've tried exporting cn=groups tree
from
> the old IPA
> > > server
> > > > into a
> > > > > LDIF and imported to the new IPA server,
but
it
> > did not
> > > solve the
> > > > > problem.
> > > > >
> > > > > Did your user-private groups migrate? Is
> there an
> > htony
> > > group?
> > > > What is
> > > > > the group value in getent passwd htony?
> > > > >
> > > > > > For everything else, DNS, sudoers,
automount,
> > and etc,
> > > can I
> > > > > simply export from the old server and
import
> into the
> > > new server?
> > > > >
> > > > > Probably. It's possible you might have
to
> massage some
> > > of the
> > > > entries
> > > > > but I don't know of anything specific.
> > > > >
> > > > > > I also have 100+ client machines, is
there
an
> > easy way
> > > where
> > > > I can
> > > > > unjoin the machines from old-ipa-server and
then
> > join to the
> > > > > new-ipa-server? (My infrastructure is
> Ansible-enabled)
> > > > > Take a look at the ansible-freeipa project
> (and not
> > > > freeipa-ansible).
> > > > >
> > > > > rob
> > > > >
> > > >
> > >
> >
>
8:39 a.m.
HUANG, TONY wrote:
Hi Rob,
Just curious, does your old-ipa-server have User Private Group disabled
or enabled? Same question goes for your newly migrated IPA server.
Enabled on both.
I may end up disabling the use of User Private Group on the new
server
and default everyone to "ipausers" Group.
I wouldn't get hung up on UPG. Internally it's a bit of a trick to have
a group without allowing other members. The user and group are linked by
the 389-ds managed entry plugin so that if owner (user) is removed, the
group goes with it.
Migration doesn't know how to deal with this, because it's IPA-specific
and it is more geared towards generic LDAP, so the mep* attributes and
objectclasses need to be dropped and it essentially converts the private
group into a general one.
But this isn't your problem, I don't think. What you've been saying is
that the groups don't transfer at all.
rob
I'll see what I can do about getting the logs out.
Thanks very much Rob!
Tony
On Wed, Apr 12, 2023, 10:11 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> I have been starting from scratch. I will check my logs again. My
> environment is disconnected from the Internet and I can't easily copy
> and paste to the thread. My IPA version is the same going from the old
> to the new (4.8 I believe). The reason I had to do IPA to IPA
migration
> is because my old one is not FIPS enabled where as my new one is FIPS
> enabled, therefore, I can't just replicate it by promoting it
>
> When your "ipa migrate-ds" worked for you, did you also get nobody as
> your group ownership to the files in your home directory? Similar to
> when I login to the client machine connected to the newly migrated IPA
> server, I get /usr/bin/id Cannot find name with GID 6314001, and
ls - l
> /home/htony shows htony : nobody on all of my files and directories.
No, everything is looking fine. The nss commands like getent and id all
show the properly resolved group names.
> Red Hat support is telling me to delete the users and re-create
them ..
> which defeats the purpose of running ipa migrate-ds ... and I have
many
> users and home directories on a NFS share.
They may be confused by UPG. There currently no way to add a UPG to an
existing user, so re-creating the user is the only way.
> I am fine if there is no way to do this migration easily, but before
> coming to that conclusion I am trying to find a way forward.
It's hard to help without seeing what is going on beyond the symptom.
Like I said, the migration cli I provided works for me.
rob
>
> Thanks again!
>
> --Tony
>
>
> On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I've asked Red Hat support, and the support engineer is
telling me
> that
> > it doesn't support migrating of User Private Group and has
pointed me
> > over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The
> support
> > engineer is also asking me to create new UPG.
>
> It's true that migrating UPG is not possible. The group is
converted
> into a standard group. You can't create UPG manually by
default. I was
> curious one day and worked out a way to re-attach a group, but
that's a
> different problem.
>
> I don't think you've ever said which version of IPA you are
migrating
> from/to. Versions sometimes can make a big difference.
>
> You also aren't saying what you are doing in between attempts.
Are you
> fully starting over in between executions or re-running
migrate-ds? It
> would be truly helpful to see the output of the command when
groups fail
> to migrate. If it fails it will say so. If it doesn't include
the groups
> at all then it isn't finding them.
>
> migrate-ds doesn't do anything particularly complicated. It
does LDAP
> searches for the various objects. For group since you specified
> --group-objectclass=posixaccount it's going to search for all
of those.
> This should be visible in your access log.
>
> This works for me:
>
> ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts
--group-objectclass=posixgroup
>
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass mepOriginEntry
> --group-ignore-attribute=mepmanagedby
> --group-ignore-objectclass=mepmanagedEntry --with-compat
> ldap://ipa.example.test
>
> > Now my question is if ipa migrate-ds doesn't support
migration of UPG,
> > then how do I move forward after running ipa migrate-ds? I
currently
> > have GIDs that don't associate to usernames and group file
> ownership is
> > nobody.
>
> Like I said, it doesn't migrate UPG and continue to be UPG,
but it will
> migrate the groups.
>
> > Looking to see if anyone in the community has done an IPA to IPA
> > migration ...
>
> Have you searched the list archives?
>
> rob
>
> >
> > Thanks!
> >
> > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> wrote:
> >
> > HUANG, TONY wrote:
> > > I didn't get any errors regarding user private groups at
> all, and the
> > > UPGs didn't even get migrated to become regular POSIX
UNIX
> groups
> > > either. They are just not there, so when I login I see
a message
> > > complaining that /usr/bin/id cannot find my group name.
> >
> > They may not be reported as errors, just part of the output.
> >
> > You might also want to look at your private groups in the
> original IPA
> > to ensure they have the posixgroup objectclass. That is
the search
> > filter being used.
> >
> > rob
> >
> > >
> > > I've tried importing the entire cn=groups, but it
didn't
> solve the
> > > missing UPG problem at all.
> > >
> > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
wrote:
> > >
> > > HUANG, TONY wrote:
> > > > Rob,
> > > >
> > > > I've tried the command from the website below
with the
> same
> > result.
> > > > Furthermore, at the FreeIPA to FreeIPA section
it states
> > "The command
> > > > doesn't migrate user private groups.", which
is
> very strange,
> > > because my
> > > > migration becomes more complicated when i have to
> change group
> > > ownership
> > > > and potentially user files.
> > >
> > > What means is that after migration the groups are
no longer
> > private.
> > > They are regular groups.
> > >
> > > > Am i doing something wrong here?
> > >
> > > What does the output of migrate-ds say about the
missing
> groups?
> > >
> > > rob
> > >
> > > >
> > > > Thanks again for your help!
> > > >
> > > >
> > > > Tony
> > > >
> > > >
> > > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>>
wrote:
> > > >
> > > > HUANG, TONY wrote:
> > > > > Hi Rob,
> > > > >
> > > > > Thanks for the reply.
> > > > >
> > > > > User Private Group didn't get migrated.
When I
> login I
> > see Group
> > > > number
> > > > > being a number.
> > > > >
> > > > > How do I migrate UPG over?
> > > >
> > > > I don't see why they didn't migrate in
the first
> place.
> > Using
> > > your CLI
> > > > *only* groups migrated for me, not users,
because
> of the
> > error:
> > > >
> > > > tuser: attribute "mepManagedEntry"
not allowed
> > > >
> > > > I'd suggest the migration command-line at
> > > > https://www.freeipa.org/page/Howto/Migration
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thanks very much!
> > > > >
> > > > >
> > > > > Tony
> > > > >
> > > > >
> > > > > On Mon, Apr 10, 2023, 7:34 AM Rob
Crittenden
> > > <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
> > > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>>> wrote:
> > > > >
> > > > > Tony Super via FreeIPA-users wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I am trying to migrate from my an
IPA server
> > that has FIPS
> > > > > disabled to an IPA server that has FIPS
> enabled. Both
> > > the old and
> > > > > the new IPA will have DNS, CA, and etc.
> > > > > >
> > > > > > I ran: ipa migrate-ds
--bind-dn="cn=Directory
> > Manager"
> > > > > --user-container=cn=users,cn=accounts
> > > > > --group-container=cn=groups,cn=accounts
> > > > > --group-objectclass=posixgroup
> > > > >
--user-ignore-objectclass=mepOriginEntry
> --with-compat
> > > > > ldap://oldipa.server.com
<http://oldipa.server.com>
> <http://oldipa.server.com>
> > <http://oldipa.server.com> <http://oldipa.server.com>
> > > <http://oldipa.server.com>
> > > > <http://oldipa.server.com> However, when I
> > > > > login to a client machine connected to
the
> new IPA
> > > server, my file
> > > > > ownership becomes htony : nobody.
> > > > > >
> > > > > > What steps have I missed within
the
migration
> > process?
> > > > > >
> > > > > > I've tried exporting cn=groups
tree from
> the old IPA
> > > server
> > > > into a
> > > > > LDIF and imported to the new IPA
server, but it
> > did not
> > > solve the
> > > > > problem.
> > > > >
> > > > > Did your user-private groups migrate?
Is
> there an
> > htony
> > > group?
> > > > What is
> > > > > the group value in getent passwd htony?
> > > > >
> > > > > > For everything else, DNS, sudoers,
automount,
> > and etc,
> > > can I
> > > > > simply export from the old server and
import
> into the
> > > new server?
> > > > >
> > > > > Probably. It's possible you might
have to
> massage some
> > > of the
> > > > entries
> > > > > but I don't know of anything
specific.
> > > > >
> > > > > > I also have 100+ client machines,
is
there an
> > easy way
> > > where
> > > > I can
> > > > > unjoin the machines from
old-ipa-server and then
> > join to the
> > > > > new-ipa-server? (My infrastructure is
> Ansible-enabled)
> > > > > Take a look at the ansible-freeipa
project
> (and not
> > > > freeipa-ansible).
> > > > >
> > > > > rob
> > > > >
> > > >
> > >
> >
>
1:06 a.m.
Hello Rob,
I just want to provide feedback that your command worked. I must have done
something wrong initially. I am able to migrate all of the user private
groups over to the new IPA - although it all became regular POSIX groups,
at least I don't have to change permissions for 500+ users. Thanks very
much!
Now my next goal is to try to do "ipa migrate-ds ..." into an Ansible task
after a brand new IPA server install. Will be interesting to see how I can
run this in an idempotent way ...
Thanks Rob!
--Tony
On Thu, Apr 13, 2023 at 6:39 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> Just curious, does your old-ipa-server have User Private Group disabled
> or enabled? Same question goes for your newly migrated IPA server.
Enabled on both.
> I may end up disabling the use of User Private Group on the new server
> and default everyone to "ipausers" Group.
I wouldn't get hung up on UPG. Internally it's a bit of a trick to have
a group without allowing other members. The user and group are linked by
the 389-ds managed entry plugin so that if owner (user) is removed, the
group goes with it.
Migration doesn't know how to deal with this, because it's IPA-specific
and it is more geared towards generic LDAP, so the mep* attributes and
objectclasses need to be dropped and it essentially converts the private
group into a general one.
But this isn't your problem, I don't think. What you've been saying is
that the groups don't transfer at all.
rob
> I'll see what I can do about getting the logs out.
>
> Thanks very much Rob!
>
>
> Tony
>
> On Wed, Apr 12, 2023, 10:11 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I have been starting from scratch. I will check my logs again. My
> > environment is disconnected from the Internet and I can't easily
copy
> > and paste to the thread. My IPA version is the same going from the
old
> > to the new (4.8 I believe). The reason I had to do IPA to IPA
> migration
> > is because my old one is not FIPS enabled where as my new one is
FIPS
> > enabled, therefore, I can't just replicate it by promoting it
> >
> > When your "ipa migrate-ds" worked for you, did you also get
nobody
as
> > your group ownership to the files in your home directory? Similar
to
> > when I login to the client machine connected to the newly migrated
IPA
> > server, I get /usr/bin/id Cannot find name with GID 6314001, and
> ls - l
> > /home/htony shows htony : nobody on all of my files and
directories.
>
> No, everything is looking fine. The nss commands like getent and id
all
> show the properly resolved group names.
>
> > Red Hat support is telling me to delete the users and re-create
> them ..
> > which defeats the purpose of running ipa migrate-ds ... and I have
> many
> > users and home directories on a NFS share.
>
> They may be confused by UPG. There currently no way to add a UPG to
an
> existing user, so re-creating the user is the only way.
>
> > I am fine if there is no way to do this migration easily, but
before
> > coming to that conclusion I am trying to find a way forward.
>
> It's hard to help without seeing what is going on beyond the symptom.
> Like I said, the migration cli I provided works for me.
>
> rob
>
> >
> > Thanks again!
> >
> > --Tony
> >
> >
> > On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
> >
> > HUANG, TONY wrote:
> > > Hi Rob,
> > >
> > > I've asked Red Hat support, and the support engineer is
> telling me
> > that
> > > it doesn't support migrating of User Private Group and has
> pointed me
> > > over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536
The
> > support
> > > engineer is also asking me to create new UPG.
> >
> > It's true that migrating UPG is not possible. The group is
> converted
> > into a standard group. You can't create UPG manually by
> default. I was
> > curious one day and worked out a way to re-attach a group, but
> that's a
> > different problem.
> >
> > I don't think you've ever said which version of IPA you are
> migrating
> > from/to. Versions sometimes can make a big difference.
> >
> > You also aren't saying what you are doing in between attempts.
> Are you
> > fully starting over in between executions or re-running
> migrate-ds? It
> > would be truly helpful to see the output of the command when
> groups fail
> > to migrate. If it fails it will say so. If it doesn't include
> the groups
> > at all then it isn't finding them.
> >
> > migrate-ds doesn't do anything particularly complicated. It
> does LDAP
> > searches for the various objects. For group since you specified
> > --group-objectclass=posixaccount it's going to search for all
> of those.
> > This should be visible in your access log.
> >
> > This works for me:
> >
> > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > --user-container=cn=users,cn=accounts
> > --group-container=cn=groups,cn=accounts
> --group-objectclass=posixgroup
> >
>
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > --user-ignore-objectclass mepOriginEntry
> > --group-ignore-attribute=mepmanagedby
> > --group-ignore-objectclass=mepmanagedEntry --with-compat
> > ldap://ipa.example.test
> >
> > > Now my question is if ipa migrate-ds doesn't support
> migration of UPG,
> > > then how do I move forward after running ipa migrate-ds? I
> currently
> > > have GIDs that don't associate to usernames and group file
> > ownership is
> > > nobody.
> >
> > Like I said, it doesn't migrate UPG and continue to be UPG,
> but it will
> > migrate the groups.
> >
> > > Looking to see if anyone in the community has done an IPA to
IPA
> > > migration ...
> >
> > Have you searched the list archives?
> >
> > rob
> >
> > >
> > > Thanks!
> > >
> > > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
wrote:
> > >
> > > HUANG, TONY wrote:
> > > > I didn't get any errors regarding user private
groups
at
> > all, and the
> > > > UPGs didn't even get migrated to become regular
POSIX
UNIX
> > groups
> > > > either. They are just not there, so when I login I see
> a message
> > > > complaining that /usr/bin/id cannot find my group name.
> > >
> > > They may not be reported as errors, just part of the
output.
> > >
> > > You might also want to look at your private groups in the
> > original IPA
> > > to ensure they have the posixgroup objectclass. That is
> the search
> > > filter being used.
> > >
> > > rob
> > >
> > > >
> > > > I've tried importing the entire cn=groups, but it
didn't
> > solve the
> > > > missing UPG problem at all.
> > > >
> > > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>> wrote:
> > > >
> > > > HUANG, TONY wrote:
> > > > > Rob,
> > > > >
> > > > > I've tried the command from the website
below
> with the
> > same
> > > result.
> > > > > Furthermore, at the FreeIPA to FreeIPA section
> it states
> > > "The command
> > > > > doesn't migrate user private groups.",
which is
> > very strange,
> > > > because my
> > > > > migration becomes more complicated when i have
to
> > change group
> > > > ownership
> > > > > and potentially user files.
> > > >
> > > > What means is that after migration the groups are
> no longer
> > > private.
> > > > They are regular groups.
> > > >
> > > > > Am i doing something wrong here?
> > > >
> > > > What does the output of migrate-ds say about the
> missing
> > groups?
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thanks again for your help!
> > > > >
> > > > >
> > > > > Tony
> > > > >
> > > > >
> > > > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden
> > > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>> wrote:
> > > > >
> > > > > HUANG, TONY wrote:
> > > > > > Hi Rob,
> > > > > >
> > > > > > Thanks for the reply.
> > > > > >
> > > > > > User Private Group didn't get
migrated.
When I
> > login I
> > > see Group
> > > > > number
> > > > > > being a number.
> > > > > >
> > > > > > How do I migrate UPG over?
> > > > >
> > > > > I don't see why they didn't migrate
in the
first
> > place.
> > > Using
> > > > your CLI
> > > > > *only* groups migrated for me, not users,
> because
> > of the
> > > error:
> > > > >
> > > > > tuser: attribute
"mepManagedEntry" not
allowed
> > > > >
> > > > > I'd suggest the migration command-line
at
> > > > >
https://www.freeipa.org/page/Howto/Migration
> > > > >
> > > > > rob
> > > > >
> > > > > >
> > > > > > Thanks very much!
> > > > > >
> > > > > >
> > > > > > Tony
> > > > > >
> > > > > >
> > > > > > On Mon, Apr 10, 2023, 7:34 AM Rob
Crittenden
> > > > <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>
> > > > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
> <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>>>
wrote:
> > > > > >
> > > > > > Tony Super via FreeIPA-users
wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am trying to migrate from my
an
> IPA server
> > > that has FIPS
> > > > > > disabled to an IPA server that has
FIPS
> > enabled. Both
> > > > the old and
> > > > > > the new IPA will have DNS, CA, and
etc.
> > > > > > >
> > > > > > > I ran: ipa migrate-ds
> --bind-dn="cn=Directory
> > > Manager"
> > > > > >
--user-container=cn=users,cn=accounts
> > > > > >
--group-container=cn=groups,cn=accounts
> > > > > > --group-objectclass=posixgroup
> > > > > >
--user-ignore-objectclass=mepOriginEntry
> > --with-compat
> > > > > > ldap://oldipa.server.com
> <http://oldipa.server.com>
> > <http://oldipa.server.com>
> > > <http://oldipa.server.com>
<http://oldipa.server.com>
> > > > <http://oldipa.server.com>
> > > > > <http://oldipa.server.com> However,
when I
> > > > > > login to a client machine connected
to
the
> > new IPA
> > > > server, my file
> > > > > > ownership becomes htony : nobody.
> > > > > > >
> > > > > > > What steps have I missed
within the
> migration
> > > process?
> > > > > > >
> > > > > > > I've tried exporting
cn=groups tree
from
> > the old IPA
> > > > server
> > > > > into a
> > > > > > LDIF and imported to the new IPA
> server, but it
> > > did not
> > > > solve the
> > > > > > problem.
> > > > > >
> > > > > > Did your user-private groups
migrate?
Is
> > there an
> > > htony
> > > > group?
> > > > > What is
> > > > > > the group value in getent passwd
htony?
> > > > > >
> > > > > > > For everything else, DNS,
sudoers,
> automount,
> > > and etc,
> > > > can I
> > > > > > simply export from the old server
and
> import
> > into the
> > > > new server?
> > > > > >
> > > > > > Probably. It's possible you
might have
to
> > massage some
> > > > of the
> > > > > entries
> > > > > > but I don't know of anything
specific.
> > > > > >
> > > > > > > I also have 100+ client
machines, is
> there an
> > > easy way
> > > > where
> > > > > I can
> > > > > > unjoin the machines from
> old-ipa-server and then
> > > join to the
> > > > > > new-ipa-server? (My infrastructure
is
> > Ansible-enabled)
> > > > > > Take a look at the ansible-freeipa
project
> > (and not
> > > > > freeipa-ansible).
> > > > > >
> > > > > > rob
> > > > > >
> > > > >
> > > >
> > >
> >
>
7:14 a.m.
HUANG, TONY wrote:
Hello Rob,
I just want to provide feedback that your command worked. I must have
done something wrong initially. I am able to migrate all of the user
private groups over to the new IPA - although it all became regular
POSIX groups, at least I don't have to change permissions for 500+
users. Thanks very much!
Now my next goal is to try to do "ipa migrate-ds ..." into an Ansible
task after a brand new IPA server install. Will be interesting to see
how I can run this in an idempotent way ...
Thanks Rob!
Sure thing, very glad you got it working. Thanks for following up.
cheers
rob
--Tony
On Thu, Apr 13, 2023 at 6:39 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> Just curious, does your old-ipa-server have User Private Group
disabled
> or enabled? Same question goes for your newly migrated IPA server.
Enabled on both.
> I may end up disabling the use of User Private Group on the new server
> and default everyone to "ipausers" Group.
I wouldn't get hung up on UPG. Internally it's a bit of a trick to have
a group without allowing other members. The user and group are linked by
the 389-ds managed entry plugin so that if owner (user) is removed, the
group goes with it.
Migration doesn't know how to deal with this, because it's IPA-specific
and it is more geared towards generic LDAP, so the mep* attributes and
objectclasses need to be dropped and it essentially converts the private
group into a general one.
But this isn't your problem, I don't think. What you've been saying is
that the groups don't transfer at all.
rob
> I'll see what I can do about getting the logs out.
>
> Thanks very much Rob!
>
>
> Tony
>
> On Wed, Apr 12, 2023, 10:11 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I have been starting from scratch. I will check my logs
again. My
> > environment is disconnected from the Internet and I can't
easily copy
> > and paste to the thread. My IPA version is the same going
from the old
> > to the new (4.8 I believe). The reason I had to do IPA to IPA
> migration
> > is because my old one is not FIPS enabled where as my new
one is FIPS
> > enabled, therefore, I can't just replicate it by promoting it
> >
> > When your "ipa migrate-ds" worked for you, did you also get
nobody as
> > your group ownership to the files in your home directory?
Similar to
> > when I login to the client machine connected to the newly
migrated IPA
> > server, I get /usr/bin/id Cannot find name with GID 6314001, and
> ls - l
> > /home/htony shows htony : nobody on all of my files and
directories.
>
> No, everything is looking fine. The nss commands like getent
and id all
> show the properly resolved group names.
>
> > Red Hat support is telling me to delete the users and re-create
> them ..
> > which defeats the purpose of running ipa migrate-ds ... and
I have
> many
> > users and home directories on a NFS share.
>
> They may be confused by UPG. There currently no way to add a
UPG to an
> existing user, so re-creating the user is the only way.
>
> > I am fine if there is no way to do this migration easily,
but before
> > coming to that conclusion I am trying to find a way forward.
>
> It's hard to help without seeing what is going on beyond the
symptom.
> Like I said, the migration cli I provided works for me.
>
> rob
>
> >
> > Thanks again!
> >
> > --Tony
> >
> >
> > On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden
> <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>> wrote:
> >
> > HUANG, TONY wrote:
> > > Hi Rob,
> > >
> > > I've asked Red Hat support, and the support engineer is
> telling me
> > that
> > > it doesn't support migrating of User Private Group and
has
> pointed me
> > > over
to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The
> > support
> > > engineer is also asking me to create new UPG.
> >
> > It's true that migrating UPG is not possible. The group is
> converted
> > into a standard group. You can't create UPG manually by
> default. I was
> > curious one day and worked out a way to re-attach a
group, but
> that's a
> > different problem.
> >
> > I don't think you've ever said which version of IPA you
are
> migrating
> > from/to. Versions sometimes can make a big difference.
> >
> > You also aren't saying what you are doing in between
attempts.
> Are you
> > fully starting over in between executions or re-running
> migrate-ds? It
> > would be truly helpful to see the output of the command when
> groups fail
> > to migrate. If it fails it will say so. If it doesn't
include
> the groups
> > at all then it isn't finding them.
> >
> > migrate-ds doesn't do anything particularly complicated. It
> does LDAP
> > searches for the various objects. For group since you
specified
> > --group-objectclass=posixaccount it's going to search
for all
> of those.
> > This should be visible in your access log.
> >
> > This works for me:
> >
> > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > --user-container=cn=users,cn=accounts
> > --group-container=cn=groups,cn=accounts
> --group-objectclass=posixgroup
> >
>
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > --user-ignore-objectclass mepOriginEntry
> > --group-ignore-attribute=mepmanagedby
> > --group-ignore-objectclass=mepmanagedEntry --with-compat
> > ldap://ipa.example.test
> >
> > > Now my question is if ipa migrate-ds doesn't support
> migration of UPG,
> > > then how do I move forward after running ipa migrate-ds? I
> currently
> > > have GIDs that don't associate to usernames and group
file
> > ownership is
> > > nobody.
> >
> > Like I said, it doesn't migrate UPG and continue to be UPG,
> but it will
> > migrate the groups.
> >
> > > Looking to see if anyone in the community has done an
IPA to IPA
> > > migration ...
> >
> > Have you searched the list archives?
> >
> > rob
> >
> > >
> > > Thanks!
> > >
> > > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
wrote:
> > >
> > > HUANG, TONY wrote:
> > > > I didn't get any errors regarding user private
groups at
> > all, and the
> > > > UPGs didn't even get migrated to become regular
POSIX UNIX
> > groups
> > > > either. They are just not there, so when I login
I see
> a message
> > > > complaining that /usr/bin/id cannot find my
group name.
> > >
> > > They may not be reported as errors, just part of
the output.
> > >
> > > You might also want to look at your private groups
in the
> > original IPA
> > > to ensure they have the posixgroup objectclass.
That is
> the search
> > > filter being used.
> > >
> > > rob
> > >
> > > >
> > > > I've tried importing the entire cn=groups, but
it didn't
> > solve the
> > > > missing UPG problem at all.
> > > >
> > > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden
> > <rcritten(a)redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>>
wrote:
> > > >
> > > > HUANG, TONY wrote:
> > > > > Rob,
> > > > >
> > > > > I've tried the command from the website
below
> with the
> > same
> > > result.
> > > > > Furthermore, at the FreeIPA to FreeIPA
section
> it states
> > > "The command
> > > > > doesn't migrate user private
groups.",
which is
> > very strange,
> > > > because my
> > > > > migration becomes more complicated when i
have to
> > change group
> > > > ownership
> > > > > and potentially user files.
> > > >
> > > > What means is that after migration the
groups are
> no longer
> > > private.
> > > > They are regular groups.
> > > >
> > > > > Am i doing something wrong here?
> > > >
> > > > What does the output of migrate-ds say about the
> missing
> > groups?
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thanks again for your help!
> > > > >
> > > > >
> > > > > Tony
> > > > >
> > > > >
> > > > > On Mon, Apr 10, 2023, 9:06 AM Rob
Crittenden
> > > <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
> > > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>>> wrote:
> > > > >
> > > > > HUANG, TONY wrote:
> > > > > > Hi Rob,
> > > > > >
> > > > > > Thanks for the reply.
> > > > > >
> > > > > > User Private Group didn't get
migrated. When I
> > login I
> > > see Group
> > > > > number
> > > > > > being a number.
> > > > > >
> > > > > > How do I migrate UPG over?
> > > > >
> > > > > I don't see why they didn't
migrate in
the first
> > place.
> > > Using
> > > > your CLI
> > > > > *only* groups migrated for me, not
users,
> because
> > of the
> > > error:
> > > > >
> > > > > tuser: attribute
"mepManagedEntry"
not allowed
> > > > >
> > > > > I'd suggest the migration
command-line at
> > > > >
https://www.freeipa.org/page/Howto/Migration
> > > > >
> > > > > rob
> > > > >
> > > > > >
> > > > > > Thanks very much!
> > > > > >
> > > > > >
> > > > > > Tony
> > > > > >
> > > > > >
> > > > > > On Mon, Apr 10, 2023, 7:34 AM Rob
Crittenden
> > > > <rcritten(a)redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
> > > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>>
> > > > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>>
> > > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>>
> > > <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com> <mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
> > <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>
<mailto:rcritten@redhat.com
<mailto:rcritten@redhat.com>>>>>>>> wrote:
> > > > > >
> > > > > > Tony Super via FreeIPA-users
wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am trying to migrate
from my an
> IPA server
> > > that has FIPS
> > > > > > disabled to an IPA server that
has FIPS
> > enabled. Both
> > > > the old and
> > > > > > the new IPA will have DNS, CA,
and etc.
> > > > > > >
> > > > > > > I ran: ipa migrate-ds
> --bind-dn="cn=Directory
> > > Manager"
> > > > > >
--user-container=cn=users,cn=accounts
> > > > > >
--group-container=cn=groups,cn=accounts
> > > > > > --group-objectclass=posixgroup
> > > > > >
--user-ignore-objectclass=mepOriginEntry
> > --with-compat
> > > > > > ldap://oldipa.server.com
<http://oldipa.server.com>
> <http://oldipa.server.com>
> > <http://oldipa.server.com>
> > > <http://oldipa.server.com>
<http://oldipa.server.com>
> > > > <http://oldipa.server.com>
> > > > > <http://oldipa.server.com>
However, when I
> > > > > > login to a client machine
connected to the
> > new IPA
> > > > server, my file
> > > > > > ownership becomes htony :
nobody.
> > > > > > >
> > > > > > > What steps have I missed
within the
> migration
> > > process?
> > > > > > >
> > > > > > > I've tried exporting
cn=groups
tree from
> > the old IPA
> > > > server
> > > > > into a
> > > > > > LDIF and imported to the new
IPA
> server, but it
> > > did not
> > > > solve the
> > > > > > problem.
> > > > > >
> > > > > > Did your user-private groups
migrate? Is
> > there an
> > > htony
> > > > group?
> > > > > What is
> > > > > > the group value in getent
passwd
htony?
> > > > > >
> > > > > > > For everything else, DNS,
sudoers,
> automount,
> > > and etc,
> > > > can I
> > > > > > simply export from the old
server and
> import
> > into the
> > > > new server?
> > > > > >
> > > > > > Probably. It's possible
you
might have to
> > massage some
> > > > of the
> > > > > entries
> > > > > > but I don't know of
anything
specific.
> > > > > >
> > > > > > > I also have 100+ client
machines, is
> there an
> > > easy way
> > > > where
> > > > > I can
> > > > > > unjoin the machines from
> old-ipa-server and then
> > > join to the
> > > > > > new-ipa-server? (My
infrastructure is
> > Ansible-enabled)
> > > > > > Take a look at the
ansible-freeipa project
> > (and not
> > > > > freeipa-ansible).
> > > > > >
> > > > > > rob
> > > > > >
> > > > >
> > > >
> > >
> >
>
362
days inactive
381
days old
freeipa-users@lists.fedorahosted.org
15 comments
3 participants
participants (3)
-
HUANG, TONY -
Rob Crittenden -
Tony Super