Hello Rob,

I just want to provide feedback that your command worked. I must have
done something wrong initially. I am able to migrate all of the user
private groups over to the new IPA - although they all became regular
POSIX groups, at least I don't have to change permissions for 500+
users. Thanks very much!

Now my next goal is to try to do "ipa migrate-ds ..." into an Ansible
task after a brand new IPA server install. Will be interesting to see
how I can run this in an idempotent way ...

Thanks Rob!

Sure thing, very glad you got it working. Thanks for following up.

cheers
rob

--Tony

On Thu, Apr 13, 2023 at 6:39 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
HUANG, TONY wrote:
> Hi Rob,
>
> Just curious, does your old-ipa-server have User Private Group disabled
> or enabled? Same question goes for your newly migrated IPA server.

Enabled on both.

> I may end up disabling the use of User Private Group on the new server
> and default everyone to "ipausers" Group.

I wouldn't get hung up on UPG. Internally it's a bit of a trick to have
a group without allowing other members. The user and group are linked by
the 389-ds managed entry plugin so that if the owner (user) is removed, the
group goes with it.

Migration doesn't know how to deal with this, because it's IPA-specific
and it is more geared towards generic LDAP, so the mep* attributes and
objectclasses need to be dropped and it essentially converts the private
group into a general one.

But this isn't your problem, I don't think. What you've been saying is
that the groups don't transfer at all.

rob

> I'll see what I can do about getting the logs out.
>
> Thanks very much Rob!
>
> Tony
>
> On Wed, Apr 12, 2023, 10:11 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I have been starting from scratch. I will check my logs again. My
> > environment is disconnected from the Internet and I can't easily copy
> > and paste to the thread. My IPA version is the same going from the old
> > to the new (4.8 I believe). The reason I had to do IPA to IPA migration
> > is because my old one is not FIPS enabled whereas my new one is FIPS
> > enabled, therefore, I can't just replicate it by promoting it
> >
> > When your "ipa migrate-ds" worked for you, did you also get nobody as
> > your group ownership to the files in your home directory? Similar to
> > when I login to the client machine connected to the newly migrated IPA
> > server, I get /usr/bin/id Cannot find name with GID 6314001, and
> > ls -l /home/htony shows htony : nobody on all of my files and
> > directories.
>
> No, everything is looking fine. The nss commands like getent and id all
> show the properly resolved group names.
>
> > Red Hat support is telling me to delete the users and re-create them ..
> > which defeats the purpose of running ipa migrate-ds ... and I have many
> > users and home directories on a NFS share.
>
> They may be confused by UPG. There is currently no way to add a UPG to an
> existing user, so re-creating the user is the only way.
>
> > I am fine if there is no way to do this migration easily, but before
> > coming to that conclusion I am trying to find a way forward.
>
> It's hard to help without seeing what is going on beyond the symptom.
> Like I said, the migration cli I provided works for me.
>
> rob
>
> >
> > Thanks again!
> >
> > --Tony
> >
> > On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >
> > HUANG, TONY wrote:
> > > Hi Rob,
> > >
> > > I've asked Red Hat support, and the support engineer is telling me that
> > > it doesn't support migrating of User Private Group and has pointed me
> > > over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The support
> > > engineer is also asking me to create new UPG.
> >
> > It's true that migrating UPG is not possible. The group is converted
> > into a standard group. You can't create UPG manually by default. I was
> > curious one day and worked out a way to re-attach a group, but that's a
> > different problem.
> >
> > I don't think you've ever said which version of IPA you are migrating
> > from/to. Versions sometimes can make a big difference.
> >
> > You also aren't saying what you are doing in between attempts. Are you
> > fully starting over in between executions or re-running migrate-ds? It
> > would be truly helpful to see the output of the command when groups fail
> > to migrate. If it fails it will say so. If it doesn't include the groups
> > at all then it isn't finding them.
> >
> > migrate-ds doesn't do anything particularly complicated. It does LDAP
> > searches for the various objects. For groups, since you specified
> > --group-objectclass=posixaccount it's going to search for all of those.
> > This should be visible in your access log.
> >
> > This works for me:
> >
> > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > --user-container=cn=users,cn=accounts
> > --group-container=cn=groups,cn=accounts
> > --group-objectclass=posixgroup
> > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > --user-ignore-objectclass mepOriginEntry
> > --group-ignore-attribute=mepmanagedby
> > --group-ignore-objectclass=mepmanagedEntry --with-compat
> > ldap://ipa.example.test
> >
> > > Now my question is if ipa migrate-ds doesn't support migration of UPG,
> > > then how do I move forward after running ipa migrate-ds? I currently
> > > have GIDs that don't associate to usernames and group file ownership is
> > > nobody.
> >
> > Like I said, it doesn't migrate UPG and continue to be UPG, but it will
> > migrate the groups.
> >
> > > Looking to see if anyone in the community has done an IPA to IPA
> > > migration ...
> >
> > Have you searched the list archives?
> >
> > rob
> >
> > >
> > > Thanks!
> > >
> > > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > >
> > > HUANG, TONY wrote:
> > > > I didn't get any errors regarding user private groups at all, and the
> > > > UPGs didn't even get migrated to become regular POSIX UNIX groups
> > > > either. They are just not there, so when I login I see a message
> > > > complaining that /usr/bin/id cannot find my group name.
> > >
> > > They may not be reported as errors, just part of the output.
> > >
> > > You might also want to look at your private groups in the original IPA
> > > to ensure they have the posixgroup objectclass. That is the search
> > > filter being used.
> > >
> > > rob
> > >
> > > >
> > > > I've tried importing the entire cn=groups, but it didn't solve the
> > > > missing UPG problem at all.
> > > >
> > > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > > >
> > > > HUANG, TONY wrote:
> > > > > Rob,
> > > > >
> > > > > I've tried the command from the website below with the same result.
> > > > > Furthermore, at the FreeIPA to FreeIPA section it states "The command
> > > > > doesn't migrate user private groups.", which is very strange, because my
> > > > > migration becomes more complicated when I have to change group ownership
> > > > > and potentially user files.
> > > >
> > > > What that means is that after migration the groups are no longer private.
> > > > They are regular groups.
> > > >
> > > > > Am I doing something wrong here?
> > > >
> > > > What does the output of migrate-ds say about the missing groups?
> > > >
> > > > rob
> > > >
> > > > >
> > > > > Thanks again for your help!
> > > > >
> > > > > Tony
> > > > >
> > > > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > > > >
> > > > > HUANG, TONY wrote:
> > > > > > Hi Rob,
> > > > > >
> > > > > > Thanks for the reply.
> > > > > >
> > > > > > User Private Group didn't get migrated. When I login I see Group number
> > > > > > being a number.
> > > > > >
> > > > > > How do I migrate UPG over?
> > > > >
> > > > > I don't see why they didn't migrate in the first place. Using your CLI
> > > > > *only* groups migrated for me, not users, because of the error:
> > > > >
> > > > > tuser: attribute "mepManagedEntry" not allowed
> > > > >
> > > > > I'd suggest the migration command-line at
> > > > > https://www.freeipa.org/page/Howto/Migration
> > > > >
> > > > > rob
> > > > >
> > > > > >
> > > > > > Thanks very much!
> > > > > >
> > > > > > Tony
> > > > > >
> > > > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > > > > >
> > > > > > Tony Super via FreeIPA-users wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I am trying to migrate from an IPA server that has FIPS disabled to
> > > > > > > an IPA server that has FIPS enabled. Both the old and the new IPA
> > > > > > > will have DNS, CA, and etc.
> > > > > > >
> > > > > > > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> > > > > > > --user-container=cn=users,cn=accounts
> > > > > > > --group-container=cn=groups,cn=accounts
> > > > > > > --group-objectclass=posixgroup
> > > > > > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > > > > > ldap://oldipa.server.com
> > > > > > >
> > > > > > > However, when I login to a client machine connected to the new IPA
> > > > > > > server, my file ownership becomes htony : nobody.
> > > > > > >
> > > > > > > What steps have I missed within the migration process?
> > > > > > >
> > > > > > > I've tried exporting the cn=groups tree from the old IPA server into a
> > > > > > > LDIF and imported to the new IPA server, but it did not solve the
> > > > > > > problem.
> > > > > >
> > > > > > Did your user-private groups migrate? Is there an htony group? What is
> > > > > > the group value in getent passwd htony?
> > > > > >
> > > > > > > For everything else, DNS, sudoers, automount, and etc, can I simply
> > > > > > > export from the old server and import into the new server?
> > > > > >
> > > > > > Probably. It's possible you might have to massage some of the entries
> > > > > > but I don't know of anything specific.
> > > > > >
> > > > > > > I also have 100+ client machines, is there an easy way where I can
> > > > > > > unjoin the machines from old-ipa-server and then join to the
> > > > > > > new-ipa-server? (My infrastructure is Ansible-enabled)
> > > > > >
> > > > > > Take a look at the ansible-freeipa project (and not freeipa-ansible).
> > > > > >
> > > > > > rob
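Rob's two checks in the thread (migrate-ds only finds a group if it carries the posixgroup objectclass, and the mep* attributes and objectclasses that tie a user private group to its user have to be ignored on the way over) as an added example that is not part of the thread or of FreeIPA: a small Python pre-migration check over a constructed LDIF export of cn=groups, reporting which groups the migrate-ds search would find and which mep* pieces need the --group-ignore-attribute / --group-ignore-objectclass options from Rob's command. The LDIF is sample data, not an export from either server in the thread.

```python
import base64

# Constructed sample export of cn=groups: one user private group (posixgroup
# plus the mep* managed-entry markers) and one non-POSIX group (no posixgroup).
SAMPLE_LDIF = """\
dn: cn=htony,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
cn: htony
gidNumber: 6314001
mepManagedBy: uid=htony,cn=users,cn=accounts,dc=example,dc=test
description:: VXNlciBwcml2YXRlIGdyb3VwIGZvciBodG9ueQ==

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: groupofnames
objectClass: ipausergroup
cn: ipausers
"""


def parse_ldif(text):
    """Parse a simple LDIF: unfold continuation lines, decode 'attr:: base64'."""
    entries, current = [], None
    for raw in text.replace("\n ", "").split("\n") + [""]:
        if not raw.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):    # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode()
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def check_groups(text):
    """Per group: would the (objectclass=posixgroup) search behind
    --group-objectclass=posixgroup find it, and which mep* pieces must be ignored."""
    report = {}
    for dn, attrs in parse_ldif(text):
        ocs = {v.lower() for v in attrs.get("objectclass", [])}
        report[attrs.get("cn", [dn])[0]] = {
            "found_by_migrate_ds": "posixgroup" in ocs,
            "is_upg": "mepmanagedentry" in ocs or "mepmanagedby" in attrs,
            "ignore_objectclasses": sorted(o for o in ocs if o.startswith("mep")),
            "ignore_attributes": sorted(a for a in attrs if a.startswith("mep")),
        }
    return report
```

Run it over a real `ldapsearch -LLL -b cn=groups,cn=accounts,...` export before migrating; a UPG that shows up without posixgroup here is one migrate-ds will silently skip.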