HUANG, TONY wrote:
> Hi Rob,
> 
> Thanks for the reply. 
> 
> User Private Group didn't get migrated. When I log in I see Group number
> being a number. 
> 
> How do I migrate UPG over?

I don't see why they didn't migrate in the first place. Using your CLI
*only* groups migrated for me, not users, because of the error:

  tuser: attribute "mepManagedEntry" not allowed

I'd suggest the migration command-line at
https://www.freeipa.org/page/Howto/Migration

rob

> 
> Thanks very much!
> 
> 
> Tony
> 
> 
> On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <[email protected]> wrote:
> 
>     Tony Super via FreeIPA-users wrote:
>     > Hello,
>     >
>     > I am trying to migrate from an IPA server that has FIPS
>     > disabled to an IPA server that has FIPS enabled. Both the old and
>     > the new IPA will have DNS, CA, etc.
>     >
>     > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
>     > --user-container=cn=users,cn=accounts
>     > --group-container=cn=groups,cn=accounts
>     > --group-objectclass=posixgroup
>     > --user-ignore-objectclass=mepOriginEntry --with-compat
>     > ldap://oldipa.server.com
>     >
>     > However, when I log in to a client machine connected to the new IPA
>     > server, my file ownership becomes htony : nobody.
>     >
>     > What steps have I missed within the migration process?
>     >
>     > I've tried exporting cn=groups tree from the old IPA server into a
>     > LDIF and imported to the new IPA server, but it did not solve the
>     > problem.
> 
>     Did your user-private groups migrate? Is there an htony group? What is
>     the group value in getent passwd htony?
> 
>     > For everything else, DNS, sudoers, automount, etc., can I
>     > simply export from the old server and import into the new server?
> 
>     Probably. It's possible you might have to massage some of the entries
>     but I don't know of anything specific.
> 
>     > I also have 100+ client machines, is there an easy way where I can
>     > unjoin the machines from old-ipa-server and then join to the
>     > new-ipa-server? (My infrastructure is Ansible-enabled)
> 
>     Take a look at the ansible-freeipa project (and not freeipa-ansible).
> 
>     rob
> 
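
The check asked about in the thread (is there a group entry behind the user's primary GID?) can be run over saved `getent` output. This is an added example, not part of the original messages; the function name `find_orphan_gids` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: list users whose primary GID has no matching group entry.
# Such users show a bare number (or "nobody") as their group, which is the
# symptom of a user-private group that was not migrated.
#
# Usage: find_orphan_gids PASSWD_FILE GROUP_FILE
#   PASSWD_FILE: lines in passwd(5) format, e.g. from `getent passwd <user>`
#   GROUP_FILE:  lines in group(5) format, e.g. from `getent group <name>`
find_orphan_gids() {
    awk -F: '
        # First file argument is the group data: name:passwd:gid:members
        FILENAME == ARGV[1] { if ($3 != "") gids[$3] = $1; next }
        # Second file is the passwd data: name:passwd:uid:gid:gecos:home:shell
        $4 != "" && !($4 in gids) { print $1, $4 }
    ' "$2" "$1"
}

# Constructed sample data (not taken from the thread), in getent output format.
# htony has no group with GID 1234500001; jdoe has a user-private group.
sample_dir=$(mktemp -d)
cat > "$sample_dir/passwd" <<'EOF'
htony:*:1234500001:1234500001:Sample User:/home/htony:/bin/bash
jdoe:*:1234500002:1234500002:Sample User:/home/jdoe:/bin/bash
EOF
cat > "$sample_dir/group" <<'EOF'
admins:*:1234500000:admin
jdoe:*:1234500002:
EOF

# Prints one "user gid" pair per user whose primary group is missing.
find_orphan_gids "$sample_dir/passwd" "$sample_dir/group"
```

Any user it prints is one whose files will show an unresolved group on clients until a group with that GID exists on the new server.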