Rob,

I've tried the command from the website below with the same result.
Furthermore, at the FreeIPA to FreeIPA section it states "The command
doesn't migrate user private groups.", which is very strange, because my
migration becomes more complicated when I have to change group ownership
and potentially user files.

Am I doing something wrong here?

Thanks again for your help!


Tony


On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <[email protected]> wrote:

> HUANG, TONY wrote:
> > Hi Rob,
> >
> > Thanks for the reply.
> >
> > User Private Group didn't get migrated. When I login I see Group number
> > being a number.
> >
> > How do I migrate UPG over?
>
> I don't see why they didn't migrate in the first place. Using your CLI
> *only* groups migrated for me, not users, because of the error:
>
>   tuser: attribute "mepManagedEntry" not allowed
>
> I'd suggest the migration command-line at
> https://www.freeipa.org/page/Howto/Migration
>
> rob
>
> >
> > Thanks very much!
> >
> >
> > Tony
> >
> >
> > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <[email protected]> wrote:
> >
> >     Tony Super via FreeIPA-users wrote:
> >     > Hello,
> >     >
> >     > I am trying to migrate from an IPA server that has FIPS
> >     disabled to an IPA server that has FIPS enabled. Both the old and
> >     the new IPA will have DNS, CA, and etc.
> >     >
> >     > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> >     --user-container=cn=users,cn=accounts
> >     --group-container=cn=groups,cn=accounts
> >     --group-objectclass=posixgroup
> >     --user-ignore-objectclass=mepOriginEntry --with-compat
> >     ldap://oldipa.server.com However, when I
> >     login to a client machine connected to the new IPA server, my file
> >     ownership becomes htony : nobody.
> >     >
> >     > What steps have I missed within the migration process?
> >     >
> >     > I've tried exporting cn=groups tree from the old IPA server into a
> >     LDIF and imported to the new IPA server, but it did not solve the
> >     problem.
> >
> >     Did your user-private groups migrate? Is there an htony group? What is
> >     the group value in getent passwd htony?
> >
> >     > For everything else, DNS, sudoers, automount, and etc, can I
> >     simply export from the old server and import into the new server?
> >
> >     Probably. It's possible you might have to massage some of the entries
> >     but I don't know of anything specific.
> >
> >     > I also have 100+ client machines, is there an easy way where I can
> >     unjoin the machines from old-ipa-server and then join to the
> >     new-ipa-server? (My infrastructure is Ansible-enabled)
> >
> >     Take a look at the ansible-freeipa project (and not freeipa-ansible).
> >
> >     rob
> >
>
>
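
An added example, not part of the thread: one way to run the check Rob asks for (is there a group behind each user's primary GID, and is it the user's private group?) across many accounts. The function name, the sample accounts' UID/GID values and the `svc` account are constructed for illustration; the input is assumed to be passwd(5)- and group(5)-format text such as `getent` prints.

```shell
#!/bin/sh
# Added example. Flags accounts whose primary GID resolves to no group,
# the condition that shows up as "htony : nobody" or a bare GID number.
# On a client, collect input per account (getent passwd NAME, getent group GID);
# SSSD does not enumerate all users and groups by default.

# primary_group_report PASSWD_FILE GROUP_FILE
# Prints "user gid status" per account, where status is one of:
#   private      group with the same name and GID exists (user private group)
#   shared:NAME  GID resolves to a differently named group
#   missing      no group has this GID
primary_group_report() {
    awk -F: '
        FILENAME == ARGV[1] {                 # group file: name:passwd:gid:members
            if (NF >= 3) name_of[$3 ""] = $1
            next
        }
        NF >= 4 {                             # passwd file: field 4 is the primary GID
            gid = $4 ""
            if (!(gid in name_of))          status = "missing"
            else if (name_of[gid] == $1)    status = "private"
            else                            status = "shared:" name_of[gid]
            print $1, gid, status
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from the servers in the thread).
sample_passwd() { cat <<'EOF'
htony:*:1234000001:1234000001:Tony H:/home/htony:/bin/bash
tuser:*:1234000003:1234000003:Test User:/home/tuser:/bin/bash
svc:*:1234000005:1234000010:Service:/home/svc:/sbin/nologin
EOF
}
sample_group() { cat <<'EOF'
tuser:*:1234000003:
ipausers:*:1234000010:
EOF
}

demo_dir=$(mktemp -d)
sample_passwd > "$demo_dir/passwd"
sample_group  > "$demo_dir/group"
primary_group_report "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

Accounts reported as `missing` are the ones whose files will show an unresolved group after the migration.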
_______________________________________________
FreeIPA-users mailing list -- [email protected]