I didn't get any errors regarding user private groups at all, and the UPGs didn't even get migrated to become regular POSIX UNIX groups either. They are just not there, so when I log in I see a message complaining that /usr/bin/id cannot find my group name.
I've tried importing the entire cn=groups, but it didn't solve the missing UPG problem at all.

On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <[email protected]> wrote:

> HUANG, TONY wrote:
> > Rob,
> >
> > I've tried the command from the website below with the same result.
> > Furthermore, at the FreeIPA to FreeIPA section it states "The command
> > doesn't migrate user private groups.", which is very strange, because my
> > migration becomes more complicated when I have to change group ownership
> > and potentially user files.
>
> What it means is that after migration the groups are no longer private.
> They are regular groups.
>
> > Am I doing something wrong here?
>
> What does the output of migrate-ds say about the missing groups?
>
> rob
>
> >
> > Thanks again for your help!
> >
> > Tony
> >
> > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <[email protected]> wrote:
> >
> > HUANG, TONY wrote:
> > > Hi Rob,
> > >
> > > Thanks for the reply.
> > >
> > > User Private Group didn't get migrated. When I log in I see Group number
> > > being a number.
> > >
> > > How do I migrate UPG over?
> >
> > I don't see why they didn't migrate in the first place. Using your CLI
> > *only* groups migrated for me, not users, because of the error:
> >
> > tuser: attribute "mepManagedEntry" not allowed
> >
> > I'd suggest the migration command-line at
> > https://www.freeipa.org/page/Howto/Migration
> >
> > rob
> >
> > >
> > > Thanks very much!
> > >
> > > Tony
> > >
> > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <[email protected]> wrote:
> > >
> > > Tony Super via FreeIPA-users wrote:
> > > > Hello,
> > > >
> > > > I am trying to migrate from an IPA server that has FIPS
> > > > disabled to an IPA server that has FIPS enabled. Both the old and
> > > > the new IPA will have DNS, CA, and etc.
> > > >
> > > > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> > > > --user-container=cn=users,cn=accounts
> > > > --group-container=cn=groups,cn=accounts
> > > > --group-objectclass=posixgroup
> > > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > > ldap://oldipa.server.com However, when I
> > > > log in to a client machine connected to the new IPA server, my file
> > > > ownership becomes htony : nobody.
> > > >
> > > > What steps have I missed within the migration process?
> > > >
> > > > I've tried exporting cn=groups tree from the old IPA server into a
> > > > LDIF and imported to the new IPA server, but it did not solve the
> > > > problem.
> > >
> > > Did your user-private groups migrate? Is there an htony group? What is
> > > the group value in getent passwd htony?
> > >
> > > > For everything else, DNS, sudoers, automount, and etc, can I
> > > > simply export from the old server and import into the new server?
> > >
> > > Probably. It's possible you might have to massage some of the entries
> > > but I don't know of anything specific.
> > >
> > > > I also have 100+ client machines, is there an easy way where I can
> > > > unjoin the machines from old-ipa-server and then join to the
> > > > new-ipa-server? (My infrastructure is Ansible-enabled)
> > >
> > > Take a look at the ansible-freeipa project (and not freeipa-ansible).
> > >
> > > rob
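A check for the symptom discussed in this thread, a primary GID that resolves to no group, written as an added example that is not part of the original messages. It also goes one step further and reports a same-named group that exists under a different GID; the function name, output format and all sample UID/GID values are constructed, and the inputs are assumed to be files in `getent passwd` / `getent group` output format.

```shell
#!/bin/sh
# Added example: list accounts whose primary GID (passwd field 4) has no
# matching group entry. That is the state in which /usr/bin/id cannot print
# a group name and file listings show a bare GID or "nobody".

# check_primary_groups PASSWD_FILE GROUP_FILE
# Prints one line per affected user:
#   <user> <gid> missing              no group has that GID or that name
#   <user> <gid> renumbered:<gid2>    a group named like the user exists,
#                                     but with a different GID
check_primary_groups() {
    awk -F: '
        # First argument is the group database: index by GID and by name.
        FILENAME == ARGV[1] { gid_name[$3] = $1; name_gid[$1] = $3; next }
        # Second argument is the passwd database.
        {
            user = $1; gid = $4
            if (gid in gid_name) next          # primary group resolves
            if (user in name_gid)
                printf "%s %s renumbered:%s\n", user, gid, name_gid[user]
            else
                printf "%s %s missing\n", user, gid
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from any real server).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/passwd" <<'EOF'
admin:*:1868000000:1868000000:Administrator:/home/admin:/bin/bash
htony:*:1868000001:1868000001:Tony:/home/htony:/bin/bash
tuser:*:1868000003:1868000003:Test User:/home/tuser:/bin/bash
EOF

cat > "$SAMPLE_DIR/group" <<'EOF'
admins:*:1868000000:admin
ipausers:*:1868000002:
tuser:*:1868000010:
EOF

check_primary_groups "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

SSSD does not enumerate domain users and groups by default, so on an IPA client build the input files from per-name lookups such as `getent passwd htony` rather than a bare `getent passwd`.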
