Hi Rob,

I have been starting from scratch. I will check my logs again. My
environment is disconnected from the Internet and I can't easily copy and
paste to the thread. My IPA version is the same going from the old to the
new (4.8 I believe). The reason I had to do IPA to IPA migration is because
my old one is not FIPS enabled whereas my new one is FIPS enabled;
therefore, I can't just replicate it by promoting it.

When your "ipa migrate-ds" worked for you, did you also get nobody as your
group ownership to the files in your home directory? Similarly, when I
log in to the client machine connected to the newly migrated IPA server, I
get "/usr/bin/id Cannot find name with GID 6314001", and ls -l /home/htony
shows htony : nobody on all of my files and directories.

Red Hat support is telling me to delete the users and re-create them ..
which defeats the purpose of running ipa migrate-ds ... and I have many
users and home directories on a NFS share.

I am fine if there is no way to do this migration easily, but before coming
to that conclusion I am trying to find a way forward.

Thanks again!

--Tony


On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <[email protected]> wrote:

> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I've asked Red Hat support, and the support engineer is telling me that
> > it doesn't support migrating of User Private Group and has pointed me
> > over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The support
> > engineer is also asking me to create new UPG.
>
> It's true that migrating UPG is not possible. The group is converted
> into a standard group. You can't create UPG manually by default. I was
> curious one day and worked out a way to re-attach a group, but that's a
> different problem.
>
> I don't think you've ever said which version of IPA you are migrating
> from/to. Versions sometimes can make a big difference.
>
> You also aren't saying what you are doing in between attempts. Are you
> fully starting over in between executions or re-running migrate-ds? It
> would be truly helpful to see the output of the command when groups fail
> to migrate. If it fails it will say so. If it doesn't include the groups
> at all then it isn't finding them.
>
> migrate-ds doesn't do anything particularly complicated. It does LDAP
> searches for the various objects. For group since you specified
> --group-objectclass=posixaccount it's going to search for all of those.
> This should be visible in your access log.
>
> This works for me:
>
> ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass mepOriginEntry
> --group-ignore-attribute=mepmanagedby
> --group-ignore-objectclass=mepmanagedEntry --with-compat
> ldap://ipa.example.test
>
> > Now my question is if ipa migrate-ds doesn't support migration of UPG,
> > then how do I move forward after running ipa migrate-ds? I currently
> > have GIDs that don't associate to usernames and group file ownership is
> > nobody.
>
> Like I said, it doesn't migrate UPG and continue to be UPG, but it will
> migrate the groups.
>
> > Looking to see if anyone in the community has done an IPA to IPA
> > migration ...
>
> Have you searched the list archives?
>
> rob
>
> >
> > Thanks!
> >
> > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <[email protected]> wrote:
> >
> >     HUANG, TONY wrote:
> >     > I didn't get any errors regarding user private groups at all, and the
> >     > UPGs didn't even get migrated to become regular POSIX UNIX groups
> >     > either. They are just not there, so when I login I see a message
> >     > complaining that /usr/bin/id cannot find my group name.
> >
> >     They may not be reported as errors, just part of the output.
> >
> >     You might also want to look at your private groups in the original IPA
> >     to ensure they have the posixgroup objectclass. That is the search
> >     filter being used.
> >
> >     rob
> >
> >     >
> >     > I've tried importing the entire cn=groups, but it didn't solve the
> >     > missing UPG problem at all.
> >     >
> >     > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <[email protected]> wrote:
> >     >
> >     >     HUANG, TONY wrote:
> >     >     > Rob,
> >     >     >
> >     >     > I've tried the command from the website below with the same result.
> >     >     > Furthermore, at the FreeIPA to FreeIPA section it states "The command
> >     >     > doesn't migrate user private groups.", which is very strange,
> >     >     > because my migration becomes more complicated when i have to change
> >     >     > group ownership and potentially user files.
> >     >
> >     >     What that means is that after migration the groups are no longer private.
> >     >     They are regular groups.
> >     >
> >     >     > Am i doing something wrong here?
> >     >
> >     >     What does the output of migrate-ds say about the missing groups?
> >     >
> >     >     rob
> >     >
> >     >     >
> >     >     > Thanks again for your help!
> >     >     >
> >     >     >
> >     >     > Tony
> >     >     >
> >     >     >
> >     >     > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <[email protected]> wrote:
> >     >     >
> >     >     >     HUANG, TONY wrote:
> >     >     >     > Hi Rob,
> >     >     >     >
> >     >     >     > Thanks for the reply.
> >     >     >     >
> >     >     >     > User Private Group didn't get migrated. When I login I see Group
> >     >     >     > number being a number.
> >     >     >     >
> >     >     >     > How do I migrate UPG over?
> >     >     >
> >     >     >     I don't see why they didn't migrate in the first place. Using
> >     >     >     your CLI *only* groups migrated for me, not users, because of the
> >     >     >     error:
> >     >     >
> >     >     >       tuser: attribute "mepManagedEntry" not allowed
> >     >     >
> >     >     >     I'd suggest the migration command-line at
> >     >     >     https://www.freeipa.org/page/Howto/Migration
> >     >     >
> >     >     >     rob
> >     >     >
> >     >     >     >
> >     >     >     > Thanks very much!
> >     >     >     >
> >     >     >     >
> >     >     >     > Tony
> >     >     >     >
> >     >     >     >
> >     >     >     > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <[email protected]> wrote:
> >     >     >     >
> >     >     >     >     Tony Super via FreeIPA-users wrote:
> >     >     >     >     > Hello,
> >     >     >     >     >
> >     >     >     >     > I am trying to migrate from an IPA server that has FIPS
> >     >     >     >     > disabled to an IPA server that has FIPS enabled. Both the old and
> >     >     >     >     > the new IPA will have DNS, CA, and etc.
> >     >     >     >     >
> >     >     >     >     > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> >     >     >     >     > --user-container=cn=users,cn=accounts
> >     >     >     >     > --group-container=cn=groups,cn=accounts
> >     >     >     >     > --group-objectclass=posixgroup
> >     >     >     >     > --user-ignore-objectclass=mepOriginEntry --with-compat
> >     >     >     >     > ldap://oldipa.server.com However, when I
> >     >     >     >     > login to a client machine connected to the new IPA server, my file
> >     >     >     >     > ownership becomes htony : nobody.
> >     >     >     >     >
> >     >     >     >     > What steps have I missed within the migration process?
> >     >     >     >     >
> >     >     >     >     > I've tried exporting cn=groups tree from the old IPA server into a
> >     >     >     >     > LDIF and imported to the new IPA server, but it did not solve the
> >     >     >     >     > problem.
> >     >     >     >
> >     >     >     >     Did your user-private groups migrate? Is there an htony group? What is
> >     >     >     >     the group value in getent passwd htony?
> >     >     >     >
> >     >     >     >     > For everything else, DNS, sudoers, automount, and etc, can I
> >     >     >     >     > simply export from the old server and import into the new server?
> >     >     >     >
> >     >     >     >     Probably. It's possible you might have to massage some of the entries
> >     >     >     >     but I don't know of anything specific.
> >     >     >     >
> >     >     >     >     > I also have 100+ client machines, is there an easy way where I can
> >     >     >     >     > unjoin the machines from old-ipa-server and then join to the
> >     >     >     >     > new-ipa-server? (My infrastructure is Ansible-enabled)
> >     >     >     >     Take a look at the ansible-freeipa project (and not
> >     >     >     >     freeipa-ansible).
> >     >     >     >
> >     >     >     >     rob
> >     >     >     >
> >     >     >     >
> >     >     >
> >     >
> >
>
>
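The symptom discussed throughout this thread (`id` cannot resolve a GID, files on the NFS home showing `htony : nobody`) is exactly the case where a user's primary gidNumber on the new server has no matching group entry. The script below is an added example, not something from the thread or from FreeIPA itself: it takes `getent passwd` and `getent group` output from a client enrolled against the new server and lists every user whose primary GID no group resolves to, so the gap left by a migrate-ds run can be measured before anyone starts deleting and re-creating accounts. `find_orphan_gids` is a hypothetical helper name, and the passwd/group lines embedded below are constructed sample data standing in for a real server so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): report users whose primary GID does not
# resolve to any group after an IPA-to-IPA migration. Input is the text of
# "getent passwd" and "getent group"; the samples below are constructed.

# Constructed sample of "getent passwd" on a client of the new server.
# htony and alice still carry their old UPG gidNumbers; bob's primary
# group is the shared "users" group.
SAMPLE_PASSWD='htony:*:6314001:6314001:Tony:/home/htony:/bin/bash
alice:*:6314002:6314002:Alice:/home/alice:/bin/bash
bob:*:6314003:100:Bob:/home/bob:/bin/bash'

# Constructed sample of "getent group" on the same client: the user
# private groups for htony and alice are missing, as in the thread.
SAMPLE_GROUP='users:*:100:
ipausers:*:6314000:'

# find_orphan_gids PASSWD_TEXT GROUP_TEXT
# Prints "user gid" for each passwd entry whose gid field (4th) is not the
# gid field (3rd) of any group entry. Prints nothing when every GID resolves.
find_orphan_gids() {
    grp=$(mktemp) || return 1
    printf '%s\n' "$2" > "$grp"
    # First pass (NR==FNR) reads the group file and records known GIDs;
    # second pass reads passwd text from stdin and flags unknown primary GIDs.
    printf '%s\n' "$1" | awk -F: '
        NR == FNR { if ($3 != "") known[$3] = 1; next }
        NF >= 4 && !($4 in known) { print $1, $4 }
    ' "$grp" -
    status=$?
    rm -f "$grp"
    return $status
}

# Live use on an enrolled client (uncomment): run it against the old and the
# new server's clients and compare to see which UPGs the migration dropped.
# find_orphan_gids "$(getent passwd)" "$(getent group)"

# With the constructed samples this prints:
#   htony 6314001
#   alice 6314002
find_orphan_gids "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

An empty result from the live run means every account's primary group exists and the `nobody` ownership seen on the NFS share has another cause (for example a client still resolving through the old server); a non-empty result is the list of users whose groups were not migrated as regular POSIX groups, which is the set to reconcile before touching file ownership.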
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
