Hi Rob,

Just curious, does your old-ipa-server have User Private Group disabled or enabled? Same question goes for your newly migrated IPA server.

I may end up disabling the use of User Private Group on the new server and default everyone to the "ipausers" group.

I'll see what I can do about getting the logs out.

Thanks very much Rob!

Tony

On Wed, Apr 12, 2023, 10:11 AM Rob Crittenden <[email protected]> wrote:
> HUANG, TONY wrote:
> > Hi Rob,
> >
> > I have been starting from scratch. I will check my logs again. My
> > environment is disconnected from the Internet and I can't easily copy
> > and paste to the thread. My IPA version is the same going from the old
> > to the new (4.8 I believe). The reason I had to do IPA to IPA migration
> > is because my old one is not FIPS enabled whereas my new one is FIPS
> > enabled, therefore I can't just replicate it by promoting it.
> >
> > When your "ipa migrate-ds" worked for you, did you also get nobody as
> > your group ownership to the files in your home directory? Similar to
> > when I login to the client machine connected to the newly migrated IPA
> > server, I get /usr/bin/id Cannot find name with GID 6314001, and ls -l
> > /home/htony shows htony : nobody on all of my files and directories.
>
> No, everything is looking fine. The nss commands like getent and id all
> show the properly resolved group names.
>
> > Red Hat support is telling me to delete the users and re-create them ...
> > which defeats the purpose of running ipa migrate-ds ... and I have many
> > users and home directories on an NFS share.
>
> They may be confused by UPG. There is currently no way to add a UPG to an
> existing user, so re-creating the user is the only way.
>
> > I am fine if there is no way to do this migration easily, but before
> > coming to that conclusion I am trying to find a way forward.
>
> It's hard to help without seeing what is going on beyond the symptom.
> Like I said, the migration cli I provided works for me.
>
> rob
>
> > Thanks again!
> >
> > --Tony
> >
> > On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <[email protected]> wrote:
> > > HUANG, TONY wrote:
> > > > Hi Rob,
> > > >
> > > > I've asked Red Hat support, and the support engineer is telling me that
> > > > it doesn't support migrating User Private Groups and has pointed me
> > > > over to https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The support
> > > > engineer is also asking me to create new UPG.
> > >
> > > It's true that migrating UPG is not possible. The group is converted
> > > into a standard group. You can't create UPG manually by default. I was
> > > curious one day and worked out a way to re-attach a group, but that's a
> > > different problem.
> > >
> > > I don't think you've ever said which version of IPA you are migrating
> > > from/to. Versions sometimes can make a big difference.
> > >
> > > You also aren't saying what you are doing in between attempts. Are you
> > > fully starting over in between executions or re-running migrate-ds? It
> > > would be truly helpful to see the output of the command when groups fail
> > > to migrate. If it fails it will say so. If it doesn't include the groups
> > > at all then it isn't finding them.
> > >
> > > migrate-ds doesn't do anything particularly complicated. It does LDAP
> > > searches for the various objects. For group since you specified
> > > --group-objectclass=posixaccount it's going to search for all of those.
> > > This should be visible in your access log.
> > >
> > > This works for me:
> > >
> > > ipa migrate-ds --bind-dn="cn=Directory Manager" \
> > >   --user-container=cn=users,cn=accounts \
> > >   --group-container=cn=groups,cn=accounts \
> > >   --group-objectclass=posixgroup \
> > >   --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
> > >   --user-ignore-objectclass mepOriginEntry \
> > >   --group-ignore-attribute=mepmanagedby \
> > >   --group-ignore-objectclass=mepmanagedEntry --with-compat \
> > >   ldap://ipa.example.test
> > >
> > > > Now my question is if ipa migrate-ds doesn't support migration of UPG,
> > > > then how do I move forward after running ipa migrate-ds? I currently
> > > > have GIDs that don't associate to usernames and group file ownership is
> > > > nobody.
> > >
> > > Like I said, it doesn't migrate UPG and continue to be UPG, but it will
> > > migrate the groups.
> > >
> > > > Looking to see if anyone in the community has done an IPA to IPA
> > > > migration ...
> > >
> > > Have you searched the list archives?
> > >
> > > rob
> > >
> > > > Thanks!
> > > >
> > > > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <[email protected]> wrote:
> > > > > HUANG, TONY wrote:
> > > > > > I didn't get any errors regarding user private groups at all, and the
> > > > > > UPGs didn't even get migrated to become regular POSIX UNIX groups
> > > > > > either. They are just not there, so when I login I see a message
> > > > > > complaining that /usr/bin/id cannot find my group name.
> > > > >
> > > > > They may not be reported as errors, just part of the output.
> > > > >
> > > > > You might also want to look at your private groups in the original IPA
> > > > > to ensure they have the posixgroup objectclass. That is the search
> > > > > filter being used.
> > > > >
> > > > > rob
> > > > >
> > > > > > I've tried importing the entire cn=groups, but it didn't solve the
> > > > > > missing UPG problem at all.
> > > > > >
> > > > > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <[email protected]> wrote:
> > > > > > > HUANG, TONY wrote:
> > > > > > > > Rob,
> > > > > > > >
> > > > > > > > I've tried the command from the website below with the same result.
> > > > > > > > Furthermore, at the FreeIPA to FreeIPA section it states "The command
> > > > > > > > doesn't migrate user private groups.", which is very strange,
> > > > > > > > because my migration becomes more complicated when I have to
> > > > > > > > change group ownership and potentially user files.
> > > > > > >
> > > > > > > What that means is that after migration the groups are no longer
> > > > > > > private. They are regular groups.
> > > > > > >
> > > > > > > > Am I doing something wrong here?
> > > > > > >
> > > > > > > What does the output of migrate-ds say about the missing groups?
> > > > > > >
> > > > > > > rob
> > > > > > >
> > > > > > > > Thanks again for your help!
> > > > > > > >
> > > > > > > > Tony
> > > > > > > >
> > > > > > > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <[email protected]> wrote:
> > > > > > > > > HUANG, TONY wrote:
> > > > > > > > > > Hi Rob,
> > > > > > > > > >
> > > > > > > > > > Thanks for the reply.
> > > > > > > > > >
> > > > > > > > > > User Private Group didn't get migrated. When I login I see Group
> > > > > > > > > > number being a number.
> > > > > > > > > >
> > > > > > > > > > How do I migrate UPG over?
> > > > > > > > >
> > > > > > > > > I don't see why they didn't migrate in the first place. Using
> > > > > > > > > your CLI *only* groups migrated for me, not users, because of the
> > > > > > > > > error:
> > > > > > > > >
> > > > > > > > > tuser: attribute "mepManagedEntry" not allowed
> > > > > > > > >
> > > > > > > > > I'd suggest the migration command-line at
> > > > > > > > > https://www.freeipa.org/page/Howto/Migration
> > > > > > > > >
> > > > > > > > > rob
> > > > > > > > >
> > > > > > > > > > Thanks very much!
> > > > > > > > > >
> > > > > > > > > > Tony
> > > > > > > > > >
> > > > > > > > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <[email protected]> wrote:
> > > > > > > > > > > Tony Super via FreeIPA-users wrote:
> > > > > > > > > > > > Hello,
> > > > > > > > > > > >
> > > > > > > > > > > > I am trying to migrate from an IPA server that has FIPS
> > > > > > > > > > > > disabled to an IPA server that has FIPS enabled. Both the old and
> > > > > > > > > > > > the new IPA will have DNS, CA, and etc.
> > > > > > > > > > > >
> > > > > > > > > > > > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
> > > > > > > > > > > > --user-container=cn=users,cn=accounts
> > > > > > > > > > > > --group-container=cn=groups,cn=accounts
> > > > > > > > > > > > --group-objectclass=posixgroup
> > > > > > > > > > > > --user-ignore-objectclass=mepOriginEntry --with-compat
> > > > > > > > > > > > ldap://oldipa.server.com
> > > > > > > > > > > >
> > > > > > > > > > > > However, when I login to a client machine connected to the new IPA
> > > > > > > > > > > > server, my file ownership becomes htony : nobody.
> > > > > > > > > > > >
> > > > > > > > > > > > What steps have I missed within the migration process?
> > > > > > > > > > > >
> > > > > > > > > > > > I've tried exporting the cn=groups tree from the old IPA server into
> > > > > > > > > > > > an LDIF and imported it to the new IPA server, but it did not solve
> > > > > > > > > > > > the problem.
> > > > > > > > > > >
> > > > > > > > > > > Did your user-private groups migrate? Is there an htony group? What is
> > > > > > > > > > > the group value in getent passwd htony?
> > > > > > > > > > >
> > > > > > > > > > > > For everything else, DNS, sudoers, automount, and etc, can I
> > > > > > > > > > > > simply export from the old server and import into the new server?
> > > > > > > > > > >
> > > > > > > > > > > Probably. It's possible you might have to massage some of the entries
> > > > > > > > > > > but I don't know of anything specific.
> > > > > > > > > > >
> > > > > > > > > > > > I also have 100+ client machines, is there an easy way where I can
> > > > > > > > > > > > unjoin the machines from old-ipa-server and then join to the
> > > > > > > > > > > > new-ipa-server? (My infrastructure is Ansible-enabled)
> > > > > > > > > > >
> > > > > > > > > > > Take a look at the ansible-freeipa project (and not freeipa-ansible).
> > > > > > > > > > >
> > > > > > > > > > > rob
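The pre-flight check Rob describes in the thread (confirm that the private groups on the source server carry the posixgroup objectClass, because that objectClass is the filter `ipa migrate-ds --group-objectclass=posixgroup` searches for, and a user whose gidNumber points at anything else ends up as "Cannot find name for group ID" / files owned by nobody on the clients), as an added example that is not part of the thread and not FreeIPA's own tooling. It runs offline against a constructed LDIF sample embedded below; the base DN, container DNs, user names and GIDs are assumptions for illustration, and a real run would feed it the output of an `ldapsearch -LLL` of the old server's cn=accounts subtree instead.

```python
"""Pre-flight check before `ipa migrate-ds`: which users' primary GIDs will
not resolve after migration. Added example, not FreeIPA project code."""
import base64
from collections import defaultdict

# Assumed directory layout (migrate-ds takes the containers relative to the
# base DN; here the full DNs are spelled out).
USER_CONTAINER = "cn=users,cn=accounts,dc=example,dc=test"
GROUP_CONTAINER = "cn=groups,cn=accounts,dc=example,dc=test"

# Constructed sample standing in for an LDIF dump of the old server.
# alice: healthy UPG. htony: the UPG entry exists but is not a posixgroup
# (constructed failure). bob: gidNumber with no group anywhere.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: alice
gidNumber: 6314000
mepManagedEntry: cn=alice,cn=groups,cn=accounts,dc=example,dc=test

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: mepManagedEntry
cn: alice
gidNumber: 6314000

dn: uid=htony,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: htony
gidNumber: 6314001
mepManagedEntry: cn=htony,cn=groups,cn=accounts,dc=example,dc=test

dn: cn=htony,cn=groups,cn=accounts,dc=example,dc=test
objectClass: mepManagedEntry
objectClass: ipaobject
cn: htony

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: bob
gidNumber: 6314050

dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
cn: ipausers
gidNumber: 6314100
"""


def parse_ldif(text):
    """Minimal RFC 2849 reader: returns [(dn, {attr_lowercase: [values]})].
    Handles folded lines (leading space), '::' base64 values and comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries


def _under(dn, container):
    return dn.lower().endswith("," + container.lower())


def _classes(attrs):
    return {v.lower() for v in attrs.get("objectclass", [])}


def migratable_groups(entries, group_container, group_objectclass="posixgroup"):
    """Reproduce migrate-ds's group search: entries below the group container
    carrying the requested objectClass. Returns {gidNumber: dn}."""
    return {int(g): dn for dn, attrs in entries
            if _under(dn, group_container) and group_objectclass in _classes(attrs)
            for g in attrs.get("gidnumber", [])}


def unresolved_primary_gids(entries, user_container, group_container):
    """{uid: (gid, reason)} for posixaccount users whose gidNumber has no
    migratable group, so `id` on a client will fail to name the group."""
    groups = migratable_groups(entries, group_container)
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    problems = {}
    for dn, attrs in entries:
        if not (_under(dn, user_container) and "posixaccount" in _classes(attrs)):
            continue
        gid = int(attrs["gidnumber"][0])
        if gid in groups:
            continue
        upg = attrs.get("mepmanagedentry", [None])[0]
        if upg and upg.lower() in by_dn:
            reason = ("UPG %s lacks objectClass posixgroup" % upg
                      if "posixgroup" not in _classes(by_dn[upg.lower()])
                      else "UPG %s exists but carries a different gidNumber" % upg)
        elif upg:
            reason = "UPG %s does not exist on the source server" % upg
        else:
            reason = "no group under the container carries this gidNumber"
        problems[attrs.get("uid", ["?"])[0]] = (gid, reason)
    return problems


if __name__ == "__main__":
    for uid, (gid, why) in unresolved_primary_gids(
            parse_ldif(SAMPLE_LDIF), USER_CONTAINER, GROUP_CONTAINER).items():
        print("%s: gidNumber %d will not resolve after migration (%s)" % (uid, gid, why))
```

Groups that this reports as lacking posixgroup are exactly the ones migrate-ds silently leaves behind; fixing them on the source (or re-creating the affected users on the destination, as the thread notes is the only way to get a UPG back) has to happen before trusting group ownership on the NFS home directories.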
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
