Thanks for the quick reply! I need to migrate an old IPA instance/domain (let's name it ipa_old.example.com) to a new IPA instance/domain (let's name it ipa_new.example.com).
Let's assume that ipa_old.example.com has these ranges:

> # ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: DOMAIN_id_range
>   First Posix ID of the range: 576000000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: DOMAIN_subid_range
>   First Posix ID of the range: 2147483648
>   Number of IDs in the range: 2147352576
>   First RID of the corresponding RID range: 2147283648
>   Domain SID of the trusted domain: S-1-5-21-738065-838566-3977953474
>   Range type: Active Directory domain range

and that ipa_new.example.com has these ranges:

> # ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: DOMAIN_id_range
>   First Posix ID of the range: 768200000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: DOMAIN_subid_range
>   First Posix ID of the range: 2147483648
>   Number of IDs in the range: 2147352576
>   First RID of the corresponding RID range: 2147283648
>   Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
>   Range type: Active Directory domain range

I want to use ipa migrate-ds for the migration; however, it will copy over ipaNtSecurityIdentifier entries with ipa_old.example.com's Domain SID. I should then add the range from ipa_old.example.com to ipa_new.example.com; however, I would not be able to do it as is, because the RIDs would conflict. Is it OK to set the ranges as follows for ipa_new.example.com, if no users (other than 'admin') have been created yet in ipa_new.example.com and if I change the ipaNtSecurityIdentifier and UID/GID of admin to match the new range?
> # ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: DOMAIN_id_range
>   First Posix ID of the range: 768200000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 201000
>   First RID of the secondary RID range: 100001000
>   Range type: local domain range
>
>   Range name: DOMAIN_id_range_legacy
>   First Posix ID of the range: 576000000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: DOMAIN_subid_range
>   First Posix ID of the range: 2147483648
>   Number of IDs in the range: 2147352576
>   First RID of the corresponding RID range: 2147283648
>   Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
>   Range type: Active Directory domain range

If I did it this way instead:

> # ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: DOMAIN_id_range
>   First Posix ID of the range: 768200000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: DOMAIN_id_range_legacy
>   First Posix ID of the range: 576000000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 201000
>   First RID of the secondary RID range: 100001000
>   Range type: local domain range
>
>   Range name: DOMAIN_subid_range
>   First Posix ID of the range: 2147483648
>   Number of IDs in the range: 2147352576
>   First RID of the corresponding RID range: 2147283648
>   Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
>   Range type: Active Directory domain range

then the ipaNtSecurityIdentifiers would indeed be inconsistent. What would that cause? Would IPA generate already-existing ipaNtSecurityIdentifiers for new users and cause conflicts?
Would it be better if I used these ranges (the ones that were created on installation) instead:

> # ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: DOMAIN_id_range
>   First Posix ID of the range: 768200000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: DOMAIN_subid_range
>   First Posix ID of the range: 2147483648
>   Number of IDs in the range: 2147352576
>   First RID of the corresponding RID range: 2147283648
>   Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
>   Range type: Active Directory domain range

and programmatically created all the users from ipa_old.example.com in ipa_new.example.com with different IDs (IPA would allocate some from DOMAIN_id_range), and then used ID Views in ipa_new.example.com to map them to their POSIX user IDs from ipa_old.example.com (so file permissions on hosts previously enrolled in ipa_old.example.com would remain functional/semantically the same)?

Thanks!

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
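The question above turns on whether the POSIX ID blocks and the primary and secondary RID blocks of two local ranges overlap, which is exactly what `ipa idrange-add` refuses. The following POSIX sh script is an added example, not code from the original post or from the FreeIPA project: it runs a pre-flight overlap check over a proposed set of local ranges (one range per line: name, base ID, size, RID base, secondary RID base) and builds the matching `ipa idrange-add` command line without executing it. The `PROPOSED` set is the poster's first proposal; the `ADJUSTED` set, with the secondary RID base moved to 100200000, is a constructed illustration and an assumption of this example, not advice from the thread. The script assumes every interval is half-open, `[base, base + size)`, and that the range size applies to the RID blocks as well as to the POSIX block.

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeIPA: a pre-flight
# check for a proposed set of local ID ranges before running "ipa idrange-add".
# It flags overlapping POSIX ID intervals and overlapping RID intervals
# (primary and secondary RIDs share one RID space).
# Assumption: each interval is half-open, [base, base + size).

# overlaps START1 SIZE1 START2 SIZE2: true (exit 0) when the intervals intersect.
overlaps() {
    [ "$1" -lt $(($3 + $4)) ] && [ "$3" -lt $(($1 + $2)) ]
}

# same_space KIND1 KIND2: posix IDs only clash with posix IDs; "rid" and
# "srid" (secondary RID) intervals clash with each other.
same_space() {
    if [ "$1" = posix ] || [ "$2" = posix ]; then
        [ "$1" = "$2" ]
    else
        true
    fi
}

# find_conflicts RANGES: RANGES holds one range per line as
# "name base_id range_size rid_base secondary_rid_base". Prints one line per
# conflicting pair of intervals; prints nothing when the set is consistent.
find_conflicts() {
    intervals=$(printf '%s\n' "$1" | while read -r name base size rid srid; do
        [ -n "$name" ] || continue
        printf '%s posix %s %s\n' "$name" "$base" "$size"
        printf '%s rid %s %s\n'   "$name" "$rid"  "$size"
        printf '%s srid %s %s\n'  "$name" "$srid" "$size"
    done)
    printf '%s\n' "$intervals" | while read -r n1 k1 s1 z1; do
        printf '%s\n' "$intervals" | while read -r n2 k2 s2 z2; do
            # Visit each unordered pair once: different ranges in name order,
            # or the primary vs. secondary RID interval of the same range.
            if expr "$n1" \< "$n2" >/dev/null; then :
            elif [ "$n1" = "$n2" ] && [ "$k1" = rid ] && [ "$k2" = srid ]; then :
            else continue; fi
            same_space "$k1" "$k2" || continue
            if overlaps "$s1" "$z1" "$s2" "$z2"; then
                printf '%s %s [%s,%s) overlaps %s %s [%s,%s)\n' \
                    "$n1" "$k1" "$s1" $((s1 + z1)) "$n2" "$k2" "$s2" $((s2 + z2))
            fi
        done
    done
}

# check_ranges RANGES: exit 0 when consistent, 1 (plus the conflict list) otherwise.
check_ranges() {
    out=$(find_conflicts "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# idrange_add_cmd NAME BASE SIZE RID SRID: the ipa idrange-add invocation for
# one local range. The command is only built here, never executed.
idrange_add_cmd() {
    printf 'ipa idrange-add %s --base-id=%s --range-size=%s --rid-base=%s --secondary-rid-base=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Constructed input: the first proposal from the post (the old server's range
# kept as a "legacy" range next to the new server's range with shifted RID bases).
PROPOSED='DOMAIN_id_range 768200000 200000 201000 100001000
DOMAIN_id_range_legacy 576000000 200000 1000 100000000'

# Constructed alternative (an assumption of this example, not a recommendation
# from the thread): the secondary RID base is moved past the legacy secondary block.
ADJUSTED='DOMAIN_id_range 768200000 200000 201000 100200000
DOMAIN_id_range_legacy 576000000 200000 1000 100000000'

if check_ranges "$PROPOSED"; then echo "PROPOSED: consistent"; else echo "PROPOSED: rejected"; fi
if check_ranges "$ADJUSTED"; then echo "ADJUSTED: consistent"; else echo "ADJUSTED: rejected"; fi
idrange_add_cmd DOMAIN_id_range_legacy 576000000 200000 1000 100000000
```

Run against `PROPOSED`, the check reports that the secondary RID block of DOMAIN_id_range, [100001000,100201000), overlaps the legacy secondary block [100000000,100200000), while the primary RID blocks [1000,201000) and [201000,401000) only touch and do not overlap. Feed the same five fields to `idrange_add_cmd` for each range you intend to create, and only run the printed command once `check_ranges` returns 0.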
