Hi,

On Fri, Aug 16, 2024 at 2:38 PM Jan Wagner via FreeIPA-users <[email protected]> wrote:
> Thanks for the quick reply!
> I need to migrate an old IPA instance/domain (let's name it
> ipa_old.example.com) to a new IPA instance/domain (let's name it
> ipa_new.example.com).
>
> Let's assume that ipa_old.example.com has these ranges:
>
> > # ipa idrange-find
> > ----------------
> > 3 ranges matched
> > ----------------
> > Range name: DOMAIN_id_range
> > First Posix ID of the range: 576000000
> > Number of IDs in the range: 200000
> > First RID of the corresponding RID range: 1000
> > First RID of the secondary RID range: 100000000
> > Range type: local domain range
> >
> > Range name: DOMAIN_subid_range
> > First Posix ID of the range: 2147483648
> > Number of IDs in the range: 2147352576
> > First RID of the corresponding RID range: 2147283648
> > Domain SID of the trusted domain: S-1-5-21-738065-838566-3977953474
> > Range type: Active Directory domain range
>
> And that ipa_new.example.com has these ranges:
>
> > # ipa idrange-find
> > ----------------
> > 3 ranges matched
> > ----------------
> > Range name: DOMAIN_id_range
> > First Posix ID of the range: 768200000
> > Number of IDs in the range: 200000
> > First RID of the corresponding RID range: 1000
> > First RID of the secondary RID range: 100000000
> > Range type: local domain range
> >
> > Range name: DOMAIN_subid_range
> > First Posix ID of the range: 2147483648
> > Number of IDs in the range: 2147352576
> > First RID of the corresponding RID range: 2147283648
> > Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
> > Range type: Active Directory domain range
>
> I want to use ipa migrate-ds for the migration, however it will copy over
> ipaNtSecurityIdentifier entries with ipa_old.example.com's Domain SID.
> I should then add the range from ipa_old.example.com to
> ipa_new.example.com, however I would not be able to do it as is, because
> RIDs would conflict.
If you are using migrate-ds, you will have to remove the
ipantsecurityidentifier from the migrated entries because they contain a
domain SID from the old installation, and it will not be the same as the new
installation domain SID. You can read
https://lists.fedorahosted.org/archives/list/[email protected]/thread/4S4QQDC4FBVTA4GYWWVBPKGYN3MF4UJ6/#7SKWKKFFDMMFWOXPR53ZFGB634RKJHVU
for more explanations.

> Is it ok to set ranges as follows for ipa_new.example.com, if there are
> no users created yet (other than 'admin') in ipa_new.example.com and if I
> change ipaNtSecurityIdentifier and U/GID of admin to match the new range?
>
Note that if you are starting the new server installation from scratch you
can provide some arguments directly to ipa-server-install instead of
modifying the values later on:
ipa-server-install [...] --rid-base=RID_BASE --secondary-rid-base=SECONDARY_RID_BASE --idstart=IDSTART

> > # ipa idrange-find
> > ----------------
> > 3 ranges matched
> > ----------------
> > Range name: DOMAIN_id_range
> > First Posix ID of the range: 768200000
> > Number of IDs in the range: 200000
> > First RID of the corresponding RID range: 201000
> > First RID of the secondary RID range: 100001000
> > Range type: local domain range
>
This range will use
- POSIX ids [768'200'000;768'400'000[
- primary RIDs [201'000;401'000[
- secondary RIDs [100'001'000;100'201'000[

> > Range name: DOMAIN_id_range_legacy
> > First Posix ID of the range: 576000000
> > Number of IDs in the range: 200000
> > First RID of the corresponding RID range: 1000
> > First RID of the secondary RID range: 100000000
> > Range type: local domain range
>
This range will use
- POSIX ids [576'000'000;576'200'000[
- primary RIDs [1'000;201'000[
- secondary RIDs [100'000'000;100'200'000[

The secondary RIDs are overlapping. For DOMAIN_id_range you could use instead
100'200'000.
flo

> > Range name: DOMAIN_subid_range
> > First Posix ID of the range: 2147483648
> > Number of IDs in the range: 2147352576
> > First RID of the corresponding RID range: 2147283648
> > Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
> > Range type: Active Directory domain range
>
> If I did it this way instead:
>
> > # ipa idrange-find
> > ----------------
> > 3 ranges matched
> > ----------------
> > Range name: DOMAIN_id_range
> > First Posix ID of the range: 768200000
> > Number of IDs in the range: 200000
> > First RID of the corresponding RID range: 1000
> > First RID of the secondary RID range: 100000000
> > Range type: local domain range
> >
> > Range name: DOMAIN_id_range_legacy
> > First Posix ID of the range: 576000000
> > Number of IDs in the range: 200000
> > First RID of the corresponding RID range: 201000
> > First RID of the secondary RID range: 100001000
> > Range type: local domain range
> >
> > Range name: DOMAIN_subid_range
> > First Posix ID of the range: 2147483648
> > Number of IDs in the range: 2147352576
> > First RID of the corresponding RID range: 2147283648
> > Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
> > Range type: Active Directory domain range
>
> Then ipaNtSecurityIdentifiers would indeed be inconsistent. What would it
> cause? Would IPA generate already existing ipaNtSecurityIdentifiers for new
> users and cause conflicts?
>
> Would it be better if I used these ranges (the ones that were created on
> installation) instead:
>
> > # ipa idrange-find
> > ----------------
> > 3 ranges matched
> > ----------------
> > Range name: DOMAIN_id_range
> > First Posix ID of the range: 768200000
> > Number of IDs in the range: 200000
> > First RID of the corresponding RID range: 1000
> > First RID of the secondary RID range: 100000000
> > Range type: local domain range
> >
> > Range name: DOMAIN_subid_range
> > First Posix ID of the range: 2147483648
> > Number of IDs in the range: 2147352576
> > First RID of the corresponding RID range: 2147283648
> > Domain SID of the trusted domain: S-1-5-21-738065-838566-418768009
> > Range type: Active Directory domain range
>
> and programmatically created all the users from ipa_old.example.com in
> ipa_new.example.com with different IDs (IPA would allocate some from
> DOMAIN_id_range), and then used ID Views in ipa_new.example.com to map
> them to their posix user IDs from ipa_old.example.com (so file
> permissions on hosts previously enrolled in ipa_old.example.com would
> remain functional/semantically the same)?
>
> Thanks!
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
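As an added example (not from the thread and not FreeIPA's own code), the following script parses `ipa idrange-find` output in the format quoted above and reports overlapping POSIX ID, primary RID and secondary RID intervals between ranges. The constructed sample reproduces the two local ranges proposed in the thread and flags the secondary RID overlap that flo points out; the parser relies only on the field labels shown in the quoted output and compares intervals of the same kind, which is the case the thread discusses.

```python
import re
# Field labels printed by `ipa idrange-find`, mapped to short keys
FIELDS = {"Range name": "name", "First Posix ID of the range": "base_id",
          "Number of IDs in the range": "size",
          "First RID of the corresponding RID range": "base_rid",
          "First RID of the secondary RID range": "secondary_base_rid"}

def parse_idrange_find(text):
    """Parse `ipa idrange-find` output into dicts; AD ranges carry no secondary RID base."""
    ranges = []
    for m in (re.match(r"\s*([^:]+):\s*(.+?)\s*$", l) for l in text.splitlines()):
        if not m or m.group(1).strip() not in FIELDS:
            continue
        key, val = FIELDS[m.group(1).strip()], m.group(2)
        if key == "name":  # every "Range name:" line opens a new record
            ranges.append({})
        ranges[-1][key] = val if key == "name" else int(val)
    return ranges

def intervals(r):
    """Half-open [start, end) intervals the range occupies, keyed by kind."""
    out = {"posix": (r["base_id"], r["base_id"] + r["size"])}
    for kind, field in (("primary_rid", "base_rid"), ("secondary_rid", "secondary_base_rid")):
        if field in r:
            out[kind] = (r[field], r[field] + r["size"])
    return out

def find_overlaps(ranges):
    """Return (kind, name_a, name_b) for every pair whose same-kind intervals intersect."""
    hits = []
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            ia, ib = intervals(a), intervals(b)
            for kind in sorted(ia.keys() & ib.keys()):
                (s1, e1), (s2, e2) = ia[kind], ib[kind]
                if s1 < e2 and s2 < e1:  # half-open intervals intersect
                    hits.append((kind, a["name"], b["name"]))
    return hits

# Constructed sample: the two local ranges proposed in the thread, in idrange-find format
PROPOSED = """Range name: DOMAIN_id_range
First Posix ID of the range: 768200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 201000
First RID of the secondary RID range: 100001000
Range name: DOMAIN_id_range_legacy
First Posix ID of the range: 576000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000"""
```

Running `find_overlaps(parse_idrange_find(PROPOSED))` reports the secondary RID clash between DOMAIN_id_range and DOMAIN_id_range_legacy, and re-running with the secondary base moved to 100200000 reports nothing.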
