Lucas Yamanishi wrote:
I just migrated my IPA instance from one to another a couple days ago to
recover after a lost CA and failed yum upgrade.  The "ipa migrate-ds"
tool works very well, though I am having a few very minor issues.  On
the upside, as far as I can tell, you can skip the steps about Kerberos
key generation as outlined in the documentation.  I've been able to
kinit just fine with my migrated users.

Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's credentials I
get this error:

   id: cannot find name for group ID 104600003\

Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=104600003

* I see this error in my dirsrv-EXAMPLE/errors log after changing a

   [15/Aug/2012:12:38:24 -0400] ipapwd_setPasswordHistory - [file
ipapwd_common.c, line 926]: failed to generate new password history!

It is a red herring. The default is to have no password history, so we don't generate any, then we complain that none was made! I actually have a fix in my tree I plan to propose soon.


*question everything*learn something*answer nothing*
Lucas Yamanishi
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

On 08/16/2012 05:00 PM, Steven Jones wrote:

What is the default length of time the sssd daemon on a client caches for once 
IPA is off line pls?

Is there any practical way to take the user info from one ipa instance/domain 
and import it into another?  I know the client machines will have to have ipa 
un-installed and resetting users passwords are not biggees I'd just not rather 
have to input all the groups and hbac rules by hand.


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

Freeipa-users mailing list

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to