Lucas Yamanishi wrote:
On 08/20/2012 12:09 PM, Lucas Yamanishi wrote:
On 08/20/2012 08:44 AM, Rob Crittenden wrote:
Lucas Yamanishi wrote:

On 08/17/2012 08:38 AM, Rob Crittenden wrote:
Lucas Yamanishi wrote:

On 08/16/2012 05:39 PM, Rob Crittenden wrote:
Lucas Yamanishi wrote:

On 08/16/2012 05:32 PM, Rob Crittenden wrote:
Lucas Yamanishi wrote:
I just migrated my IPA instance from one to another a couple days ago to recover after a lost CA and failed yum upgrade.  The "ipa migrate-ds" tool works very well, though I am having a few very minor issues.  On the upside, as far as I can tell, you can skip the steps about Kerberos key generation as outlined in the documentation.  I've been able to kinit just fine with my migrated users.


Below are the few errors I've noticed.

* When I ssh into an enrolled host using a migrated user's credentials I get this error:

       id: cannot find name for group ID 104600003\

Does a group exist with that GID? You can try something like:

$ ipa group-find --gid=104600003


The group doesn't exist.  The GID is the counterpart to my UID.

Try adding --private.

rob


Nope. It doesn't exist.

Other groups migrated.  Why would the private groups fail?

I don't know, what have you done to date, including versions?

rob
I've been following the stable Scientific Linux releases since 6.1.
Based on repo archives, I guess that would be 2.0.0-23.el6.x86_64.  The
version was at 2.2.0-16.el6.x86_64 when I migrated, which I had just
upgraded from 2.1.3-9.el6.x86_64.  I migrated to and use now
2.2.0-16.el6.x86_64.

So...
2.0.0-23.el6.x86_64 -> 2.1.3-9.el6.x86_64 -> 2.2.0-16.el6.x86_64 ----> 2.2.0-16.el6.x86_64



Can you verify that managed entries are configured:

# ipa-managed-entries -l

It should return:

UPG Definition
NGP Definition

This enables user-private groups and netgroup-private groups.

rob
Yes.  That returned as expected.


The why and how of this aside, is there any easy way to repopulate all
my private groups?


You'll need to use ldapmodify to achieve this, and add the missing values to each user and group separately. This should be relatively easily scriptable.

Here is what it looks like to convert a single user/group. I created it by adding the user with --gid=### and --noprivate, then creating a group of the same name and with the gid of the user.

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
replace: objectclass
objectclass: top
objectclass: posixgroup
objectclass: ipaobject
objectclass: mepManagedEntry
-
add: mepmanagedby
mepmanagedby: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com

modifying entry "cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com"

$ ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL SSF: 56
SASL data security layer installed.
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: mepOriginEntry
-
add: mepmanagedentry
mepmanagedentry: cn=tuser1,cn=groups,cn=accounts,dc=example,dc=com

modifying entry "uid=tuser1,cn=users,cn=accounts,dc=example,dc=com"
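
The reply above calls the per-user fix "relatively easily scriptable". The following is an added example, not part of the thread and not FreeIPA project code, that generates the same two LDIF records for a list of logins. It assumes each user already has a same-named posix group with the user's GID; the function names and sample logins are made up for illustration.

```shell
#!/bin/sh
# Added example; assumes every user already has a same-named posix group with their GID.
LC_ALL=C; export LC_ALL
BASE_DN="dc=example,dc=com"   # suffix from the thread; replace with your own

# Accept only plain login names so nothing that needs DN or LDIF escaping
# (comma, '=', '+', leading '-', newline) can end up in the generated records.
valid_uid() {
    case "$1" in ''|-*|*[!a-z0-9._-]*) return 1 ;; esac
}

# Print the group record, then the user record ("replace: objectclass" overwrites the group's classes).
upg_ldif() {
    uid=$1
    valid_uid "$uid" || { echo "skipping invalid uid: $uid" >&2; return 1; }
    user_dn="uid=$uid,cn=users,cn=accounts,$BASE_DN"
    group_dn="cn=$uid,cn=groups,cn=accounts,$BASE_DN"
    cat <<EOF
dn: $group_dn
changetype: modify
replace: objectclass
objectclass: top
objectclass: posixgroup
objectclass: ipaobject
objectclass: mepManagedEntry
-
add: mepmanagedby
mepmanagedby: $user_dn

dn: $user_dn
changetype: modify
add: objectclass
objectclass: mepOriginEntry
-
add: mepmanagedentry
mepmanagedentry: $group_dn

EOF
}

# Read one login per line; emit LDIF for each valid one and report the rest on stderr.
upg_ldif_all() {
    rc=0
    while IFS= read -r name; do upg_ldif "$name" || rc=1; done
    return "$rc"
}

# Constructed sample input; review the output before piping it to "ldapmodify -Y GSSAPI".
printf '%s\n' tuser1 tuser2 'bad,cn=admins' | upg_ldif_all || true
```

The generated records go to standard output, so they can be inspected or saved to a file before anything is sent to the directory.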

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
