> The first time your migrated production users authenticate with their
> password their Kerberos credentials will be generated.
Is there a way to avoid this?
I had to do that for importing shadow files originally in DR. now, i'm going
from freeipa to freeipa. if i export kerberos attributes will that avoid users
having to regenerate the kerberos credentials?
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Saturday, January 18, 2014 1:36 AM
To: Martin Kosek; Les Stott; firstname.lastname@example.org
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another
Martin Kosek wrote:
> On 01/17/2014 07:24 AM, Les Stott wrote:
>> Hi All,
>> Looking for the quickest and easiest way to export users from one freeipa
>> server and install on another.
>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
>> I am setting up an identical freeipa server in a Production Environment.
>> The two environments will not be configured to talk to each other. They will
>> both have there own replicas.
>> I simply want to export the users and groups I created in freeipa in DR, and
>> import them (preserving details and passwords) into the freeipa server in
>> What is the recommendation? Is there an ipa tool? Or will ldif exports
>> Thanks in advance,
> I think the best way would be to use the "ipa migrate-ds" command. It should
> work both with stand alone Directory Servers and IPA too. You may just need to
> play with --userignoreobjectclass amd userignoreattribute to not migrate
> Kerberos related attributes and objectclasses if for example your other DS has
> a different realm.
Kerberos attributes are already excluded by default.
You'll need to enable password migration mode on the production IPA
server, ipa config-mod --enable-migration=true
The first time your migrated production users authenticate with their
password their Kerberos credentials will be generated.
Freeipa-users mailing list