> The first time your migrated production users authenticate with their > password their Kerberos credentials will be generated.
Is there a way to avoid this? I had to do that for importing shadow files originally in DR. now, i'm going from freeipa to freeipa. if i export kerberos attributes will that avoid users having to regenerate the kerberos credentials? Thanks, Les ________________________________________ From: Rob Crittenden [rcrit...@redhat.com] Sent: Saturday, January 18, 2014 1:36 AM To: Martin Kosek; Les Stott; freeipa-users@redhat.com Subject: Re: [Freeipa-users] export users/groups from one ipa server to another Martin Kosek wrote: > On 01/17/2014 07:24 AM, Les Stott wrote: >> Hi All, >> >> Looking for the quickest and easiest way to export users from one freeipa >> server and install on another. >> >> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. >> I am setting up an identical freeipa server in a Production Environment. >> >> The two environments will not be configured to talk to each other. They will >> both have there own replicas. >> >> I simply want to export the users and groups I created in freeipa in DR, and >> import them (preserving details and passwords) into the freeipa server in >> Production. >> >> What is the recommendation? Is there an ipa tool? Or will ldif exports >> suffice? >> >> Thanks in advance, >> >> Les > > I think the best way would be to use the "ipa migrate-ds" command. It should > work both with stand alone Directory Servers and IPA too. You may just need to > play with --userignoreobjectclass amd userignoreattribute to not migrate > Kerberos related attributes and objectclasses if for example your other DS has > a different realm. Kerberos attributes are already excluded by default. You'll need to enable password migration mode on the production IPA server, ipa config-mod --enable-migration=true The first time your migrated production users authenticate with their password their Kerberos credentials will be generated. rob _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
