On 01/17/2014 11:06 PM, Dmitri Pal wrote:
> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>> Les Stott wrote:
>>>> The first time your migrated production users authenticate with their
>>>> password their Kerberos credentials will be generated.
>>> Is there a way to avoid this?
>>> I had to do that for importing shadow files originally in DR. now,
>>> i'm going from freeipa to freeipa. if i export kerberos attributes
>>> will that avoid users having to regenerate the kerberos credentials?
>> No. The kerberos master keys are different.
> Unless you want to copy master keys over.
> This is a complex manual procedure. You can probably find it in the
> archives as we helped people with it couple times but it is not recommended.
> May be we should open an RFE to develop a tool that would do
> ipa-migrate-ipa and can be used to move data from POC to production.
We have a RFE open for that feature already:
I added a reference to this discussion on the list. Contributions or other
ideas are very welcome!
Freeipa-users mailing list