On 01/17/2014 11:06 PM, Dmitri Pal wrote: > On 01/17/2014 03:59 PM, Rob Crittenden wrote: >> Les Stott wrote: >>>> The first time your migrated production users authenticate with their >>>> password their Kerberos credentials will be generated. >>> >>> Is there a way to avoid this? >>> >>> I had to do that for importing shadow files originally in DR. now, >>> i'm going from freeipa to freeipa. if i export kerberos attributes >>> will that avoid users having to regenerate the kerberos credentials? >> >> No. The kerberos master keys are different. > > Unless you want to copy master keys over. > This is a complex manual procedure. You can probably find it in the > archives as we helped people with it couple times but it is not recommended. > > May be we should open an RFE to develop a tool that would do > ipa-migrate-ipa and can be used to move data from POC to production.
We have a RFE open for that feature already: https://fedorahosted.org/freeipa/ticket/3656 I added a reference to this discussion on the list. Contributions or other ideas are very welcome! Martin _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users