So given that my RHEL6 machine started on an older FreeIPA 3.0, used a
self-signed cert, and has gone through all kinds of hell, and I'm having
an impossible time setting up new master(s), I've decided to start over.

I installed the EPEL7 FreeIPA 4.1.3 RPMs, in the hopes that being on the
latest would give me the best chance at migrating.

I did the following:

--- 8< ---
ipa-server-install
ipa config-mod --enable-migration=true   # allow migrate-ds to run
ipa-compat-manage disable                # compat tree off while migrating
service ipa restart # ipa-compat-manage wants a restart
ipa migrate-ds \
    --bind-dn=uid=admin,cn=users,cn=accounts,dc=XXX,dc=XXX \
    --user-container=cn=users,cn=accounts \
    --group-container=cn=groups,cn=accounts \
    --group-overwrite-gid \
    ldap://XXX:389
ipa-compat-manage enable
ipa config-mod --enable-migration=false  # turn migration mode back off
service ipa restart
--- 8< ---

It all seems to have (kinda) worked: I can log in to the UI as admin and
see all of my users and groups.  There are a couple of snags.

1. When the migration completed, it said:

> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.

If I try to actually do this as a regular user, the web UI just says:

> The password or username you entered is incorrect. Please try again
> (make sure your caps lock is off).
> If the problem persists, contact your administrator.

I'm not sure where to look in the logs to figure out what's going on,
but nothing in the Kerberos logs jumps out at me.  The dirsrv log has these:

> [16/Mar/2015:14:43:21 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=XXX,dc=XXX--no CoS Templates found, which should
> be added before the CoS Definition.
> [16/Mar/2015:14:43:21 -0400] - Skipping CoS Definition cn=Password
> Policy,cn=accounts,dc=XXX,dc=XXX--no CoS Templates found, which should
> be added before the CoS Definition.

...which seems fishy.

2. If I manually reset my user's password in the UI and then try to log
in as that user, it does work, but I'd like to avoid having to
hand-reset every single user's account for obvious reasons.  When I *do*
log in as my reset user, I always get this on the shell:

> id: cannot find name for group ID 18600003

That gid is the `ipausers` GID from the old server.  It appears that
modern FreeIPA doesn't assign a GID to `ipausers` which is fine, but I
can't figure out how to *remove* the old GID from existing users and
have everything be correct.  I've tried adding a group and forcing its
GID to match the missing GID and deleting it again, but now it just
seems to have cached it... when I do an `id` on my user, it still shows
my user's GID as being 18600003(temp) even though the "temp" group has
been removed.

Any ideas how to do this migration properly?

Thanks,
Ben

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
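The orphaned-GID problem from snag 2, as an added example that is not part of the original post or of FreeIPA's own tooling: a small POSIX shell/awk script that, given LDIF dumps of the users and groups containers, lists every user whose primary gidNumber matches no group's gidNumber and prints the `ipa user-mod` command that repoints each one at the user's private group. It assumes user private groups are enabled (so the private group's GID equals the user's uidNumber), and the LDIF below is constructed sample data with made-up names and numbers standing in for real `ldapsearch` output.

```shell
#!/bin/sh
# Added example: find migrated users whose primary GID refers to no group.
# The LDIF strings are constructed sample data, not real directory output.

USERS_LDIF='dn: uid=ben,cn=users,cn=accounts,dc=example,dc=com
uid: ben
uidNumber: 18600002
gidNumber: 18600003

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
uidNumber: 18600001
gidNumber: 18600001
'

GROUPS_LDIF='dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
gidNumber: 18600000

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=com
cn: alice
gidNumber: 18600001

dn: cn=ben,cn=groups,cn=accounts,dc=example,dc=com
cn: ben
gidNumber: 18600002
'

# orphan_gids USERS_LDIF GROUPS_LDIF
# Prints "uid gidNumber uidNumber" for every user entry whose gidNumber is
# not the gidNumber of any group entry. Attributes are collected per entry
# and checked when the next "dn:" line (or end of input) is seen, so the
# attribute order inside an entry does not matter.
orphan_gids() {
    users="$1"; groups="$2"
    known=$(printf '%s\n' "$groups" | awk '/^gidNumber:/ { print $2 }' | sort -u)
    printf '%s\n' "$users" | awk -v known="$known" '
        function flush() {
            if (uid != "" && !(gid in g)) print uid, gid, uidn
            uid = gid = uidn = ""
        }
        BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) g[k[i]] = 1 }
        /^dn:/        { flush() }
        /^uid:/       { uid  = $2 }
        /^uidNumber:/ { uidn = $2 }
        /^gidNumber:/ { gid  = $2 }
        END           { flush() }
    '
}

# fix_commands USERS_LDIF GROUPS_LDIF
# For each orphaned user, emit the ipa command that sets the primary GID to
# the user's uidNumber, i.e. the user's private group (assumes UPGs enabled).
fix_commands() {
    orphan_gids "$1" "$2" | awk '{ printf "ipa user-mod %s --gidnumber=%s\n", $1, $3 }'
}

orphan_gids "$USERS_LDIF" "$GROUPS_LDIF"
fix_commands "$USERS_LDIF" "$GROUPS_LDIF"
```

Against a live server, feed the functions the output of `ldapsearch -LLL -b cn=users,cn=accounts,dc=XXX,dc=XXX uid uidNumber gidNumber` and the equivalent search over `cn=groups,cn=accounts` with `gidNumber`, then review the generated commands before running them. If `id` keeps reporting the old GID after the LDAP entry is corrected, the stale value is usually SSSD's cache; `sss_cache -u LOGIN` (or `sss_cache -E` for everything) flushes it.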
