On 03/16/2015 03:49 PM, Steven Jones wrote:

Our present IPA started on RHEL6.2 (I think) and has a self-signed cert which  
has the wrong encoding.   I am just replacing it now, its preventing RHEL7.1 

Now I am waiting on a BZ, so upgrading to RHEL7.1 isnt easy or quick.


From: freeipa-users-boun...@redhat.com <freeipa-users-boun...@redhat.com> on behalf 
of Benjamin Reed <ran...@opennms.org>
Sent: Tuesday, 17 March 2015 8:01 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Gave Up on RHEL6->7 migration, starting over. (ipa 

So given my RHEL6 machine started on an older FreeIPA 3.0, was a
self-signed cert, and has gone through all kinds of hell and I'm having
an impossible time setting up new master(s), I've decided to start over.

I installed the EPEL7 FreeIPA 4.1.3 RPMs, in the hopes that being on the
latest would give me the best chance at migrating.

I did the following:

--- 8< ---
ipa config-mod --enable-migration=true
ipa-compat-manage disable
service ipa restart # ipa-compat-manage wants a restart
ipa migrate-ds \
     --bind-dn=uid=admin,cn=users,cn=accounts,dc=XXX,dc=XXX \
     --user-container=cn=users,cn=accounts \
     --group-container=cn=groups,cn=accounts \
     --group-overwrite-gid \
ipa-compat-manage enable
ipa-config-mod --enable-mogration=false
service ipa restart
--- 8< ---

It all seems to have (kinda) worked, I can log in to the UI as admin and
see all of my users and groups.  There are a couple of snags.

1. When the migration completed, it said:

Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
If I try to actually do this as a regular user, the web UI just says:

The password or username you entered is incorrect. Please try again
(make sure your caps lock is off).
If the problem persists, contact your administrator.
I'm not sure where to look in the logs to figure out what's going on,
but nothing in the kerberos logs jump out at me.  The dirsrv log has these:

Do not turn the migration off using ipa-config-mod --enable-mogration=false until your users migrated their passwords.
The migration UI would not work if migration mode is turned off.

[16/Mar/2015:14:43:21 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=XXX,dc=XXX--no CoS Templates found, which should
be added before the CoS Definition.
[16/Mar/2015:14:43:21 -0400] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=XXX,dc=XXX--no CoS Templates found, which should
be added before the CoS Definition.
...which seems fishy.

This is something for the team to take a look at.
I can't say whether is an issue or a red herring.

2. If I manually reset my user's password in the UI and then try to log
in as that user, it does work, but I'd like to avoid having to
hand-reset every single user's account for obvious reasons.  When I *do*
log in as my reset user, I always get this on the shell:

id: cannot find name for group ID 18600003

Did you clean the SSSD cache on the client?

That gid is the `ipausers` GID from the old server.  It appears that
modern FreeIPA doesn't assign a GID to `ipausers` which is fine, but I
can't figure out how to *remove* the old GID from existing users and
have everything be correct.  I've tried adding a group and forcing its
GID to match the missing GID and deleting it again, but now it just
seems to have cached it... when I do an `id` on my user, it still shows
my user's GID as being 18600003(temp) even though the "temp" group has
been removed.

Any ideas how to do this migration properly?

You want to flush caches on the clients for thing to work properly after such migration. These recommendations will get you further, let us know if you see any other issues.


Benjamin Reed
The OpenNMS Group

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to