On 3/17/15 12:29 PM, Martin Kosek wrote:
> 1) Migrate users via SSSD and simply SSH or log in to any machine enrolled to
> the new IPA, as I showed in the example

I'll have my users who need working kerberos ssh in.  The union of the
set of users who need kerberos and users who ssh is a circle.  ;)

> 2) Implement your own migration tool, doing an LDAP BIND for the migrated user
> (this is what SSSD does too anyway).
> 3) (hackish) Until the potential ticket is fixed, you can try to fix
> /usr/share/ipa/migration/migration.py on the IPA server yourself. This is the
> migration script that is used. If you actually fix it, you may even think 
> about
> contributing the fix to FreeIPA project as a patch, it would be very welcome 
> :-)

I looked at the script and I don't know python or how the binding stuff
is set up enough to understand making a patch, but I have at least
created an issue: https://fedorahosted.org/freeipa/ticket/4953

Thanks again for your help.  I've been banging my head on getting away
from our broken old FreeIPA server for quite some time.

Benjamin Reed
The OpenNMS Group

Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to