On 3/17/15 12:29 PM, Martin Kosek wrote: > 1) Migrate users via SSSD and simply SSH or log in to any machine enrolled to > the new IPA, as I showed in the example
I'll have my users who need working kerberos ssh in. The union of the set of users who need kerberos and users who ssh is a circle. ;) > 2) Implement your own migration tool, doing an LDAP BIND for the migrated user > (this is what SSSD does too anyway). > > 3) (hackish) Until the potential ticket is fixed, you can try to fix > /usr/share/ipa/migration/migration.py on the IPA server yourself. This is the > migration script that is used. If you actually fix it, you may even think > about > contributing the fix to FreeIPA project as a patch, it would be very welcome > :-) I looked at the script and I don't know python or how the binding stuff is set up enough to understand making a patch, but I have at least created an issue: https://fedorahosted.org/freeipa/ticket/4953 Thanks again for your help. I've been banging my head on getting away from our broken old FreeIPA server for quite some time. -- Benjamin Reed The OpenNMS Group http://www.opennms.org/
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
