Tamas Papp wrote:
On 06/10/2015 03:35 PM, Martin Kosek wrote:
On 06/10/2015 03:32 PM, Christopher Lamb wrote:
I think the general advice is to replicate rather than to migrate. I am
sure Martin K will jump in on this.
However some weeks ago, when doing a very similar move to yours, we
to migrate (we were misled by some very old FreeIPA docus that have
In our case passwords were successfully migrated, so the users were
use the same user / password combo as before.
I will see if I can dig out the migrate command we used at the time.
Did you use the migration command advised in
I would be satisfied with this procedure.
However, earlier you (actually Dmitri) posted a different one:
Which is the right one?
In my opinion the second one is too complicated, I would rather choose
'ipa migrate-ds' (we don't have machine accounts).
They are both right, in the right context.
While there are a number of steps involved in creating an EL 7 master
from an EL 6 install, you retain all current data and clients, assuming
you are using DNS SRV records, probably won't notice at all.
ipa-migrate-ds only migrates users and groups so you'll lose all sudo,
HBAC, automount, automember and more rules, plus netgroups and
hostgroups. You'd have to manually re-add all of these. You'll also end
up with a new CA (with the same name) and have to re-enroll all your
Creating a new master is probably a lot easier and less disruptive.
You'd want to leave both the EL 6 and 7 masters running for a bit
(probably days, not months) to be sure everything is working ok. Be sure
to add a new user or group on the EL 7 master before decommissionin gthe
EL 6 one. And don't forget to use the --setup-ca option when creating
the EL 7 master.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project