Tamas Papp wrote:

On 06/10/2015 03:35 PM, Martin Kosek wrote:
On 06/10/2015 03:32 PM, Christopher Lamb wrote:
Hi Tamas

I think the general advice is to replicate rather than to migrate. I am
sure Martin K will jump in on this.
Yes :-)

However some weeks ago, when doing a very similar move to yours, we
to migrate (we were misled by some very old FreeIPA docus that have
been archived).

In our case passwords were successfully migrated, so the users were
able to
use the same user / password combo as before.

I will see if I can dig out the migrate command we used at the time.
Did you use the migration command advised in


hi Martin,


I would be satisfied with this procedure.

However, earlier you (actually Dmitri) posted a different one:


Which is the right one?
In my opinion the second one is too complicated, I would rather choose
'ipa migrate-ds' (we don't have machine accounts).

They are both right, in the right context.

While there are a number of steps involved in creating an EL 7 master from an EL 6 install, you retain all current data and clients, assuming you are using DNS SRV records, probably won't notice at all.

ipa-migrate-ds only migrates users and groups so you'll lose all sudo, HBAC, automount, automember and more rules, plus netgroups and hostgroups. You'd have to manually re-add all of these. You'll also end up with a new CA (with the same name) and have to re-enroll all your clients.

Creating a new master is probably a lot easier and less disruptive. You'd want to leave both the EL 6 and 7 masters running for a bit (probably days, not months) to be sure everything is working ok. Be sure to add a new user or group on the EL 7 master before decommissionin gthe EL 6 one. And don't forget to use the --setup-ca option when creating the EL 7 master.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to