lejeczek wrote:
On 15/03/16 13:42, Rob Crittenden wrote:
lejeczek wrote:
On 14/03/16 17:06, Rob Crittenden wrote:
lejeczek wrote:
with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in IPA.
thanks Rob, may I ask why process by defaults looks up only objectclass:
groupofuniquenames, groupofnames?
It is conservative but this is why it can be overridden.

Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from ldap+samba.

Lastly, is there a way to preserve  account locked/disabled status for
posix/samba?
I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob
I don't think it works, I guess it matters how ipa tools map these
attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
how this works.
If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
unless "Account disabled" is for something else.

IPA/389-ds uses nsAccountLock to lock accounts.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to