lejeczek wrote:
On 15/03/16 15:57, Rob Crittenden wrote:
lejeczek wrote:
On 15/03/16 13:42, Rob Crittenden wrote:
lejeczek wrote:
On 14/03/16 17:06, Rob Crittenden wrote:
lejeczek wrote:
with...

ipa: ERROR: group LDAP search did not return any result (search
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in IPA.
thanks Rob, may I ask why the process by default looks up only
objectclass: groupofuniquenames, groupofnames?
It is conservative but this is why it can be overridden.

Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from ldap+samba.

Lastly, is there a way to preserve account locked/disabled status for
posix/samba?
I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob
I don't think it works, I guess it matters how ipa tools map these
attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked users.... I wonder
how this works.
If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
unless "Account disabled" is for something else.

IPA/389-ds uses nsAccountLock to lock accounts.
and in my case it could not work for I had (anybody sane would too)
hashed pass in ldap userdb, am I right?

What won't work? Migrated user passwords will work just fine.

If one has hundreds of users s/he thinks, o! it'd be great to keep that
account enabled/disabled status - would there be a way around it?

IPA isn't designed to be an LDAP backend for Samba so there isn't a lot of direct integration with the schema. You could write a plugin to keep the two attributes in sync.

For those already migrated it should be pretty easy to write an LDAP search to find them and then for each user call ipa user-disable <user>

rob
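
The search-then-disable approach suggested in the reply above, sketched as an added example that is not part of the original thread or FreeIPA's own code. It assumes the migrated entries kept `sambaAcctFlags` and that Samba's `D` flag marks a disabled account; the function names, the sample LDIF and the `dc=example,dc=com` suffix are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): emit `ipa user-disable` for migrated users
# whose sambaAcctFlags has the D flag. Names and dc=example,dc=com are hypothetical.

# Read LDIF on stdin; print the uid of every entry flagged D.
samba_disabled_uids() {
    awk '
        function emit() {
            if (uid != "" && disabled) print uid
            uid = ""; disabled = 0
        }
        { sub(/\r$/, "") }                      # tolerate CRLF exports
        /^$/ { emit(); next }                   # blank line ends an LDIF entry
        tolower($0) ~ /^uid: / { if (uid == "") uid = substr($0, 6); next }
        tolower($0) ~ /^sambaacctflags: / {
            # Value looks like "[UD         ]"; D between the brackets = disabled.
            if (substr($0, 17) ~ /^\[.*D.*\]/) disabled = 1
        }
        END { emit() }
    '
}

# Dry run: print the commands for review instead of executing them.
disable_commands() {
    samba_disabled_uids | while IFS= read -r u; do
        printf 'ipa user-disable %s\n' "$u"
    done
}

# Constructed sample of what the search would return.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
sambaAcctFlags: [U          ]

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
sambaAcctFlags: [UD         ]

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
uid: dave
EOF
}

# Against a live server (with a Kerberos ticket) the input would come from:
#   ldapsearch -LLL -Y GSSAPI -o ldif-wrap=no \
#     -b cn=users,cn=accounts,dc=example,dc=com '(sambaAcctFlags=*)' uid sambaAcctFlags
sample_ldif | disable_commands
```

The flag test is done client-side with a presence filter because substring matching on `sambaAcctFlags` depends on how the schema defines the attribute.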
