Janelle wrote:
The groups don't go on the 2nd pass because they already went on the
first meant. I meant to reply to this the other day as I have had a lot
of experience with re-running migration. Group membership for an already
existing group, does NOT come over on the 2nd pass. I have found it is
better to start fresh if you want a clean migration. Or, better yet,
gather the group memberships via LDAP and migrate them by hand with a
friendly script. I through one together to do that pretty easily.
Right, if a group already exists it is assumed to have either been
migrated successfully or was a pre-existing group, in either case no
further action is taken.
rob
~J
On 3/15/16 10:22 AM, Rob Crittenden wrote:
lejeczek wrote:
On 15/03/16 14:14, lejeczek wrote:
On 15/03/16 13:42, Rob Crittenden wrote:
lejeczek wrote:
On 14/03/16 17:06, Rob Crittenden wrote:
lejeczek wrote:
with...
ipa: ERROR: group LDAP search did not return any result (search
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass:
groupofuniquenames,
groupofnames)
I see users went in but later I realized that current samba's ou
was
"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in IPA.
thanks Rob, may I ask why process by defaults looks up only
objectclass:
groupofuniquenames, groupofnames?
It is conservative but this is why it can be overridden.
Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from ldap+samba.
Lastly, is there a way to preserve account locked/disabled status for
posix/samba?
I don't know how it is stored but as lon
g as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.
rob
last - this must most FAQ people wonder - can IPA's 389 backend be
used in the same/similar fashion samba uses ldap? skipping all the
kerberos bits? (samba & IPA on the same one box)
this might be more 389-ds related - in old days I remember DS had
mozldap dedicated toolset, how is it these days? How do users deal
with 389-ds IPA-related bits?
many thanks
now when I've groups migrated I see mappings user-group are lost. Would
it be because my groups did not go in first time together with users?
Need more info. What do you mean by mappings are lost?
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
