Rene Trippen wrote:
> I've got an IPA with a broken CA infrastructure (don't know what
> happened, but new clients cannot be registered).
> It is not even possible to set up a new replica.

It may be fairly straightforward to get the CA back up. How is it

> So, I wanted to set up a new IPA server with a new CA, and I want to move
> all users with their passwords to the new IPA instance.
> I've tried with 'ipa migrate-ds':
>
> ipa migrate-ds --continue --bind-dn="cn=Directory Manager"
> --group-overwrite-gid --with-compat ldap://<ldapserver>
>
> The output is OK:
>
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
>
> But the ipa/migration website is not working for me.
> Anyway, is there a way to export the users with passwords? I think I
> have to export some Kerberos-specific stuff from the old IPA?

The log file /var/log/httpd/error_log may have details on what isn't

The way to export users with passwords is the method you've already
tried. To not have to change a password at all would require the same
Kerberos master key and these are generated randomly at install time.
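
Added example, not part of the original thread and not FreeIPA code: a sketch of why a pre-hashed password verifies a login but cannot yield Kerberos keys until the user supplies the cleartext once. It assumes the migrated userPassword is an {SSHA} value and models only the PBKDF2 stage of the RFC 3962 AES string-to-key with the default realm+principal salt; the function names and sample data are hypothetical.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a migrated {SSHA} hash."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    check = hashlib.sha1(candidate.encode() + salt).digest()
    return hmac.compare_digest(digest, check)

def krb_pbkdf2_stage(secret: str, realm: str, user: str) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.

    The RFC applies a further key-derivation step to this output; that
    step is omitted here. Salt = realm + principal name (RFC default).
    """
    salt = (realm + user).encode()
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, 4096, 32)

def migration_login(stored: str, cleartext: str, realm: str, user: str):
    """Model of a migration login: verify against the old hash, then
    derive Kerberos key material from the cleartext just supplied."""
    if not verify_ssha(stored, cleartext):
        return None
    return krb_pbkdf2_stage(cleartext, realm, user)

# Constructed sample data (not taken from the thread).
REALM, USER, PASSWORD = "EXAMPLE.TEST", "alice", "correct horse"
MIGRATED_HASH = make_ssha(PASSWORD, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    good = migration_login(MIGRATED_HASH, PASSWORD, REALM, USER)
    bad = migration_login(MIGRATED_HASH, "wrong guess", REALM, USER)
    # Feeding the hash itself into the derivation gives unrelated output.
    from_hash = krb_pbkdf2_stage(MIGRATED_HASH, REALM, USER)
    print("cleartext login derives key material:", good is not None)
    print("wrong password rejected:", bad is None)
    print("hash alone gives the same keys:", from_hash == good)
```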