[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-15 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Wed, May 10, 2023 at 1:43 PM Finn Fysj via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> > Hi,
> >
> > if you want to install a RHEL8 or RHEL9 server with the same domain name,
> > the recommended procedure would be to install a RHEL8 replica from your
> > RHEL7 server, then a RHEL9 replica from your RHEL8 server.
> > You can check this documentation:
> >
> >    - Migrating your IdM environment from RHEL 7 servers to RHEL 8 servers
> >    [1]
> >    - Migrating your IdM environment from RHEL 8 servers to RHEL 9 servers
> >    [2]
> >
> > ipa migrate-ds is used when the new domain name is different from the old
> > one and does not migrate all the data (only users and groups are migrated,
> > not HBAC rules, sudo rules etc...). On the contrary, installation of a
> > replica does not lose any data. And you don't need to worry about the SIDs.
> >
> > HTH,
> > flo
> >
> > [1]
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
> > [2]
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
> >
> > On Tue, May 9, 2023 at 2:35 PM Finn Fysj via FreeIPA-users <
> > freeipa-users(a)lists.fedorahosted.org wrote:
> Thank you for replying to me, Florence.
>
> I'm aware that the recommended method of migrating is:  RHEL 7 > 8 > 9.
> However, I would like to do RHEL 7 > 9. I have tried this in a small test
> lab and it seems to be somewhat OK, as I'm only interested in Users/Groups.
>
> As additional information: we will use the same Domain Name for the new
> instance as well, though we do not want to install this as a replica part of
> the existing old one.
> Is there anything else we should look out for or be aware of? E.g. clients
> already enrolled in the old IPA instance?
>
If the ipa migrate-ds method is used, users and groups will be copied to
the new server but not the hosts. Any enrolled client will remain enrolled
to the old server, and will be completely unaware of the new server. If you
want to enroll the existing clients to the new server, you will have to
un-enroll them from the old one (ipa-client-install --uninstall), then
enroll to the new one (ipa-client-install ...).

The ipa migrate-ds command also needs to be provided with parameters to
ignore the SID attribute (--user-ignore-objectclass ipantuserattrs
--user-ignore-attribute ipaNTSecurityIdentifier --group-ignore-objectclass
ipantuserattrs --group-ignore-attribute ipaNTSecurityIdentifier should do
the trick).

HTH,
flo

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
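
Added example, not part of the original thread: a pre-flight check that lists which entries in an LDIF export of the old server carry ipaNTSecurityIdentifier, followed by the migrate-ds call with the ignore options quoted in the reply above. The function names, hostname and sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample LDIF and hostname are constructed.
# Export the old server's accounts subtree unfolded before feeding it in, e.g.
# with ldapsearch -o ldif-wrap=no, so each attribute sits on one line.

# Read LDIF on stdin; print "user <dn>" or "group <dn>" for each entry that
# carries ipaNTSecurityIdentifier, the attribute the ignore options skip.
sid_entries() {
    awk '
        /^dn: / { dn = substr($0, 5); seen = 0; next }
        /^$/    { dn = ""; next }
        tolower($0) ~ /^ipantsecurityidentifier: / && dn != "" && !seen {
            kind = "other"
            if (tolower(dn) ~ /,cn=users,cn=accounts,/)  kind = "user"
            if (tolower(dn) ~ /,cn=groups,cn=accounts,/) kind = "group"
            print kind, dn
            seen = 1
        }
    '
}

# Print (do not run) the migrate-ds call with the ignore options from the reply.
# $1 is the LDAP URI of the old server.
migrate_cmd() {
    printf '%s\n' "ipa migrate-ds \
--user-ignore-objectclass=ipantuserattrs \
--user-ignore-attribute=ipaNTSecurityIdentifier \
--group-ignore-objectclass=ipantuserattrs \
--group-ignore-attribute=ipaNTSecurityIdentifier $1"
}

# Constructed sample: alice and the admins group carry a SID, bob does not.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
cn: admins
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-512
EOF
}

sample_ldif | sid_entries
migrate_cmd ldap://old-ipa.example.test:389
```

Running the same check against an export of the new server after migration shows whether any old SID value was carried over.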


[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-10 Thread Finn Fysj via FreeIPA-users
> Hi,
> 
> if you want to install a RHEL8 or RHEL9 server with the same domain name,
> the recommended procedure would be to install a RHEL8 replica from your
> RHEL7 server, then a RHEL9 replica from your RHEL8 server.
> You can check this documentation:
> 
>    - Migrating your IdM environment from RHEL 7 servers to RHEL 8 servers
>    [1]
>    - Migrating your IdM environment from RHEL 8 servers to RHEL 9 servers
>    [2]
> 
> ipa migrate-ds is used when the new domain name is different from the old
> one and does not migrate all the data (only users and groups are migrated,
> not HBAC rules, sudo rules etc...). On the contrary, installation of a
> replica does not lose any data. And you don't need to worry about the SIDs.
> 
> HTH,
> flo
> 
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
> [2]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/...
> 
> On Tue, May 9, 2023 at 2:35 PM Finn Fysj via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org wrote:
Thank you for replying to me, Florence.

I'm aware that the recommended method of migrating is:  RHEL 7 > 8 > 9.
However, I would like to do RHEL 7 > 9. I have tried this in a small test lab 
and it seems to be somewhat OK, as I'm only interested in Users/Groups.

As additional information: we will use the same Domain Name for the new 
instance as well, though we do not want to install this as a replica part of 
the existing old one.
Is there anything else we should look out for or be aware of? E.g. clients 
already enrolled in the old IPA instance?


[Freeipa-users] Re: ipa migrate-ds - From EL7 to EL8/9

2023-05-09 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

if you want to install a RHEL8 or RHEL9 server with the same domain name,
the recommended procedure would be to install a RHEL8 replica from your
RHEL7 server, then a RHEL9 replica from your RHEL8 server.
You can check this documentation:

   - Migrating your IdM environment from RHEL 7 servers to RHEL 8 servers
   [1]
   - Migrating your IdM environment from RHEL 8 servers to RHEL 9 servers
   [2]

ipa migrate-ds is used when the new domain name is different from the old
one and does not migrate all the data (only users and groups are migrated,
not HBAC rules, sudo rules etc...). On the contrary, installation of a
replica does not lose any data. And you don't need to worry about the SIDs.

HTH,
flo

[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrate-7-to-8_migrating
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9

On Tue, May 9, 2023 at 2:35 PM Finn Fysj via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Planning to migrate users and groups from an old dusty IPA server running
> Red Hat Enterprise Linux 7 to RHEL9.
> I'm aware of SID issues from following thread:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/MO63NXS63KSI6QJMZRN6JK32VUGKEICH/
>
> Should I ignore the attribute `ipaNTSecurityIdentifier` when migrating
> from old to new instance?