Re: [Freeipa-users] FreeIPA 3.3.3-28 Integration with Samba 4.1.1-37 Problems
Interestingly enough, I have almost the same setup here. I did an ipa-server install, then did ipa-adtrust-install. Afterward, I went through and grabbed the configs with 'net conf list' and modified it to use my shares. This one is just my testing, but the production one works perfectly!

How did you import your users? I did mine by setting up an openldap and importing an ldif with the proper DN values. Then ran ipa migrate-ds. In some cases, certain data didn't migrate, so I added that with ldapmodify as necessary.

Here's what my samba config looks like with 'net conf list'. It seems it's pretty much the same as yours. Except for mine working, of course.

[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        log file = /var/log/samba/log.%m
        max log size = 10
        disable spoolss = Yes
        domain logons = Yes
        domain master = Yes
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        ldap suffix = dc=example,dc=com
        ldap ssl = no
        ldap user suffix = cn=users,cn=accounts
        registry shares = Yes
        create krb5 conf = No
        rpc_daemon:lsasd = fork
        rpc_daemon:epmd = fork
        rpc_server:tcpip = yes
        rpc_server:netlogon = external
        rpc_server:samr = external
        rpc_server:lsasd = external
        rpc_server:lsass = external
        rpc_server:lsarpc = external
        rpc_server:epmapper = external
        ldapsam:trusted = yes
        idmap config * : backend = tdb

[homes]
        browseable = no
        comment = Home Directories
        read only = no

[share1]
        browseable = yes
        read only = no
        path = /srv/samba/share1
        comment = Temporary Public Share
        valid users = @testgroup

Cheers,

herlo

On Tue, Oct 28, 2014 at 12:36 PM, Jason Smith jasonsm...@attask.com wrote:
> A little history. We migrated from an OpenLDAP system to FreeIPA. The IPA version is listed above. I have samba installed and integrated directly on the FreeIPA box.
>
> The problem we're having is that users who were migrated can no longer see the samba shares. We are connecting to these shares through Mac OSX. When accessing the share with smbclient -L mydom...@domain.com I get the response "session setup failed: NT_STATUS_CONNECTION_DISCONNECTED". This is the response I get when connected to the FreeIPA/Samba box. Users were able to access these shares, then overnight, they weren't. No changes were made to the samba config or the FreeIPA. Any new user created through FreeIPA can see and browse any share they have access to.
>
> If there's any other information needed, please let me know. Thank you!!!
>
> Below are a couple configs I have set:
>
> Samba global settings
>
> [global]
>         workgroup = ATTASK
>         netbios name = IPA01
>         realm = ATTASK.CORP
>         passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-ATTASK-CORP.socket
>         kerberos method = dedicated keytab
>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>         log file = /var/log/samba/log.%m
>         max log size = 10
>         disable spoolss = Yes
>         domain logons = Yes
>         domain master = Yes
>         ldap group suffix = cn=groups,cn=accounts
>         ldap machine suffix = cn=computers,cn=accounts
>         ldap suffix = dc=attask,dc=corp
>         ldap ssl = no
>         ldap user suffix = cn=users,cn=accounts
>         registry shares = Yes
>         create krb5 conf = No
>         rpc_daemon:lsasd = fork
>         rpc_daemon:epmd = fork
>         rpc_server:tcpip = yes
>         rpc_server:netlogon = external
>         rpc_server:samr = external
>         rpc_server:lsasd = external
>         rpc_server:lsass = external
>         rpc_server:lsarpc = external
>         rpc_server:epmapper = external
>         ldapsam:trusted = yes
>         idmap config * : backend = tdb
>
> User Not Working:
>
> dn: uid=test,cn=users,cn=accounts,dc=attask,dc=corp
> uid: test
> sn: test
> cn: test
> mail: t...@test.com
> nsaccountlock: False
> has_password: True
> has_keytab: True
> dialupAccess: yes
> displayName: test test
> emailPassword: YTdiMDE4Y2Q1N2QwOWJjZTg0OWMxZThjNTgyNTFmNTlw==
> gidNumber: 107001365
> givenName: test
> homeDirectory: /home/test
> ipaNTSecurityIdentifier: S-1-5-21-1103557689-1565082434-1264062975-2355
> ipaUniqueID: 607de82c-562b-11e4-b263-5254003b1df7
> krbExtraData: AAJwtE9Ucm9vdC9hZG1pbkdvvBBVFR09SUAA=
> krbLastFailedAuth: 20141028151647Z
> krbLastPwdChange: 20141028152120Z
> krbLastSuccessfulAuth: 20141028152012Z
> krbLoginFailedCount: 0
> krbPasswordExpiration: 20150122152120Z
> krbPrincipalName: t...@attask.corp
> krbTicketFlags: 128
> loginShell: /sbin/nologin
> memberof: cn=ipausers,cn=groups,cn=accounts,dc=attask,dc=corp
> memberof: cn=attask,cn=groups,cn=accounts,dc=attask,dc=corp
> memberof: cn=clientservices,cn=groups,cn=accounts,dc=attask,dc=corp
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: organizationalperson
Re: [Freeipa-users] Migration fails with custom objectClasses
On Thu, Oct 16, 2014 at 12:59 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 10/16/2014 11:42 AM, Clint Savage wrote:
>> The access log had that information. And this error log: https://www.dropbox.com/s/ak6za0dkr0cn7ay/errors.20141010-132318
>
> There unfortunately doesn't seem to be a debug log level that will tell the server to dump the add request with all arguments. The best bet would be to get the ipa migrate tool to dump its commands to LDIF format, then we can look at it and figure out what it is doing wrong. I don't know if that's possible.

Does anyone know how to accomplish what Rich suggests above?

Thanks,

Clint

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
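Rich's reply above says the access log had the information, and that no debug level dumps the full add request. What the default 389-ds access log does record is the target DN of every ADD and the LDAP result code of its RESULT line, matched by conn= and op=. The script below is an added example written for this thread, not code from FreeIPA, 389-ds or any of the posters: it pairs each ADD with its RESULT and lists the DNs whose add failed, decoding the two result codes the migration reported (20 attributeOrValueExists is "Type or value exists", 68 entryAlreadyExists is "This entry already exists"). The log lines are constructed for the example, modelled on the default access log format; the DNs reuse the names from the thread but the lines are not from any real log.

```python
"""Find which ADD operations a 389-ds access log records as failed, and why.

Added example for this thread, not code from FreeIPA or 389-ds. Requests and
results are paired on (conn, op), which is how the access log ties a RESULT
line back to the operation it answers.
"""
import re

# LDAP result codes (RFC 4511) for the two failures the migration reported.
LDAP_RESULT_NAMES = {
    0: "success",
    20: "attributeOrValueExists (Type or value exists)",
    68: "entryAlreadyExists (This entry already exists)",
}

# One access log line: "[timestamp] conn=N op=M <operation or RESULT ...>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
ADD_RE = re.compile(r'^ADD dn="(?P<dn>.*)"$')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")

# Constructed sample, modelled on the default 389-ds access log format.
# The DNs reuse names from the thread; the lines were not taken from a real log.
SAMPLE_ACCESS_LOG = """\
[16/Oct/2014:13:23:17 -0600] conn=7 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[16/Oct/2014:13:23:17 -0600] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[16/Oct/2014:13:23:18 -0600] conn=7 op=1 ADD dn="uid=amyengh,cn=users,cn=accounts,dc=example,dc=com"
[16/Oct/2014:13:23:18 -0600] conn=7 op=1 RESULT err=20 tag=105 nentries=0 etime=0
[16/Oct/2014:13:23:18 -0600] conn=7 op=2 ADD dn="cn=amyengh,cn=groups,cn=accounts,dc=example,dc=com"
[16/Oct/2014:13:23:18 -0600] conn=7 op=2 RESULT err=68 tag=105 nentries=0 etime=0
[16/Oct/2014:13:23:18 -0600] conn=7 op=3 ADD dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com"
[16/Oct/2014:13:23:18 -0600] conn=7 op=3 RESULT err=0 tag=105 nentries=0 etime=0
[16/Oct/2014:13:23:19 -0600] conn=7 op=4 UNBIND
"""


def failed_adds(log_text):
    """Return one dict per ADD whose RESULT carried a non-zero err.

    Interleaved connections are handled because the key is (conn, op);
    an ADD that has no RESULT yet is simply never reported.
    """
    pending = {}   # (conn, op) -> (timestamp, dn) for ADDs awaiting a RESULT
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        add = ADD_RE.match(m["rest"])
        if add:
            pending[key] = (m["ts"], add["dn"])
            continue
        result = RESULT_RE.match(m["rest"])
        if result and key in pending:
            ts, dn = pending.pop(key)
            err = int(result["err"])
            if err != 0:
                failures.append({
                    "time": ts, "conn": key[0], "op": key[1], "dn": dn,
                    "err": err,
                    "meaning": LDAP_RESULT_NAMES.get(err, "see RFC 4511 result codes"),
                })
    return failures


if __name__ == "__main__":
    for f in failed_adds(SAMPLE_ACCESS_LOG):
        print(f"conn={f['conn']} op={f['op']} err={f['err']} {f['meaning']}: {f['dn']}")
```

Pointed at a real instance's log (normally /var/log/dirsrv/slapd-INSTANCE/access) this narrows a migrate-ds failure to the exact entry and result code without raising the server log level; which attribute inside that entry triggered result 20 still has to be found from the entry itself.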
Re: [Freeipa-users] Migration fails with custom objectClasses
    1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.16 NAME 'radiusFramedIPXNetwork' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddress' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: attributeTypes
attributeTypes: ( 2.16.840.1.113730.3.1.684 NAME 'nsds5ReplicaChangeCount' DESC 'Netscape defined attribute type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.13 NAME 'radiusFramedCompression' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $ radiusFramedCompression $ radiusFramedIPAddress $ radiusFramedIPNetmask $ radiusFramedIPXNetwork $ radiusFramedMTU $ radiusFramedProtocol $ radiusCheckItem $ radiusReplyItem $ radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $ radiusGroupName $ radiusHint $ radiusHuntgroupName $ radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $ radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $ radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $ radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $ radiusRealm $ radiusReplicateToRealm $ radiusServiceType $ radiusSessionTimeout $ radiusStripUserName $ radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $ radiusSimultaneousUse $ radiusTunnelAssignmentId $ radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $ radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCategory $ radiusVSA $ radiusExpiration $ dialupAccess $ radiusNASIpAddress $ radiusReplyMessage ) )

I'm happy to provide any other data necessary as well.

Thanks,

Clint

On Wed, Oct 15, 2014 at 7:02 AM, Simo Sorce s...@redhat.com wrote:
> On Tue, 14 Oct 2014 10:58:36 -0600 Clint Savage her...@gmail.com wrote:
>> Hi all,
>>
>> I've been working on a migration plan using three custom user objectClasses and one group objectclass. In my attempt, I've setup an openldap server with the proper schemas, imported the ldif and have records that look something like this in ldif format.
>>
>> ---
>> dn: dc=example,dc=com
>> objectClass: top
>> objectClass: domain
>> dc: example
>>
>> dn: ou=Groups,dc=example,dc=com
>> objectClass: top
>> objectClass: organizationalunit
>> ou: Groups
>>
>> dn: ou=People,dc=example,dc=com
>> objectClass: top
>> objectClass: organizationalunit
>> ou: People
>>
>> dn: uid=amyengh,ou=People,dc=example,dc=com
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: organizationalPerson
>> objectClass: person
>> objectClass: radiusProfile
>> objectClass: sambaSamAccount
>> objectClass: customPersonAttributes
>> cn: Amy Engh
>> gidNumber: 1141801056
>> homeDirectory: /home/amyengh
>> sn: Engh
>> uid: amyengh
>> uidNumber: 1141801056
>> displayName: Amy Engh
>> givenName: Amy
>> loginShell: /sbin/nologin
>> mail: amye...@attask.com
>> userPassword:: REDACTED
>> dialupAccess: yes
>> radiusTunnelMediumType: IEEE-802
>> radiusTunnelPrivateGroupId: 1421
>> radiusTunnelType: VLAN
>> emailPassword:: REDACTED
>> sambaAcctFlags: [U ]
>> sambaLMPassword: REDACTED
>> sambaNTPassword: REDACTED
>> sambaPasswordHistory: 00 00
>> sambaPwdLastSet: 1402698001
Re: [Freeipa-users] Migration fails with custom objectClasses
$ rpm -q ipa-server
ipa-server-3.3.3-28.el7.centos.1.x86_64

I was thinking that this might be an issue with the rhel7 version. I'm going to be trying the same migration tonight on rhel6. I know the IPA version is older, and samba stuff might not work as it does in 3.3. I haven't looked in RHEL 6.6 yet to see what version of IPA is available.

Clint

On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Ludwig Krispenz wrote:
>> On 10/14/2014 06:58 PM, Clint Savage wrote:
>>> Hi all,
>>>
>>> I've been working on a migration plan using three custom user objectClasses and one group objectclass. In my attempt, I've setup an openldap server with the proper schemas, imported the ldif and have records that look something like this in ldif format.
>>>
>>> ---
>>> dn: dc=example,dc=com
>>> objectClass: top
>>> objectClass: domain
>>> dc: example
>>>
>>> dn: ou=Groups,dc=example,dc=com
>>> objectClass: top
>>> objectClass: organizationalunit
>>> ou: Groups
>>>
>>> dn: ou=People,dc=example,dc=com
>>> objectClass: top
>>> objectClass: organizationalunit
>>> ou: People
>>>
>>> dn: uid=amyengh,ou=People,dc=example,dc=com
>>> objectClass: inetOrgPerson
>>> objectClass: posixAccount
>>> objectClass: top
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: radiusProfile
>>> objectClass: sambaSamAccount
>>> objectClass: customPersonAttributes
>>> cn: Amy Engh
>>> gidNumber: 1141801056
>>> homeDirectory: /home/amyengh
>>> sn: Engh
>>> uid: amyengh
>>> uidNumber: 1141801056
>>> displayName: Amy Engh
>>> givenName: Amy
>>> loginShell: /sbin/nologin
>>> mail: amye...@attask.com
>>> userPassword:: REDACTED
>>> dialupAccess: yes
>>> radiusTunnelMediumType: IEEE-802
>>> radiusTunnelPrivateGroupId: 1421
>>> radiusTunnelType: VLAN
>>> emailPassword:: REDACTED
>>> sambaAcctFlags: [U ]
>>> sambaLMPassword: REDACTED
>>> sambaNTPassword: REDACTED
>>> sambaPasswordHistory: 00 00
>>> sambaPwdLastSet: 1402698001
>>> sambaSID: S-1-5-21-2332447373-4108748234-3602490535-3146
>>>
>>> dn: cn=amyengh,ou=Groups,dc=example,dc=com
>>> objectClass: top
>>> objectClass: posixGroup
>>> cn: amyengh
>>> gidNumber: 1141801056
>>> memberUid: amyengh
>>>
>>> I then run the migration (with or without compat makes no difference) and get the following:
>>>
>>> ipa migrate-ds --with-compat --user-container=ou=People --group-container=ou=Groups --user-objectclass=posixAccount --group-objectclass=posixgroup ldap://192.168.122.210 --bind-dn=cn=Manager,dc=example,dc=com
>>> Password:
>>> ---
>>> migrate-ds:
>>> ---
>>> Migrated:
>>> Failed user:
>>>   amyengh: Type or value exists:
>>> Failed group:
>>>   amyengh: This entry already exists.
>>
>> type or value exists and This entry already exists are just explanations of the ldap return code, do you see anything in the 389 ds error logs ?
>
> I doubt that he would see any errors. The entry already existing is because this isn't his first migration, it is unrelated.
>
> I'm not able to reproduce this. What version of IPA is it?
>
> rob
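Two questions on this page come down to inspecting LDIF entries side by side: in the first thread a migrated user cannot see the shares while a freshly created one can, and here a migrated entry is rejected with "Type or value exists" without LDAP naming the attribute. The script below is an added example written for this page, not code from FreeIPA, 389-ds or any of the posters. It reads LDIF and does two things: lists which attributes and objectClasses one entry has that the other lacks (for comparing a working user against a non-working one), and flags an attribute that carries the same value twice. Values are compared case-insensitively, which matches the caseIgnore and objectIdentifier matching rules of the attributes shown in the thread; a duplicate value within one attribute is one condition under which an LDAP server returns result 20 attributeOrValueExists. Whether either finding explains the posters' failures is not established by the thread. The two entries are constructed with made-up values, and parse_ldif, diff_entries, find_duplicate_values and compare_users are helpers written here.

```python
"""Compare two LDIF entries and flag duplicate attribute values.

Added example for this page; not FreeIPA, 389-ds or the posters' code.
parse_ldif, diff_entries, find_duplicate_values and compare_users are
helpers written for the example.
"""
import base64

# Constructed sample entries with made-up values. The attribute names are the
# kinds seen in the thread; MIGRATED_USER deliberately lists posixAccount
# twice with different casing and carries the custom radiusProfile class.
MIGRATED_USER = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixaccount
objectClass: posixAccount
objectClass: radiusProfile
uid: alice
cn: Alice Example
sn: Example
gidNumber: 100001
homeDirectory: /home/alice
loginShell: /sbin/nologin
dialupAccess: yes
description:: Q29uc3RydWN0ZWQ=
"""

NEW_USER = """\
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob Example
sn: Example
gidNumber: 100002
homeDirectory: /home/bob
loginShell: /bin/bash
mail: bob@example.com
"""


def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}} for the entries in an LDIF string.

    Handles folded continuation lines (leading space), base64 values ("::")
    and comment lines. Attribute names are lower-cased because LDAP treats
    them case-insensitively.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, dn, attrs = {}, None, {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def find_duplicate_values(attrs):
    """Return {attr: [values]} for values repeated within one attribute.

    Case-insensitive comparison matches caseIgnore* and objectIdentifier
    matching rules; for case-exact attributes it is stricter than the server.
    """
    dups = {}
    for name, values in attrs.items():
        seen = set()
        for v in values:
            if v.lower() in seen:
                dups.setdefault(name, []).append(v)
            seen.add(v.lower())
    return dups


def diff_entries(a, b):
    """Attributes and objectClasses that one entry has and the other lacks."""
    oc_a = {v.lower() for v in a.get("objectclass", [])}
    oc_b = {v.lower() for v in b.get("objectclass", [])}
    return {
        "attrs_only_in_a": sorted(set(a) - set(b)),
        "attrs_only_in_b": sorted(set(b) - set(a)),
        "objectclasses_only_in_a": sorted(oc_a - oc_b),
        "objectclasses_only_in_b": sorted(oc_b - oc_a),
    }


def compare_users(migrated_ldif=MIGRATED_USER, new_ldif=NEW_USER):
    """Run both checks on one entry from each LDIF string and return a report."""
    (a,) = parse_ldif(migrated_ldif).values()
    (b,) = parse_ldif(new_ldif).values()
    report = diff_entries(a, b)
    report["duplicates_in_a"] = find_duplicate_values(a)
    report["duplicates_in_b"] = find_duplicate_values(b)
    return report


if __name__ == "__main__":
    for key, value in compare_users().items():
        print(f"{key}: {value}")
```

In practice the two inputs would be the LDIF of a user that works and one that does not, as exported from the directory, so that the report shows exactly which classes and attributes the migration did or did not carry over.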
Re: [Freeipa-users] Migration fails with custom objectClasses
On Wed, Oct 15, 2014 at 2:33 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 10/15/2014 02:05 PM, Rob Crittenden wrote:
>> Clint Savage wrote:
>>> $ rpm -q ipa-server
>>> ipa-server-3.3.3-28.el7.centos.1.x86_64
>>>
>>> I was thinking that this might be an issue with the rhel7 version. I'm going to be trying the same migration tonight on rhel6. I know the IPA version is older, and samba stuff might not work as it does in 3.3. I haven't looked in RHEL 6.6 yet to see what version of IPA is available.
>>
>> I tested using a fairly recent IPA master build (4.1+). I'm not convinced it is related to any specific version, but different features are available so I thought I'd try to duplicate on a more similar footing (apples to apples comparison).
>>
>> The trick is to try to narrow down what attribute the LDAP server thinks already exists. We don't get a very nice error out of LDAP, like *what* attribute already exists, for example :-(
>>
>> It may be possible to set the 389-ds debug level to such that you get some decent output, but trying to find the right balance of output can be challenging. See their FAQ troubleshooting section.
>
> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>
> Try the ARGS (Heavy trace output debugging) level
>
>> rob
>>
>>> Clint
>>>
>>> On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>>> Ludwig Krispenz wrote:
>>>>> On 10/14/2014 06:58 PM, Clint Savage wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I've been working on a migration plan using three custom user objectClasses and one group objectclass. In my attempt, I've setup an openldap server with the proper schemas, imported the ldif and have records that look something like this in ldif format.
>>>>>> [...]
Re: [Freeipa-users] Migration fails with custom objectClasses
On Wed, Oct 15, 2014 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 10/15/2014 04:43 PM, Clint Savage wrote:
>> On Wed, Oct 15, 2014 at 2:33 PM, Rich Megginson rmegg...@redhat.com wrote:
>>> On 10/15/2014 02:05 PM, Rob Crittenden wrote:
>>>> Clint Savage wrote:
>>>>> $ rpm -q ipa-server
>>>>> ipa-server-3.3.3-28.el7.centos.1.x86_64
>>>>>
>>>>> I was thinking that this might be an issue with the rhel7 version. I'm going to be trying the same migration tonight on rhel6. I know the IPA version is older, and samba stuff might not work as it does in 3.3. I haven't looked in RHEL 6.6 yet to see what version of IPA is available.
>>>>
>>>> I tested using a fairly recent IPA master build (4.1+). I'm not convinced it is related to any specific version, but different features are available so I thought I'd try to duplicate on a more similar footing (apples to apples comparison).
>>>>
>>>> The trick is to try to narrow down what attribute the LDAP server thinks already exists. We don't get a very nice error out of LDAP, like *what* attribute already exists, for example :-(
>>>>
>>>> It may be possible to set the 389-ds debug level to such that you get some decent output, but trying to find the right balance of output can be challenging. See their FAQ troubleshooting section.
>>>
>>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>>>
>>> Try the ARGS (Heavy trace output debugging) level
>>>
>>>> rob
>>>>
>>>>> Clint
>>>>>
>>>>> On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>>>>> Ludwig Krispenz wrote:
>>>>>>> On 10/14/2014 06:58 PM, Clint Savage wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I've been working on a migration plan using three custom user objectClasses and one group objectclass. In my attempt, I've setup an openldap server with the proper schemas, imported the ldif and have records that look something like this in ldif format.
>>>>>>>> [...]
Re: [Freeipa-users] Migration fails with custom objectClasses
Rich,

Sorry about that. Thanks for the help.

http://ur1.ca/idu6a -- should be there at least for a few days.

Clint

On Wed, Oct 15, 2014 at 9:51 PM, Rich Megginson rmegg...@redhat.com wrote:
> On 10/15/2014 05:29 PM, Clint Savage wrote:
>> On Wed, Oct 15, 2014 at 5:04 PM, Rich Megginson rmegg...@redhat.com wrote:
>>> On 10/15/2014 04:43 PM, Clint Savage wrote:
>>>> On Wed, Oct 15, 2014 at 2:33 PM, Rich Megginson rmegg...@redhat.com wrote:
>>>>> On 10/15/2014 02:05 PM, Rob Crittenden wrote:
>>>>>> Clint Savage wrote:
>>>>>>> $ rpm -q ipa-server
>>>>>>> ipa-server-3.3.3-28.el7.centos.1.x86_64
>>>>>>>
>>>>>>> I was thinking that this might be an issue with the rhel7 version. I'm going to be trying the same migration tonight on rhel6. I know the IPA version is older, and samba stuff might not work as it does in 3.3. I haven't looked in RHEL 6.6 yet to see what version of IPA is available.
>>>>>>
>>>>>> I tested using a fairly recent IPA master build (4.1+). I'm not convinced it is related to any specific version, but different features are available so I thought I'd try to duplicate on a more similar footing (apples to apples comparison).
>>>>>>
>>>>>> The trick is to try to narrow down what attribute the LDAP server thinks already exists. We don't get a very nice error out of LDAP, like *what* attribute already exists, for example :-(
>>>>>>
>>>>>> It may be possible to set the 389-ds debug level to such that you get some decent output, but trying to find the right balance of output can be challenging. See their FAQ troubleshooting section.
>>>>>
>>>>> http://www.port389.org/docs/389ds/FAQ/faq.html#troubleshooting
>>>>>
>>>>> Try the ARGS (Heavy trace output debugging) level
>>>>>
>>>>>> rob
>>>>>>
>>>>>>> Clint
>>>>>>>
>>>>>>> On Wed, Oct 15, 2014 at 1:16 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>>>>>>> Ludwig Krispenz wrote:
>>>>>>>>> On 10/14/2014 06:58 PM, Clint Savage wrote:
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> I've been working on a migration plan using three custom user objectClasses and one group objectclass.
>>>>>>>>>> [...]