Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-29 Thread Alexander Bokovoy

On Tue, 29 Mar 2016, lejeczek wrote:
last - this must most FAQ people wonder - can IPA's 389 backend be 
used in the same/similar fashion samba uses ldap? skipping all the 
kerberos bits? (samba & IPA on the same one box)

For Samba and IPA on the same box, this is configured properly with
ipa-adtrust-install.
when I started I thought to make this samba<=>ipa chatter more 
constructive I should do ... so I wound up with samba(@openldap) 
having/using the same DN as IPA has in 389.
Will it work to do ipa-adtrust-install on that one box with samba+ipa?

Can you please re-phrase your question? What "it"? What "would work"?

I've said several times that on IPA master all you need to run is
ipa-adtrust-install and then use 'net conf addshare/delshare/setparm'
to configure specific shares, and use POSIX ACLs in your file system to
define access rules.

See
https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for a demo
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-29 Thread lejeczek

On 15/03/16 14:36, Alexander Bokovoy wrote:

On Tue, 15 Mar 2016, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any 
result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: 
groupofuniquenames,

groupofnames)

I see users went in but later I realized that current 
samba's ou was

"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in 
IPA.
thanks Rob, may I ask why process by defaults looks up 
only objectclass:

groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from 
ldap+samba.


Lastly, is there a way to preserve account 
locked/disabled status for

posix/samba?
I don't know how it is stored but as long as the schema 
is available in
IPA then the values should be preserved on migration 
unless the

attributes are associated with a blacklisted objectclass.

rob

last - this must most FAQ people wonder - can IPA's 389 
backend be used in the same/similar fashion samba uses 
ldap? skipping all the kerberos bits? (samba & IPA on the 
same one box)
For Samba and IPA on the same box, this is configured 
properly with

ipa-adtrust-install.
when I started I thought to make this samba<=>ipa chatter 
more constructive I should do ... so I wound up with 
samba(@openldap) having/using the same DN as IPA has in 389.
Will it work to do ipa-adtrust-install on that one box with 
samba+ipa?

many thanks
L.


It uses ipasam PASSDB module instead of ldapsam. This 
module knows IPA
LDAP schema and is capable of doing more than ldapsam, but 
effectively you
can use resulting Samba setup in the same way as you do 
with ldapsam.


The configuration is:

1. Install ipa-server-trust-ad (freeipa-server-trust-ad on 
Fedora)

2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file 
system. See
https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html 


for inspiration.





Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-19 Thread lejeczek

On 15/03/16 17:22, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 14:14, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any 
result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: 
groupofuniquenames,

groupofnames)

I see users went in but later I realized that 
current samba's ou was

"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists 
in IPA.
thanks Rob, may I ask why process by defaults looks up 
only

objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.

Is there a reason it skips ldap+samba typical 
posixGroup &

sambaGroupMapping?
We haven't had many (any?) reports of migrating from 
ldap+samba.


Lastly, is there a way to preserve account 
locked/disabled status for

posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration 
unless the

attributes are associated with a blacklisted objectclass.

rob

last - this must most FAQ people wonder - can IPA's 389 
backend be
used in the same/similar fashion samba uses ldap? 
skipping all the

kerberos bits? (samba & IPA on the same one box)
this might be more 389-ds related - in old days I 
remember DS had
mozldap dedicated toolset, how is it these days? How do 
users deal

with 389-ds IPA-related bits?

many thanks



now when I've groups migrated I see mappings user-group 
are lost. Would
it be because my groups did not go in first time together 
with users?


Need more info. What do you mean by mappings are lost?

yes, sorry, supplementary groups, these are there but I 
don't see id command confirms user is a member.

rob






Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden

Janelle wrote:

The groups don't go on the 2nd pass because they already went on the
first meant. I meant to reply to this the other day as I have had a lot
of experience with re-running migration. Group membership for an already
existing group, does NOT come over on the 2nd pass. I have found it is
better to start fresh if you want a clean migration. Or, better yet,
gather the group memberships via LDAP and migrate them by hand with a
friendly script. I threw one together to do that pretty easily.


Right, if a group already exists it is assumed to have either been 
migrated successfully or was a pre-existing group, in either case no 
further action is taken.


rob



~J

On 3/15/16 10:22 AM, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 14:14, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass:
groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou
was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only
objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob


last - this must most FAQ people wonder - can IPA's 389 backend be
used in the same/similar fashion samba uses ldap? skipping all the
kerberos bits? (samba & IPA on the same one box)
this might be more 389-ds related - in old days I remember DS had
mozldap dedicated toolset, how is it these days? How do users deal
with 389-ds IPA-related bits?

many thanks




now when I've groups migrated I see mappings user-group are lost. Would
it be because my groups did not go in first time together with users?


Need more info. What do you mean by mappings are lost?

rob







Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Janelle
The groups don't go on the 2nd pass because they already went on the 
first meant. I meant to reply to this the other day as I have had a lot 
of experience with re-running migration. Group membership for an already 
existing group, does NOT come over on the 2nd pass. I have found it is 
better to start fresh if you want a clean migration. Or, better yet, 
gather the group memberships via LDAP and migrate them by hand with a 
friendly script. I threw one together to do that pretty easily.


~J

On 3/15/16 10:22 AM, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 14:14, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search 
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: 
groupofuniquenames,

groupofnames)

I see users went in but later I realized that current samba's ou 
was

"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only
objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob


last - this must most FAQ people wonder - can IPA's 389 backend be
used in the same/similar fashion samba uses ldap? skipping all the
kerberos bits? (samba & IPA on the same one box)
this might be more 389-ds related - in old days I remember DS had
mozldap dedicated toolset, how is it these days? How do users deal
with 389-ds IPA-related bits?

many thanks




now when I've groups migrated I see mappings user-group are lost. Would
it be because my groups did not go in first time together with users?


Need more info. What do you mean by mappings are lost?

rob





Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden

lejeczek wrote:

On 15/03/16 15:57, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search
base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only
objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob

I don't think it works, I guess it matters how ipa tools map these
attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked users I wonder
how this works.
If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
unless "Account disabled" is for something else.


IPA/389-ds uses nsAccountLock to lock accounts.

and in my case it could not work for I had (anybody sane would too)
hashed pass in ldap userdb, am I right?


What won't work? Migrated user passwords will work just fine.


If one has hundreds of user s/he thinks, o! it'd be great to keep that
account enabled/disabled status - would there be a way around it?


IPA isn't designed to be an LDAP backend for Samba so there isn't a lot 
of direct integration with the schema. You could write a plugin to keep 
the two attributes in sync.


For those already migrated it should be pretty easy to write an LDAP 
search to find them and then for each user call ipa user-disable 


rob

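Added example, not code from the thread, from FreeIPA or from Samba, covering both Rob's suggestion above (an LDAP search for the locked accounts, then ipa user-disable for each) and Janelle's earlier point about re-creating lost group membership from the old directory by script. It assumes a saved LDIF dump of the old ldap+samba tree in which a shadow-locked account carries a leading "!" on its password hash and a Samba-disabled account has the D letter in sambaAcctFlags; the DNs and entries below are constructed sample data.

```shell
# Parse one LDIF line into globals $name/$val; handles the "attr:: base64" form
# ldapsearch uses for userPassword. Names are lower-cased (LDAP ignores case).
ldif_attr() {
    case $1 in
        *'::'*) name=${1%%::*}; val=$(printf '%s' "${1#*:: }" | base64 -d) ;;
        *':'*)  name=${1%%:*};  val=${1#*: } ;;
        *)      return 1 ;;
    esac
    name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
}

# Walk the LDIF entry by entry (a blank line ends an entry); call handler $1 per entry.
ldif_entries() {
    handler=$1; uid=; cn=; pw=; flags=; ocs=; members=
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then
            if [ -n "$uid$cn" ]; then "$handler"; fi
            uid=; cn=; pw=; flags=; ocs=; members=
            continue
        fi
        ldif_attr "$line" || continue
        case $name in
            uid)            uid=$val ;;
            cn)             cn=$val ;;
            userpassword)   pw=$val ;;
            sambaacctflags) flags=$val ;;
            objectclass)    ocs="$ocs $val" ;;
            memberuid)      members="$members $val" ;;
        esac
    done
    if [ -n "$uid$cn" ]; then "$handler"; fi   # last entry has no trailing blank line
}

# Handler: print the uid if the source account was locked, either shadow style
# ("!" before the hash, as "passwd -l" writes it) or via Samba's D flag, e.g. "[UD  ]".
emit_locked() {
    [ -n "$uid" ] || return 0              # not a user entry
    hash=${pw#\{*\}}                       # drop a "{crypt}"-style scheme prefix
    case $hash in '!'*) echo "$uid"; return 0 ;; esac
    case $flags in *D*) echo "$uid" ;; esac
}
# Handler: print "group member" for every memberUid of a posixGroup entry.
emit_members() {
    case $ocs in *posixGroup*) ;; *) return 0 ;; esac
    for m in $members; do echo "$cn $m"; done
}

locked_users()  { ldif_entries emit_locked; }    # LDIF on stdin -> locked uids
group_members() { ldif_entries emit_members; }   # LDIF on stdin -> "group user"
# Dry run: print the ipa commands for review instead of executing them.
plan_ipa_commands() {
    printf '%s\n' "$1" | locked_users  | while read -r u;   do echo "ipa user-disable $u"; done
    printf '%s\n' "$1" | group_members | while read -r g u; do echo "ipa group-add-member $g --users=$u"; done
}
# Constructed sample in "ldapsearch -x -LLL" shape: alice is active, bob is
# shadow-locked ({crypt}!...), dave carries Samba's D flag, devs is a posixGroup.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=test
uid: alice
userPassword:: e2NyeXB0fSQ2JGFiYyQxMjM=
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=example,dc=test
uid: bob
userPassword:: e2NyeXB0fSEkNiRhYmMkMTIz

dn: uid=dave,ou=people,dc=example,dc=test
uid: dave
sambaAcctFlags: [UD         ]

dn: cn=devs,ou=group,dc=example,dc=test
objectClass: posixGroup
cn: devs
memberUid: alice
memberUid: bob'
plan_ipa_commands "$SAMPLE_LDIF"
```

Run it against the real dump instead of SAMPLE_LDIF, check the printed commands against the source data, and only then pipe them to sh on an IPA master with an admin Kerberos ticket.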


Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 15/03/16 15:57, Rob Crittenden wrote:

lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any 
result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: 
groupofuniquenames,

groupofnames)

I see users went in but later I realized that current 
samba's ou was

"group" not groups.
Can I just re-run migrations?
Yes. It will skip over anything that already exists in 
IPA.
thanks Rob, may I ask why process by defaults looks up 
only objectclass:

groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?
We haven't had many (any?) reports of migrating from 
ldap+samba.


Lastly, is there a way to preserve account 
locked/disabled status for

posix/samba?
I don't know how it is stored but as long as the schema 
is available in
IPA then the values should be preserved on migration 
unless the

attributes are associated with a blacklisted objectclass.

rob
I don't think it works, I guess it matters how ipa tools 
map these

attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked 
users I wonder

how this works.
If I had posix !passwd in my ldap userdb then it's not 
reflected in IPA,

unless "Account disabled" is for something else.


IPA/389-ds uses nsAccountLock to lock accounts.
and in my case it could not work for I had (anybody sane 
would too) hashed pass in ldap userdb, am I right?
If one has hundreds of user s/he thinks, o! it'd be great to 
keep that account enabled/disabled status - would there be a 
way around it?


rob






Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden

lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob

I don't think it works, I guess it matters how ipa tools map these
attributes, I'm particularly looking at:
ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked users I wonder
how this works.
If I had posix !passwd in my ldap userdb then it's not reflected in IPA,
unless "Account disabled" is for something else.


IPA/389-ds uses nsAccountLock to lock accounts.

rob



Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob
I don't think it works, I guess it matters how ipa tools map 
these attributes, I'm particularly looking at:

ipa user-show
... Account disabled: False
sambaAcctFlags gets migrated over, but shadow locked 
users I wonder how this works.
If I had posix !passwd in my ldap userdb then it's not 
reflected in IPA, unless "Account disabled" is for something 
else.





Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Alexander Bokovoy

On Tue, 15 Mar 2016, lejeczek wrote:

On 15/03/16 13:42, Rob Crittenden wrote:

lejeczek wrote:

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

thanks Rob, may I ask why process by defaults looks up only objectclass:
groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.


Is there a reason it skips ldap+samba typical posixGroup &
sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.


Lastly, is there a way to preserve account locked/disabled status for
posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob

last - this must most FAQ people wonder - can IPA's 389 backend be 
used in the same/similar fashion samba uses ldap? skipping all the 
kerberos bits? (samba & IPA on the same one box)

For Samba and IPA on the same box, this is configured properly with
ipa-adtrust-install.

It uses ipasam PASSDB module instead of ldapsam. This module knows IPA
LDAP schema and is capable of doing more than ldapsam, but effectively you
can use resulting Samba setup in the same way as you do with ldapsam.

The configuration is:

1. Install ipa-server-trust-ad (freeipa-server-trust-ad on Fedora)
2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file system. See
https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for inspiration.

--
/ Alexander Bokovoy



Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread Rob Crittenden
lejeczek wrote:
> On 14/03/16 17:06, Rob Crittenden wrote:
>> lejeczek wrote:
>>> with...
>>>
>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>> groupofnames)
>>>
>>> I see users went in but later I realized that current samba's ou was
>>> "group" not groups.
>>> Can I just re-run migrations?
>> Yes. It will skip over anything that already exists in IPA.
> thanks Rob, may I ask why process by defaults looks up only objectclass:
> groupofuniquenames, groupofnames?

It is conservative but this is why it can be overridden.

> Is there a reason it skips ldap+samba typical posixGroup &
> sambaGroupMapping?

We haven't had many (any?) reports of migrating from ldap+samba.

> Lastly, is there a way to preserve account locked/disabled status for
> posix/samba?

I don't know how it is stored but as long as the schema is available in
IPA then the values should be preserved on migration unless the
attributes are associated with a blacklisted objectclass.

rob



Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-15 Thread lejeczek

On 14/03/16 17:06, Rob Crittenden wrote:

lejeczek wrote:

with...

ipa: ERROR: group LDAP search did not return any result (search base:
ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
groupofnames)

I see users went in but later I realized that current samba's ou was
"group" not groups.
Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.
thanks Rob, may I ask why process by defaults looks up only 
objectclass: groupofuniquenames, groupofnames?
Is there a reason it skips ldap+samba typical posixGroup & 
sambaGroupMapping?
Lastly, is there a way to preserve account locked/disabled 
status for posix/samba?

rob






Re: [Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-14 Thread Rob Crittenden
lejeczek wrote:
> with...
> 
> ipa: ERROR: group LDAP search did not return any result (search base:
> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
> groupofnames)
> 
> I see users went in but later I realized that current samba's ou was
> "group" not groups.
> Can I just re-run migrations?

Yes. It will skip over anything that already exists in IPA.

rob



[Freeipa-users] can migrate-ds be safely re-run if it failed...

2016-03-14 Thread lejeczek

with...

ipa: ERROR: group LDAP search did not return any result 
(search base: ou=groups,dc=ccnr,dc=biotechnology, 
objectclass: groupofuniquenames, groupofnames)


I see users went in but later I realized that current 
samba's ou was "group" not groups.

Can I just re-run migrations?

many thanks
L.
