[Freeipa-users] Re: Changing domain name

2018-08-19 Thread Alfredo De Luca via FreeIPA-users
Thanks heaps Angus.  appreciated

/Alfredo

On Fri, 17 Aug 2018, 10:40 Angus Clarke wrote:

> You might find some useful tips here:
>
> https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html
>
> Not sure if they did drop their other scripts into github (as suggested
> two thirds down)
>
> Regards
> Angus
>
>
> On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi Rob. It worked. Thanks.
>> It was confusing for me the name *migrated *thinking was the new host
>> rather than the *"old"* .
>> Now users/groups are there and whoever has the password needs to connect
>> to the new server in order to recreate their password with kerberos. I
>> guess who has the ssh keys don't need to to that...right?
>>
>> Now I need to migrate manually the hbac,sudo etc
>>
>> Thanks
>>
>>
>> On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca 
>> wrote:
>>
>>> Thanks Rob. I ll give a try.
>>> CHeers

[Freeipa-users] Re: Changing domain name

2018-08-17 Thread Angus Clarke via FreeIPA-users
You might find some useful tips here:

https://www.redhat.com/archives/freeipa-users/2014-May/msg00158.html

Not sure if they did drop their other scripts into github (as suggested two
thirds down)

Regards
Angus


On 17 August 2018 at 10:09, Alfredo De Luca via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi Rob. It worked. Thanks.
> It was confusing for me the name *migrated *thinking was the new host
> rather than the *"old"* .
> Now users/groups are there and whoever has the password needs to connect
> to the new server in order to recreate their password with kerberos. I
> guess who has the ssh keys don't need to to that...right?
>
> Now I need to migrate manually the hbac,sudo etc
>
> Thanks
>
>
> On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca 
> wrote:
>
>> Thanks Rob. I ll give a try.
>> CHeers
>>
>> On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden 
>> wrote:
>>
>>> Alfredo De Luca via FreeIPA-users wrote:
>>> > Hi Florence.
>>> > But the example says  ldap://*migrated*.freeipa.server.test
>>> >
>>> > so I ran the command from the actual server where I want migrate the
>>> > users from and pointing to the migrated (so the new which I will
>>> migrate
>>> > to) server...
>>> > So is it wrong?
>>> > So should I run the command instead fron the new ipa server pointing to
>>> > the old server?
>>>
>>> The old server. You have been trying to migrate the server to itself.
>>>
>>> rob
>>>
>>> >
>>> >
>>> >
>>> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud >> > > wrote:
>>> >
>>> > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
>>> > > The IP is the new server where I'd like to migrate all the
>>> > user/groups
>>> > > to and it  should be ok.
>>> > > The migrate-ds is the default I copy from the freeipa.org
>>> > 
>>> > >  migration section..
>>> > >
>>> > Hi,
>>> >
>>> > the ldap URI should point to the server where the users are
>>> currently
>>> > defined (=the FROM server).
>>> >
>>> > Hope this clarifies,
>>> > flo
>>> > >
>>> > >
>>> > >
>>> > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden
>>> > mailto:rcrit...@redhat.com>
>>> > > >>
>>> wrote:
>>> > >
>>> > > Alfredo De Luca via FreeIPA-users wrote:
>>> > >  > Hi Rob.
>>> > >  > Yes. I am following the link you sent. So now I can
>>> understand
>>> > > they need
>>> > >  > to create the new Kerberos but given the command I should
>>> have
>>> > > seen all
>>> > >  > the users in the new freeipa server... which are not
>>> there.
>>> > >  > Maybe I put a wrong command? (below)
>>> > >  >
>>> > >  > ipa migrate-ds --bind-dn="cn=Directory Manager"
>>> > >  > --user-container=cn=users,cn=accounts
>>> --group-overwrite-gid
>>> > >  > --group-container=cn=groups,cn=accounts
>>> > > --group-objectclass=posixgroup
>>> > >  >
>>> > >
>>> >  --user-ignore-attribute={krbPrincipalName,krbextradata,
>>> krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,
>>> krbloginfailedcount,krbpasswordexpiration,krbticketflags,
>>> krbpwdpolicyreference,mepManagedEntry}
>>> > >  > --user-ignore-objectclass=mepOriginEntry --with-compat
>>> > >  > ldap://192.168.20.177:389 
>>> > 
>>> > > 
>>> > >  >
>>> > >  > Password:
>>> > >  > ---
>>> > >  > migrate-ds:
>>> > >  > ---
>>> > >  > Migrated:
>>> > >  >   group: admins, editors
>>> > >  > Failed user:
>>> > >  >   admin: This entry already exists
>>> > >  > Failed group:
>>> > >  > --
>>> > >  > Passwords have been migrated in pre-hashed format.
>>> > >  > IPA is unable to generate Kerberos keys unless provided
>>> > >  > with clear text passwords. All migrated users need to
>>> > >  > login at https://your.domain/ipa/migration/ before they
>>> > >  > can use their Kerberos accounts.
>>> > >
>>> > > It isn't finding any of your users. Are you sure that IP
>>> > address points
>>> > > to your existing IPA instance?
>>> > >
>>> > > rob
>>> > >
>>> > >
>>> > >
>>> > > --
>>> > > /Alfredo/
>>> > >
>>> > >
>>> > >
>>> > > ___
>>> > > FreeIPA-users mailing list -- freeipa-users@lists.
>>> fedorahosted.org
>>> > 
>>> > > To unsubscribe send an email to
>>> > freeipa-users-le...@lists.fedorahosted.org
>>> > 
>>> > > Fedora Code of Conduct: https://getfedora.org/code-of-
>>> 

[Freeipa-users] Re: Changing domain name

2018-08-17 Thread Alfredo De Luca via FreeIPA-users
Hi Rob. It worked. Thanks.
It was confusing for me the name *migrated* thinking was the new host
rather than the *"old"*.
Now users/groups are there and whoever has the password needs to connect to
the new server in order to recreate their password with kerberos. I guess
who has the ssh keys don't need to do that...right?

Now I need to migrate manually the hbac,sudo etc

Thanks


On Thu, Aug 16, 2018 at 4:00 PM Alfredo De Luca 
wrote:

> Thanks Rob. I ll give a try.
> CHeers
>
> On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden 
> wrote:
>
>> Alfredo De Luca via FreeIPA-users wrote:
>> > Hi Florence.
>> > But the example says  ldap://*migrated*.freeipa.server.test
>> >
>> > so I ran the command from the actual server where I want migrate the
>> > users from and pointing to the migrated (so the new which I will migrate
>> > to) server...
>> > So is it wrong?
>> > So should I run the command instead fron the new ipa server pointing to
>> > the old server?
>>
>> The old server. You have been trying to migrate the server to itself.
>>
>> rob
>>
>> >
>> >
>> >
>> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud > > > wrote:
>> >
>> > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
>> > > The IP is the new server where I'd like to migrate all the
>> > user/groups
>> > > to and it  should be ok.
>> > > The migrate-ds is the default I copy from the freeipa.org
>> > 
>> > >  migration section..
>> > >
>> > Hi,
>> >
>> > the ldap URI should point to the server where the users are
>> currently
>> > defined (=the FROM server).
>> >
>> > Hope this clarifies,
>> > flo
>> > >
>> > >
>> > >
>> > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden
>> > mailto:rcrit...@redhat.com>
>> > > >> wrote:
>> > >
>> > > Alfredo De Luca via FreeIPA-users wrote:
>> > >  > Hi Rob.
>> > >  > Yes. I am following the link you sent. So now I can
>> understand
>> > > they need
>> > >  > to create the new Kerberos but given the command I should
>> have
>> > > seen all
>> > >  > the users in the new freeipa server... which are not there.
>> > >  > Maybe I put a wrong command? (below)
>> > >  >
>> > >  > ipa migrate-ds --bind-dn="cn=Directory Manager"
>> > >  > --user-container=cn=users,cn=accounts --group-overwrite-gid
>> > >  > --group-container=cn=groups,cn=accounts
>> > > --group-objectclass=posixgroup
>> > >  >
>> > >
>> >
>>   
>> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
>> > >  > --user-ignore-objectclass=mepOriginEntry --with-compat
>> > >  > ldap://192.168.20.177:389 
>> > 
>> > > 
>> > >  >
>> > >  > Password:
>> > >  > ---
>> > >  > migrate-ds:
>> > >  > ---
>> > >  > Migrated:
>> > >  >   group: admins, editors
>> > >  > Failed user:
>> > >  >   admin: This entry already exists
>> > >  > Failed group:
>> > >  > --
>> > >  > Passwords have been migrated in pre-hashed format.
>> > >  > IPA is unable to generate Kerberos keys unless provided
>> > >  > with clear text passwords. All migrated users need to
>> > >  > login at https://your.domain/ipa/migration/ before they
>> > >  > can use their Kerberos accounts.
>> > >
>> > > It isn't finding any of your users. Are you sure that IP
>> > address points
>> > > to your existing IPA instance?
>> > >
>> > > rob
>> > >
>> > >
>> > >
>> > > --
>> > > /Alfredo/
>> > >
>> > >
>> > >
>> > > ___
>> > > FreeIPA-users mailing list --
>> freeipa-users@lists.fedorahosted.org
>> > 
>> > > To unsubscribe send an email to
>> > freeipa-users-le...@lists.fedorahosted.org
>> > 
>> > > Fedora Code of Conduct:
>> https://getfedora.org/code-of-conduct.html
>> > > List Guidelines:
>> > https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > > List Archives:
>> >
>> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/N3LK45PLAZOV3SA2TRNI6SYQKTNQQPF3/
>> > >
>> >
>> >
>> >
>> > --
>> > /Alfredo/
>> >
>> >
>> >
>> > ___
>> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> > To unsubscribe send an email to

[Freeipa-users] Re: Changing domain name

2018-08-16 Thread Alfredo De Luca via FreeIPA-users
Thanks Rob. I'll give a try.
Cheers

On Thu, Aug 16, 2018 at 2:31 PM Rob Crittenden  wrote:

> Alfredo De Luca via FreeIPA-users wrote:
> > Hi Florence.
> > But the example says  ldap://*migrated*.freeipa.server.test
> >
> > so I ran the command from the actual server where I want migrate the
> > users from and pointing to the migrated (so the new which I will migrate
> > to) server...
> > So is it wrong?
> > So should I run the command instead fron the new ipa server pointing to
> > the old server?
>
> The old server. You have been trying to migrate the server to itself.
>
> rob
>
> >
> >
> >
> > On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud  > > wrote:
> >
> > On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
> > > The IP is the new server where I'd like to migrate all the
> > user/groups
> > > to and it  should be ok.
> > > The migrate-ds is the default I copy from the freeipa.org
> > 
> > >  migration section..
> > >
> > Hi,
> >
> > the ldap URI should point to the server where the users are currently
> > defined (=the FROM server).
> >
> > Hope this clarifies,
> > flo
> > >
> > >
> > >
> > > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden
> > mailto:rcrit...@redhat.com>
> > > >> wrote:
> > >
> > > Alfredo De Luca via FreeIPA-users wrote:
> > >  > Hi Rob.
> > >  > Yes. I am following the link you sent. So now I can
> understand
> > > they need
> > >  > to create the new Kerberos but given the command I should
> have
> > > seen all
> > >  > the users in the new freeipa server... which are not there.
> > >  > Maybe I put a wrong command? (below)
> > >  >
> > >  > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > >  > --user-container=cn=users,cn=accounts --group-overwrite-gid
> > >  > --group-container=cn=groups,cn=accounts
> > > --group-objectclass=posixgroup
> > >  >
> > >
> >
>   
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > >  > --user-ignore-objectclass=mepOriginEntry --with-compat
> > >  > ldap://192.168.20.177:389 
> > 
> > > 
> > >  >
> > >  > Password:
> > >  > ---
> > >  > migrate-ds:
> > >  > ---
> > >  > Migrated:
> > >  >   group: admins, editors
> > >  > Failed user:
> > >  >   admin: This entry already exists
> > >  > Failed group:
> > >  > --
> > >  > Passwords have been migrated in pre-hashed format.
> > >  > IPA is unable to generate Kerberos keys unless provided
> > >  > with clear text passwords. All migrated users need to
> > >  > login at https://your.domain/ipa/migration/ before they
> > >  > can use their Kerberos accounts.
> > >
> > > It isn't finding any of your users. Are you sure that IP
> > address points
> > > to your existing IPA instance?
> > >
> > > rob
> > >
> > >
> > >
> > > --
> > > /Alfredo/
> > >
> > >
> > >
> > > ___
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > 
> > > To unsubscribe send an email to
> > freeipa-users-le...@lists.fedorahosted.org
> > 
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> >
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/N3LK45PLAZOV3SA2TRNI6SYQKTNQQPF3/
> > >
> >
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VPSB6HPG4J3ZGJHOPA3IQTRJ56GGS4ZR/
> >
>
>

-- 
*Alfredo*
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 

[Freeipa-users] Re: Changing domain name

2018-08-16 Thread Rob Crittenden via FreeIPA-users
Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence. 
> But the example says  ldap://*migrated*.freeipa.server.test
> 
> so I ran the command from the actual server where I want migrate the
> users from and pointing to the migrated (so the new which I will migrate
> to) server...
> So is it wrong? 
> So should I run the command instead fron the new ipa server pointing to
> the old server?

The old server. You have been trying to migrate the server to itself.

rob

> 
> 
> 
> On Thu, Aug 16, 2018 at 1:02 PM Florence Blanc-Renaud  > wrote:
> 
> On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
> > The IP is the new server where I'd like to migrate all the
> user/groups
> > to and it  should be ok.
> > The migrate-ds is the default I copy from the freeipa.org
> 
> >  migration section..
> >
> Hi,
> 
> the ldap URI should point to the server where the users are currently
> defined (=the FROM server).
> 
> Hope this clarifies,
> flo
> >
> >
> >
> > On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden
> mailto:rcrit...@redhat.com>
> > >> wrote:
> >
> >     Alfredo De Luca via FreeIPA-users wrote:
> >      > Hi Rob.
> >      > Yes. I am following the link you sent. So now I can understand
> >     they need
> >      > to create the new Kerberos but given the command I should have
> >     seen all
> >      > the users in the new freeipa server... which are not there.
> >      > Maybe I put a wrong command? (below)
> >      >
> >      > ipa migrate-ds --bind-dn="cn=Directory Manager"
> >      > --user-container=cn=users,cn=accounts --group-overwrite-gid
> >      > --group-container=cn=groups,cn=accounts
> >     --group-objectclass=posixgroup
> >      >
> >   
>  
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> >      > --user-ignore-objectclass=mepOriginEntry --with-compat
> >      > ldap://192.168.20.177:389 
> 
> >     
> >      >
> >      > Password:
> >      > ---
> >      > migrate-ds:
> >      > ---
> >      > Migrated:
> >      >   group: admins, editors
> >      > Failed user:
> >      >   admin: This entry already exists
> >      > Failed group:
> >      > --
> >      > Passwords have been migrated in pre-hashed format.
> >      > IPA is unable to generate Kerberos keys unless provided
> >      > with clear text passwords. All migrated users need to
> >      > login at https://your.domain/ipa/migration/ before they
> >      > can use their Kerberos accounts.
> >
> >     It isn't finding any of your users. Are you sure that IP
> address points
> >     to your existing IPA instance?
> >
> >     rob
> >
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> 
> > To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> 
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> 
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/N3LK45PLAZOV3SA2TRNI6SYQKTNQQPF3/
> >
> 
> 
> 
> -- 
> /Alfredo/
> 
> 
> 
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/VPSB6HPG4J3ZGJHOPA3IQTRJ56GGS4ZR/
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/I6PRD4VPDWDW3Q6GT2W4MTU6NQ2SCZAQ/
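A pre-flight and post-run check for the mistake diagnosed in this message, as an added example that is not part of the thread or of FreeIPA: it refuses an LDAP URI that resolves to the host running `ipa migrate-ds`, and it reads the command's summary to spot the "no users found" pattern. The function names and the sample summary layout are assumptions reconstructed from the output quoted in the thread.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample, modelled on the migrate-ds summary quoted in this thread.
SAMPLE_OUTPUT = """\
-----------
migrate-ds:
-----------
Migrated:
  group: admins, editors
Failed user:
  admin: This entry already exists
Failed group:
----------
Passwords have been migrated in pre-hashed format.
"""


def resolve(host):
    """Return the set of IP addresses a host name or IP literal resolves to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    # Strip any IPv6 scope id ("fe80::1%eth0") before parsing.
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def source_is_local(ldap_uri, local_addrs):
    """True if ldap_uri points at this machine, i.e. at the migration target.

    local_addrs is the list of addresses configured on the host where
    `ipa migrate-ds` is about to run (the new server).
    """
    host = urlsplit(ldap_uri).hostname
    if host is None:
        raise ValueError(f"no host in LDAP URI: {ldap_uri!r}")
    local = {ipaddress.ip_address(a) for a in local_addrs}
    return any(t.is_loopback or t in local for t in resolve(host))


def parse_summary(output):
    """Parse the summary into {'migrated': {type: [names]}, 'failed': {type: {name: reason}}}."""
    result = {"migrated": {}, "failed": {}}
    section = None
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or dashed separator
        if not line.startswith(" "):
            head = stripped.rstrip(":")
            if head == "Migrated":
                section = ("migrated", None)
            elif head.startswith("Failed "):
                section = ("failed", head.split(None, 1)[1])
            else:
                section = None  # banner or free text such as the password notice
            continue
        if section is None:
            continue
        key, _, value = stripped.partition(":")
        if section[0] == "migrated":
            names = [v.strip() for v in value.split(",") if v.strip()]
            result["migrated"][key.strip()] = names
        else:
            result["failed"].setdefault(section[1], {})[key.strip()] = value.strip()
    return result


def diagnose(output):
    """Classify a run: 'ok', 'no-users-found' or 'all-users-failed'."""
    summary = parse_summary(output)
    if summary["migrated"].get("user"):
        return "ok"
    failed_users = summary["failed"].get("user", {})
    # Only the built-in admin collided: the source held no other users, which is
    # what happens when the URI points at the freshly installed target.
    if set(failed_users) <= {"admin"}:
        return "no-users-found"
    return "all-users-failed"


if __name__ == "__main__":
    uri = "ldap://192.168.20.177:389"      # URI from the thread
    new_server_addrs = ["192.168.20.177"]  # constructed: addresses of the new server
    if source_is_local(uri, new_server_addrs):
        print("refusing: the LDAP URI points at this server, not the old one")
    print(diagnose(SAMPLE_OUTPUT))
```
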


[Freeipa-users] Re: Changing domain name

2018-08-16 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/16/2018 12:37 PM, Alfredo De Luca via FreeIPA-users wrote:
> The IP is the new server where I'd like to migrate all the user/groups
> to and it should be ok.
> The migrate-ds is the default I copy from the freeipa.org migration
> section..



Hi,

the ldap URI should point to the server where the users are currently 
defined (=the FROM server).


Hope this clarifies,
flo






[Freeipa-users] Re: Changing domain name

2018-08-16 Thread Alfredo De Luca via FreeIPA-users
The IP is the new server where I'd like to migrate all the user/groups to
and it  should be ok.
The migrate-ds is the default I copy from the freeipa.org migration
section..




On Tue, Aug 14, 2018 at 7:00 PM Rob Crittenden  wrote:

> Alfredo De Luca via FreeIPA-users wrote:
> > Hi Rob.
> > Yes. I am following the link you sent. So now I can understand they need
> > to create the new Kerberos but given the command I should have seen all
> > the users in the new freeipa server... which are not there.
> > Maybe I put a wrong command? (below)
> >
> > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > --user-container=cn=users,cn=accounts --group-overwrite-gid
> > --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> >
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > --user-ignore-objectclass=mepOriginEntry --with-compat
> > ldap://192.168.20.177:389 
> >
> > Password:
> > ---
> > migrate-ds:
> > ---
> > Migrated:
> >   group: admins, editors
> > Failed user:
> >   admin: This entry already exists
> > Failed group:
> > --
> > Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords. All migrated users need to
> > login at https://your.domain/ipa/migration/ before they
> > can use their Kerberos accounts.
>
> It isn't finding any of your users. Are you sure that IP address points
> to your existing IPA instance?
>
> rob
>


-- 
*Alfredo*


[Freeipa-users] Re: Changing domain name

2018-08-14 Thread Rob Crittenden via FreeIPA-users
Alfredo De Luca via FreeIPA-users wrote:
> Hi Rob. 
> Yes. I am following the link you sent. So now I can understand they need
> to create the new Kerberos but given the command I should have seen all
> the users in the new freeipa server... which are not there. 
> Maybe I put a wrong command? (below)
> 
> ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts --group-overwrite-gid
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://192.168.20.177:389 
> 
> Password:
> ---
> migrate-ds:
> ---
> Migrated:
>   group: admins, editors
> Failed user:
>   admin: This entry already exists
> Failed group:
> --
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.

It isn't finding any of your users. Are you sure that IP address points
to your existing IPA instance?

rob


[Freeipa-users] Re: Changing domain name

2018-08-14 Thread Rob Crittenden via FreeIPA-users
Alfredo De Luca via FreeIPA-users wrote:
> Hi Florence. Thanks again. I understand about the password hash... but
> does it mean all the users need to do that before migration? or after? 
> 
> Cause in the new ipa server can't see any of the users/groups.

Then I assume the migration failed?

I believe there is a chapter in the RHEL docs on migration and it is
also mentioned at https://www.freeipa.org/page/Howto/Migration

Users will need to re-authenticate themselves post-migration in order to
set their Kerberos credentials.

rob


[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Alfredo De Luca via FreeIPA-users
Hi Florence.
I created a new IPA server and tried to migrate but I got the following ...

*Passwords have been migrated in pre-hashed format.*
*IPA is unable to generate Kerberos keys unless provided*
*with clear text passwords. All migrated users need to*
*login at https://your.domain/ipa/migration/ before they*
*can use their Kerberos accounts.*

Alfredo


On Mon, Aug 13, 2018 at 2:04 PM Alfredo De Luca 
wrote:

> Thanks heaps Florence. Appreciated
>
> Alfredo
>
>
> On Mon, Aug 13, 2018 at 11:42 AM Florence Blanc-Renaud 
> wrote:
>
>> On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote:
>> > Hi Florence. yes this clarify my question. So or I will build an new
>> > FreeIPA then manually add all the users/groups etc ... or maybe import
>> > at least some users with some sort of ldap command?
>> >
>> Hi,
>>
>> FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1]
>>
>> Note that other objects need to be migrated manually (sudo, hbac, ...).
>> The procedure involves retrieving the objects with ldapsearch into a
>> ldif file, editing the ldif to replace the basedn, and importing to the
>> new server.
>>
>> There are a few knowledge base articles related to this topic, for
>> instance Migrating Your IDM Environment To a New Environment in RHEL 7
>> [2]. You may also find additional information in the users mailing list.
>>
>> HTH,
>> flo
>>
>> [1]
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
>> [2] https://access.redhat.com/articles/2949931
>>
>> > Cheers
>> >
>> >
>> > On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud > > > wrote:
>> >
>> > On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
>> >  > Hi all.
>> >  > We'd like to change the domain name on our freeipa (4.5.4 on
>> centos
>> >  > 7.5). Not the realm but only the domain
>> >  > is it doable?
>> >  > If so... how?
>> >  >
>> > Hi,
>> >
>> > unfortunately, no. Please have a look at IdM documentation, section
>> > Host
>> > Name and DNS Configuration [1]. It contains a big warning:
>> > Note that the primary DNS domain and Kerberos realm cannot be
>> changed
>> > after the installation.
>> >
>> > Hope this clarifies,
>> > flo
>> >
>> > [1]
>> >
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
>> >
>> >  > Cheers
>> >  >
>> >  >
>> >  > --
>> >  > /Alfredo/
>> >  >
>> >  >
>> >  >
>> >  > ___
>> >  > FreeIPA-users mailing list --
>> > freeipa-users@lists.fedorahosted.org
>> > 
>> >  > To unsubscribe send an email to
>> > freeipa-users-le...@lists.fedorahosted.org
>> > 
>> >  > Fedora Code of Conduct:
>> https://getfedora.org/code-of-conduct.html
>> >  > List Guidelines:
>> > https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >  > List Archives:
>> >
>> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/HG5BWVSUFHVZ5XT22OAHANND4P4UMJEE/
>> >  >
>> >
>> >
>> >
>> > --
>> > /Alfredo/
>> >
>> >
>> >
>> >
>>
>>
>
> --
> *Alfredo*
>
>

-- 
*Alfredo*
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/LY6JGEP2Q5MBLYFEPZ5QYRH26CWZ3H2M/


[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Alfredo De Luca via FreeIPA-users
Thanks heaps Florence. Appreciated

Alfredo


On Mon, Aug 13, 2018 at 11:42 AM Florence Blanc-Renaud 
wrote:

> On 08/13/2018 11:17 AM, Alfredo De Luca via FreeIPA-users wrote:
> > Hi Florence. Yes, this clarifies my question. So either I will build a new
> > FreeIPA then manually add all the users/groups etc ... or maybe import
> > at least some users with some sort of ldap command?
> >
> Hi,
>
> FreeIPA provides a tool to migrate users/groups: ipa migrate-ds, see [1]
>
> Note that other objects need to be migrated manually (sudo, hbac, ...).
> The procedure involves retrieving the objects with ldapsearch into a
> ldif file, editing the ldif to replace the basedn, and importing to the
> new server.
>
> There are a few knowledge base articles related to this topic, for
> instance Migrating Your IDM Environment To a New Environment in RHEL 7
> [2]. You may also find additional information in the users mailing list.
>
> HTH,
> flo
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
> [2] https://access.redhat.com/articles/2949931
>
> > Cheers
> >
> >
> > On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud wrote:
> >
> > On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
> >  > Hi all.
> >  > We'd like to change the domain name on our freeipa (4.5.4 on centos
> >  > 7.5). Not the realm but only the domain
> >  > is it doable?
> >  > If so... how?
> >  >
> > Hi,
> >
> > unfortunately, no. Please have a look at IdM documentation, section Host
> > Name and DNS Configuration [1]. It contains a big warning:
> > Note that the primary DNS domain and Kerberos realm cannot be changed
> > after the installation.
> >
> > Hope this clarifies,
> > flo
> >
> > [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
> >
> >  > Cheers
> >  >
> >  >
> >  > --
> >  > /Alfredo/
> >  >
> >  >
> >  >
> >  >
> >
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> >
>
>

-- 
*Alfredo*
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/72FUZIYGME2QABDAOPHYBS7NBV7B2XAO/
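
The LDIF-editing step Florence describes in the message above (replace the basedn in the ldapsearch output before importing), as an added example that is not part of the original thread or of FreeIPA's own tooling. It goes beyond a plain search-and-replace by handling folded lines and base64 values; `rebase_ldif`, the base DNs and the sample HBAC entry are constructed for illustration.

```python
import base64
import re

def unfold(ldif):
    """Join RFC 2849 continuation lines (physical lines starting with a space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def rebase_ldif(ldif, old_base, new_base):
    """Rewrite values ending in old_base; return (ldif, rewritten, needs_review)."""
    suffix = re.compile(r"(^|,)" + re.escape(old_base) + r"$", re.IGNORECASE)
    out, changed, review = [], 0, []
    for line in unfold(ldif):
        m = re.match(r"([A-Za-z0-9;.-]+)(::?)(?!<) *(.*)$", line)
        if not m:  # blank line, comment, "-" separator or URL-valued attribute
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if sep == "::":  # base64 value: decode it, leave binary data untouched
            try:
                value = base64.b64decode(value).decode("utf-8")
            except ValueError:  # bad base64 or not UTF-8 text
                out.append(line)
                continue
        value, n = suffix.subn(lambda s: s.group(1) + new_base, value)
        changed += n
        if old_base.lower() in value.lower():  # old base DN left mid-value
            review.append(attr)
        if sep == "::":  # keep base64 values base64-encoded on output
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
        out.append(f"{attr}{sep} {value}")
    return "\n".join(out) + "\n", changed, review

# Constructed sample (made-up names): folded memberUser, base64 description.
NOTE = "copi\u00e9 de dc=old,dc=test, \u00e0 revoir"
SAMPLE = (
    "dn: ipaUniqueID=11111111-2222-3333-4444-555555555555,cn=hbac,dc=old,dc=test\n"
    "objectClass: ipahbacrule\n"
    "memberUser: cn=admins,cn=groups,cn=accounts,dc=\n"
    " old,dc=test\n"
    "description:: " + base64.b64encode(NOTE.encode("utf-8")).decode("ascii") + "\n"
)

if __name__ == "__main__":
    print(*rebase_ldif(SAMPLE, "dc=old,dc=test", "dc=new,dc=test"), sep="\n")
```

Attributes returned in the review list still mention the old base DN somewhere other than the end of the value, so they need a manual look before the file is imported.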


[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Alfredo De Luca via FreeIPA-users
Hi Florence. Yes, this clarifies my question. So either I will build a new
FreeIPA then manually add all the users/groups etc ... or maybe import at
least some users with some sort of ldap command?

Cheers


On Mon, Aug 13, 2018 at 8:38 AM Florence Blanc-Renaud 
wrote:

> On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:
> > Hi all.
> > We'd like to change the domain name on our freeipa (4.5.4 on centos
> > 7.5). Not the realm but only the domain
> > is it doable?
> > If so... how?
> >
> Hi,
>
> unfortunately, no. Please have a look at IdM documentation, section Host
> Name and DNS Configuration [1]. It contains a big warning:
> Note that the primary DNS domain and Kerberos realm cannot be changed
> after the installation.
>
> Hope this clarifies,
> flo
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs
>
> > Cheers
> >
> >
> > --
> > /Alfredo/
> >
> >
> >
> >
>
>

-- 
*Alfredo*
___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/GPFF573QLX2JUFGKKCLCHWKJIKKICYDJ/


[Freeipa-users] Re: Changing domain name

2018-08-13 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/11/2018 06:11 PM, Alfredo De Luca via FreeIPA-users wrote:

> Hi all.
> We'd like to change the domain name on our freeipa (4.5.4 on centos
> 7.5). Not the realm but only the domain
> is it doable?
> If so... how?


Hi,

unfortunately, no. Please have a look at IdM documentation, section Host 
Name and DNS Configuration [1]. It contains a big warning:
Note that the primary DNS domain and Kerberos realm cannot be changed 
after the installation.


Hope this clarifies,
flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#dns-reqs



> Cheers
>
>
> --
> /Alfredo/





___
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/SQYAIY4IM4DVWFDGBJJSLVPCZN62WYYA/