Re: [Freeipa-users] copying through intermediate host. SOLVED
Ok, so I managed to get this fixed. It turned out that I ssh port-forwarded in the wrong direction. So the solution is as follows:

    [workstation1]# ssh -L 9000:localhost:389 root@server1
    [server1]#

    [workstation1]# ssh -R 9100:localhost:9000 root@server2
    [server2]# echo password | ipa migrate-ds --bind-dn="cn=Directory Manager" \
        --user-container=cn=users,cn=accounts \
        --group-container=cn=groups,cn=accounts \
        --group-objectclass=posixgroup \
        --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
        --user-ignore-objectclass=mepOriginEntry \
        --with-compat ldap://localhost:9100
    ---
    migrate-ds:
    ---
    Migrated:
    --
    Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.

The main thing I missed was that I thought that the ldap:// URI in ipa migrate-ds should point to the receiving server, since the documentation explains that migrate-ds exports data. In reality, migrate-ds imports data from the mentioned LDAP URI into the locally running IPA server. So it should be run on the receiving host.

/tony

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
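The direction mistake in this thread only showed up as "Insufficient access: Invalid credentials" after migrate-ds had already been pointed at the tunnel. Since migrate-ds pulls from the ldap:// URI into the local server, the forwarded port has to reach the source directory and the bind DN/password has to be valid there. The following is an added example, not code from the thread or from FreeIPA: a standard-library Python preflight that performs one LDAP v3 simple bind over the forwarded port and reports the result code, so a wrong tunnel endpoint or a password for the wrong server is caught before any entries move. It implements just enough BER (RFC 4511 BindRequest/BindResponse) to do that; the host, port and bind DN are placeholders matching the thread's localhost:9100 / cn=Directory Manager setup, and the sample response bytes are constructed, not captured.

```python
"""Preflight simple-bind check for a forwarded LDAP port (added example, not from the thread)."""
import socket

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(v: int) -> bytes:
    """INTEGER with a minimal two's-complement body (non-negative values here)."""
    return ber_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    auth = ber_tlv(0x80, password.encode())                  # [0] simple (context-specific, primitive)
    bind = ber_integer(3) + ber_tlv(0x04, bind_dn.encode()) + auth
    return ber_tlv(0x30, ber_integer(message_id) + ber_tlv(0x60, bind))  # 0x60 = [APPLICATION 0]


def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos]; returns (tag, value, position after it).
    Raises IndexError when buf is too short, which the socket reader treats as 'need more'."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if pos + nbytes > len(buf):
            raise IndexError("truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise IndexError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msgid, pos = read_tlv(body, 0)
    optag, op, _ = read_tlv(body, pos)
    if optag != 0x61:                                        # 0x61 = [APPLICATION 1] BindResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % optag)
    _, code, pos = read_tlv(op, 0)                           # ENUMERATED resultCode
    _, matched, pos = read_tlv(op, pos)                      # LDAPDN matchedDN
    _, diag, _ = read_tlv(op, pos)                           # LDAPString diagnosticMessage
    return {
        "message_id": int.from_bytes(msgid, "big", signed=True),
        "result_code": int.from_bytes(code, "big", signed=True),
        "matched_dn": matched.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
    }


def explain(result: dict) -> str:
    """Turn a parsed BindResponse into the operator-facing verdict."""
    code = result["result_code"]
    if code == LDAP_SUCCESS:
        return "bind accepted: credentials are valid on the server behind this port"
    if code == LDAP_INVALID_CREDENTIALS:
        return "bind rejected (invalid credentials): wrong password, or the port leads to a different server"
    return "bind failed with resultCode %d: %s" % (code, result["diagnostic"] or "no diagnostic")


def check_bind(host: str, port: int, bind_dn: str, password: str, timeout: float = 5.0) -> dict:
    """Send one simple bind over a plain (non-TLS, as inside the ssh tunnel) connection and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1, bind_dn, password))
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed before sending a BindResponse")
            data += chunk
            try:
                read_tlv(data, 0)        # succeeds only once the whole LDAPMessage has arrived
                break
            except IndexError:
                continue
    return parse_bind_response(data)


# Constructed sample reply (not captured from a real server): resultCode 49 with
# the "Invalid credentials" diagnostic, so the decoder can be exercised offline.
SAMPLE_INVALID_CREDENTIALS = b"\x30\x1f\x02\x01\x01\x61\x1a\x0a\x01\x31\x04\x00\x04\x13Invalid credentials"

if __name__ == "__main__":
    import getpass
    # Run on the receiving IPA server against the forwarded port (placeholder values).
    res = check_bind("localhost", 9100, "cn=Directory Manager", getpass.getpass("bind password: "))
    print(explain(res))
```

Run it on the host where migrate-ds will run, against the same port you will pass in the ldap:// URI; a resultCode of 0 means both the tunnel and the credentials are right for that server, while 49 reproduces the thread's error before migrate-ds is involved. Anonymous ldapsearch alone, as used in the thread, cannot distinguish those two cases.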
Re: [Freeipa-users] copying through intermediate host.
Replying to myself here, I do that sometimes when I feel alone ;)

I actually tried ssh port forwarding and relaying through workstation1, like so:

    ssh -L 9000:localhost:389 root@server2    (in one terminal)
    ssh -R 9100:localhost:9000 root@server1   (in another terminal)

And then, on server1:

    echo password | ipa migrate-ds --bind-dn="cn=Directory Manager" \
        --user-container=cn=users,cn=accounts \
        --group-container=cn=groups,cn=accounts \
        --group-objectclass=posixgroup \
        --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
        --user-ignore-objectclass=mepOriginEntry \
        --with-compat ldap://localhost:9100

But I get:

    ipa: ERROR: Insufficient access: Invalid credentials

Even though the password _is_ correct and port 9100 is connected to ipa on server2:

    [server1]# ldapsearch -x -h localhost:9100 -b dc=server2,dc=server2net uid=admin
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: uid=admin
    # requesting: ALL
    #

    # admin, users, compat, server2.server2net
    dn: uid=admin,cn=users,cn=compat,dc=server2,dc=server2net
    cn: Administrator
    objectClass: posixAccount
    objectClass: ipaOverrideTarget

So, I can connect to server2 on server1's port 9100 but I can't get ipa migrate-ds to use it. And I did a kinit admin on server1 first ;)

Any suggestions are appreciated.

/tony

On Fri, 2016-07-08 at 08:50 +, Tony Brian Albers wrote:
> Hi Guys,
>
> I'm trying to copy relevant users and groups from one IPA
> server (server1) to another (server2). The thing is, they can't talk to one
> another; they can't even establish connections to something outside
> their own networks. SSH into the servers from where I am (workstation1)
> works fine for both of them.
>
> Is there a way to use ipa migrate-ds and get it to dump to a file that I
> can import on server2?
>
> The network layout is like this
>
> server1<>firewall2>>server2
>
> So, the firewalls allow connections from workstation1 to server1 and
> server2, but not from server1 to server2 or from either server1 or
> server2 to workstation1.
>
> The easy solution would be dumping the necessary info from the IPA
> server to a file and then importing it on the other server.
>
> Any suggestions? I've looked a bit at ssh port forwarding, but I can't
> really get an idea of how to relay the two connections to the servers to
> one another.
>
> Thanks,
>
> Tony
>
> --
> Best regards,
>
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316
[Freeipa-users] copying through intermediate host.
Hi Guys,

I'm trying to copy relevant users and groups from one IPA server (server1) to another (server2). The thing is, they can't talk to one another; they can't even establish connections to something outside their own networks. SSH into the servers from where I am (workstation1) works fine for both of them.

Is there a way to use ipa migrate-ds and get it to dump to a file that I can import on server2?

The network layout is like this

    server1<>firewall2>>server2

So, the firewalls allow connections from workstation1 to server1 and server2, but not from server1 to server2 or from either server1 or server2 to workstation1.

The easy solution would be dumping the necessary info from the IPA server to a file and then importing it on the other server.

Any suggestions? I've looked a bit at ssh port forwarding, but I can't really get an idea of how to relay the two connections to the servers to one another.

Thanks,

Tony

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316