HUANG, TONY wrote:
> Rob,
> 
> I've tried the command from the website below with the same result.
> Furthermore, at the FreeIPA to FreeIPA section it states "The command
> doesn't migrate user private groups.", which is very strange, because my
> migration becomes more complicated when I have to change group ownership
> and potentially user files.

What that means is that after migration the groups are no longer private.
They are regular groups.

> Am I doing something wrong here?

What does the output of migrate-ds say about the missing groups?

rob

> 
> Thanks again for your help!
> 
> 
> Tony
> 
> 
> On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> 
>     HUANG, TONY wrote:
>     > Hi Rob,
>     >
>     > Thanks for the reply. 
>     >
>     > User Private Group didn't get migrated. When I log in I see Group number
>     > being a number. 
>     >
>     > How do I migrate UPG over?
> 
>     I don't see why they didn't migrate in the first place. Using your CLI
>     *only* groups migrated for me, not users, because of the error:
> 
>       tuser: attribute "mepManagedEntry" not allowed
> 
>     I'd suggest the migration command-line at
>     https://www.freeipa.org/page/Howto/Migration
> 
>     rob
> 
>     >
>     > Thanks very much!
>     >
>     >
>     > Tony
>     >
>     >
>     > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>     >
>     >     Tony Super via FreeIPA-users wrote:
>     >     > Hello,
>     >     >
>     >     > I am trying to migrate from an IPA server that has FIPS
>     >     > disabled to an IPA server that has FIPS enabled. Both the old and
>     >     > the new IPA will have DNS, CA, and etc.
>     >     >
>     >     > I ran: ipa migrate-ds --bind-dn="cn=Directory Manager"
>     >     > --user-container=cn=users,cn=accounts
>     >     > --group-container=cn=groups,cn=accounts
>     >     > --group-objectclass=posixgroup
>     >     > --user-ignore-objectclass=mepOriginEntry --with-compat
>     >     > ldap://oldipa.server.com
>     >     > However, when I log in to a client machine connected to the new
>     >     > IPA server, my file ownership becomes htony : nobody.
>     >     >
>     >     > What steps have I missed within the migration process?
>     >     >
>     >     > I've tried exporting cn=groups tree from the old IPA server into a
>     >     > LDIF and imported to the new IPA server, but it did not solve the
>     >     > problem.
>     >
>     >     Did your user-private groups migrate? Is there an htony group? What is
>     >     the group value in getent passwd htony?
>     >
>     >     > For everything else, DNS, sudoers, automount, and etc, can I
>     >     > simply export from the old server and import into the new server?
>     >
>     >     Probably. It's possible you might have to massage some of the entries
>     >     but I don't know of anything specific.
>     >
>     >     > I also have 100+ client machines, is there an easy way where I can
>     >     > unjoin the machines from old-ipa-server and then join to the
>     >     > new-ipa-server? (My infrastructure is Ansible-enabled)
>     >
>     >     Take a look at the ansible-freeipa project (and not freeipa-ansible).
>     >
>     >     rob
>     >
> 
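
The check Rob asks for in the thread (what group does `getent passwd htony` report, and does that group exist?) can be run over every migrated account at once. This is an added example, not part of the thread or of FreeIPA; the function names `primary_groups` and `orphan_users` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are passwd(5)- and group(5)-format
# files; SSSD does not enumerate by default, so on a client build them from
# per-name lookups such as `getent passwd htony` and `getent group <gid>`.

# primary_groups PASSWD_FILE GROUP_FILE
# Prints "user:gid:groupname", with "MISSING" when no group owns that GID.
primary_groups() {
    awk -F: '
        FILENAME == ARGV[1] { if (NF >= 3) name[$3] = $1; next }  # group lines
        NF >= 4 { print $1 ":" $4 ":" (($4 in name) ? name[$4] : "MISSING") }
    ' "$2" "$1"
}

# orphan_users PASSWD_FILE GROUP_FILE
# Users whose primary GID resolves to no group (the "htony : nobody" symptom).
orphan_users() {
    primary_groups "$1" "$2" | awk -F: '$3 == "MISSING" { print $1 }'
}

# Constructed sample data: htony's private group was not migrated, tuser's was.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
htony:*:1000:1000:Tony Example:/home/htony:/bin/bash
tuser:*:1001:1001:Test User:/home/tuser:/bin/bash
EOF
cat > "$demo_dir/group" <<'EOF'
tuser:*:1001:
admins:*:5000:admin
EOF

primary_groups "$demo_dir/passwd" "$demo_dir/group"
```

A user whose third field matches their own login name had a group of the same name migrated; per Rob's reply, that group is now a regular group rather than a private one.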
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org