HUANG, TONY wrote:
> Hello Rob,
>
> I just want to provide feedback that your command worked. I must have
> done something wrong initially. I am able to migrate all of the user
> private groups over to the new IPA, although they all became regular
> POSIX groups; at least I don't have to change permissions for 500+
> users. Thanks very much!
>
> Now my next goal is to try to do "ipa migrate-ds ..." in an Ansible
> task after a brand new IPA server install. Will be interesting to see
> how I can run this in an idempotent way ...
>
> Thanks Rob!

Sure thing, very glad you got it working. Thanks for following up.

cheers
rob

> --Tony
>
> On Thu, Apr 13, 2023 at 6:39 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>
> > HUANG, TONY wrote:
> > > Hi Rob,
> > >
> > > Just curious, does your old-ipa-server have User Private Group
> > > disabled or enabled? Same question goes for your newly migrated IPA
> > > server.
> >
> > Enabled on both.
> >
> > > I may end up disabling the use of User Private Group on the new
> > > server and default everyone to "ipausers" Group.
> >
> > I wouldn't get hung up on UPG. Internally it's a bit of a trick to
> > have a group without allowing other members. The user and group are
> > linked by the 389-ds managed entry plugin so that if the owner (user)
> > is removed, the group goes with it.
> >
> > Migration doesn't know how to deal with this, because it's
> > IPA-specific and it is more geared towards generic LDAP, so the mep*
> > attributes and objectclasses need to be dropped and it essentially
> > converts the private group into a general one.
> >
> > But this isn't your problem, I don't think. What you've been saying
> > is that the groups don't transfer at all.
> >
> > rob
> >
> > > I'll see what I can do about getting the logs out.
> > >
> > > Thanks very much Rob!
> > >
> > > Tony
> > >
> > > On Wed, Apr 12, 2023, 10:11 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > >
> > > > HUANG, TONY wrote:
> > > > > Hi Rob,
> > > > >
> > > > > I have been starting from scratch. I will check my logs again.
> > > > > My environment is disconnected from the Internet and I can't
> > > > > easily copy and paste to the thread. My IPA version is the same
> > > > > going from the old to the new (4.8 I believe). The reason I had
> > > > > to do an IPA to IPA migration is because my old one is not FIPS
> > > > > enabled whereas my new one is FIPS enabled; therefore, I can't
> > > > > just replicate it by promoting it.
> > > > >
> > > > > When your "ipa migrate-ds" worked for you, did you also get
> > > > > nobody as your group ownership on the files in your home
> > > > > directory? Similar to when I login to the client machine
> > > > > connected to the newly migrated IPA server, I get
> > > > > "/usr/bin/id Cannot find name with GID 6314001", and
> > > > > "ls -l /home/htony" shows htony : nobody on all of my files and
> > > > > directories.
> > > >
> > > > No, everything is looking fine. The nss commands like getent and
> > > > id all show the properly resolved group names.
> > > >
> > > > > Red Hat support is telling me to delete the users and re-create
> > > > > them ... which defeats the purpose of running ipa migrate-ds ...
> > > > > and I have many users and home directories on a NFS share.
> > > >
> > > > They may be confused by UPG. There is currently no way to add a
> > > > UPG to an existing user, so re-creating the user is the only way.
> > > >
> > > > > I am fine if there is no way to do this migration easily, but
> > > > > before coming to that conclusion I am trying to find a way
> > > > > forward.
> > > >
> > > > It's hard to help without seeing what is going on beyond the
> > > > symptom. Like I said, the migration cli I provided works for me.
> > > >
> > > > rob
> > > >
> > > > > Thanks again!
> > > > >
> > > > > --Tony
> > > > >
> > > > > On Tue, Apr 11, 2023 at 11:15 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > >
> > > > > > HUANG, TONY wrote:
> > > > > > > Hi Rob,
> > > > > > >
> > > > > > > I've asked Red Hat support, and the support engineer is
> > > > > > > telling me that it doesn't support migrating of User
> > > > > > > Private Group and has pointed me over to
> > > > > > > https://bugzilla.redhat.com/show_bug.cgi?id=1261536 The
> > > > > > > support engineer is also asking me to create new UPG.
> > > > > >
> > > > > > It's true that migrating UPG is not possible. The group is
> > > > > > converted into a standard group. You can't create UPG
> > > > > > manually by default. I was curious one day and worked out a
> > > > > > way to re-attach a group, but that's a different problem.
> > > > > >
> > > > > > I don't think you've ever said which version of IPA you are
> > > > > > migrating from/to. Versions sometimes can make a big
> > > > > > difference.
> > > > > >
> > > > > > You also aren't saying what you are doing in between
> > > > > > attempts. Are you fully starting over in between executions
> > > > > > or re-running migrate-ds? It would be truly helpful to see
> > > > > > the output of the command when groups fail to migrate. If it
> > > > > > fails it will say so. If it doesn't include the groups at
> > > > > > all then it isn't finding them.
> > > > > >
> > > > > > migrate-ds doesn't do anything particularly complicated. It
> > > > > > does LDAP searches for the various objects. For groups, since
> > > > > > you specified --group-objectclass=posixaccount it's going to
> > > > > > search for all of those. This should be visible in your
> > > > > > access log.
> > > > > >
> > > > > > This works for me:
> > > > > >
> > > > > > ipa migrate-ds --bind-dn="cn=Directory Manager"
> > > > > > --user-container=cn=users,cn=accounts
> > > > > > --group-container=cn=groups,cn=accounts
> > > > > > --group-objectclass=posixgroup
> > > > > > --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> > > > > > --user-ignore-objectclass mepOriginEntry
> > > > > > --group-ignore-attribute=mepmanagedby
> > > > > > --group-ignore-objectclass=mepmanagedEntry --with-compat
> > > > > > ldap://ipa.example.test
> > > > > >
> > > > > > > Now my question is if ipa migrate-ds doesn't support
> > > > > > > migration of UPG, then how do I move forward after running
> > > > > > > ipa migrate-ds? I currently have GIDs that don't associate
> > > > > > > to usernames and group file ownership is nobody.
> > > > > >
> > > > > > Like I said, it doesn't migrate UPG and continue to be UPG,
> > > > > > but it will migrate the groups.
> > > > > >
> > > > > > > Looking to see if anyone in the community has done an IPA
> > > > > > > to IPA migration ...
> > > > > >
> > > > > > Have you searched the list archives?
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > Thanks!
> > > > > > >
> > > > > > > On Mon, Apr 10, 2023 at 10:26 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > > >
> > > > > > > > HUANG, TONY wrote:
> > > > > > > > > I didn't get any errors regarding user private groups
> > > > > > > > > at all, and the UPGs didn't even get migrated to
> > > > > > > > > become regular POSIX UNIX groups either. They are just
> > > > > > > > > not there, so when I login I see a message complaining
> > > > > > > > > that /usr/bin/id cannot find my group name.
> > > > > > > >
> > > > > > > > They may not be reported as errors, just part of the
> > > > > > > > output.
> > > > > > > >
> > > > > > > > You might also want to look at your private groups in
> > > > > > > > the original IPA to ensure they have the posixgroup
> > > > > > > > objectclass. That is the search filter being used.
> > > > > > > >
> > > > > > > > rob
> > > > > > > >
> > > > > > > > > I've tried importing the entire cn=groups, but it
> > > > > > > > > didn't solve the missing UPG problem at all.
> > > > > > > > >
> > > > > > > > > On Mon, Apr 10, 2023, 9:59 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > > > > >
> > > > > > > > > > HUANG, TONY wrote:
> > > > > > > > > > > Rob,
> > > > > > > > > > >
> > > > > > > > > > > I've tried the command from the website below with
> > > > > > > > > > > the same result. Furthermore, at the FreeIPA to
> > > > > > > > > > > FreeIPA section it states "The command doesn't
> > > > > > > > > > > migrate user private groups.", which is very
> > > > > > > > > > > strange, because my migration becomes more
> > > > > > > > > > > complicated when I have to change group ownership
> > > > > > > > > > > and potentially user files.
> > > > > > > > > >
> > > > > > > > > > What that means is that after migration the groups
> > > > > > > > > > are no longer private. They are regular groups.
> > > > > > > > > >
> > > > > > > > > > > Am I doing something wrong here?
> > > > > > > > > >
> > > > > > > > > > What does the output of migrate-ds say about the
> > > > > > > > > > missing groups?
> > > > > > > > > >
> > > > > > > > > > rob
> > > > > > > > > >
> > > > > > > > > > > Thanks again for your help!
> > > > > > > > > > >
> > > > > > > > > > > Tony
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Apr 10, 2023, 9:06 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > HUANG, TONY wrote:
> > > > > > > > > > > > > Hi Rob,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks for the reply.
> > > > > > > > > > > > >
> > > > > > > > > > > > > User Private Group didn't get migrated. When I
> > > > > > > > > > > > > login I see Group number being a number.
> > > > > > > > > > > > >
> > > > > > > > > > > > > How do I migrate UPG over?
> > > > > > > > > > > >
> > > > > > > > > > > > I don't see why they didn't migrate in the first
> > > > > > > > > > > > place. Using your CLI *only* groups migrated for
> > > > > > > > > > > > me, not users, because of the error:
> > > > > > > > > > > >
> > > > > > > > > > > > tuser: attribute "mepManagedEntry" not allowed
> > > > > > > > > > > >
> > > > > > > > > > > > I'd suggest the migration command-line at
> > > > > > > > > > > > https://www.freeipa.org/page/Howto/Migration
> > > > > > > > > > > >
> > > > > > > > > > > > rob
> > > > > > > > > > > >
> > > > > > > > > > > > > Thanks very much!
> > > > > > > > > > > > >
> > > > > > > > > > > > > Tony
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Mon, Apr 10, 2023, 7:34 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Tony Super via FreeIPA-users wrote:
> > > > > > > > > > > > > > > Hello,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I am trying to migrate from an IPA server
> > > > > > > > > > > > > > > that has FIPS disabled to an IPA server
> > > > > > > > > > > > > > > that has FIPS enabled. Both the old and
> > > > > > > > > > > > > > > the new IPA will have DNS, CA, etc.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I ran: ipa migrate-ds
> > > > > > > > > > > > > > > --bind-dn="cn=Directory Manager"
> > > > > > > > > > > > > > > --user-container=cn=users,cn=accounts
> > > > > > > > > > > > > > > --group-container=cn=groups,cn=accounts
> > > > > > > > > > > > > > > --group-objectclass=posixgroup
> > > > > > > > > > > > > > > --user-ignore-objectclass=mepOriginEntry
> > > > > > > > > > > > > > > --with-compat ldap://oldipa.server.com
> > > > > > > > > > > > > > > However, when I login to a client machine
> > > > > > > > > > > > > > > connected to the new IPA server, my file
> > > > > > > > > > > > > > > ownership becomes htony : nobody.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > What steps have I missed within the
> > > > > > > > > > > > > > > migration process?
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I've tried exporting the cn=groups tree
> > > > > > > > > > > > > > > from the old IPA server into a LDIF and
> > > > > > > > > > > > > > > imported it to the new IPA server, but it
> > > > > > > > > > > > > > > did not solve the problem.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Did your user-private groups migrate? Is
> > > > > > > > > > > > > > there an htony group? What is the group
> > > > > > > > > > > > > > value in getent passwd htony?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > For everything else, DNS, sudoers,
> > > > > > > > > > > > > > > automount, etc., can I simply export from
> > > > > > > > > > > > > > > the old server and import into the new
> > > > > > > > > > > > > > > server?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Probably. It's possible you might have to
> > > > > > > > > > > > > > massage some of the entries but I don't know
> > > > > > > > > > > > > > of anything specific.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > I also have 100+ client machines, is there
> > > > > > > > > > > > > > > an easy way where I can unjoin the
> > > > > > > > > > > > > > > machines from old-ipa-server and then join
> > > > > > > > > > > > > > > to the new-ipa-server? (My infrastructure
> > > > > > > > > > > > > > > is Ansible-enabled)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Take a look at the ansible-freeipa project
> > > > > > > > > > > > > > (and not freeipa-ansible).
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
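As an added example (not code from the thread or from the FreeIPA project), a pre-flight check for the migrate-ds invocation Rob quotes in the thread: it applies the same --user-ignore-*/--group-ignore-* rules to an LDIF export of the old server's cn=accounts, turning each UPG into a plain posixgroup the way migrate-ds does, and lists the users whose gidNumber would match no migrated group, which is the "htony : nobody" / "Cannot find name with GID" symptom. The sample LDIF, the RULES table and the function names are constructed here; a group lacking the posixgroup objectclass is skipped, mirroring the posixgroup search filter Rob mentions.

```python
RULES = {  # selecting objectclass -> (attributes to drop, objectclasses to drop), lower-cased
    "posixaccount": ({"krbprincipalname", "krbextradata", "krblastfailedauth", "krblastpwdchange",
                      "krblastsuccessfulauth", "krbloginfailedcount", "krbpasswordexpiration",
                      "krbticketflags", "krbpwdpolicyreference", "mepmanagedentry"}, {"meporiginentry"}),
    "posixgroup": ({"mepmanagedby"}, {"mepmanagedentry"}),
}
# Constructed export: htony has a proper UPG; bob's private group lacks posixgroup, so the filter misses it.
SAMPLE_LDIF = """\
dn: uid=htony,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
objectClass: mepOriginEntry
gidNumber: 6314001
mepManagedEntry: cn=htony,cn=groups,cn=accounts,dc=example,dc=test

dn: cn=htony,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
objectClass: mepManagedEntry
cn: htony
gidNumber: 6314001
mepManagedBy: uid=htony,cn=users,cn=accounts,dc=example,dc=test

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
gidNumber: 6314002

dn: cn=bob,cn=groups,cn=accounts,dc=example,dc=test
objectClass: mepManagedEntry
cn: bob
gidNumber: 6314002
"""

def parse_ldif(text):
    """Minimal LDIF parser (unfolds continuation lines, no base64 values): one dict per entry."""
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.lower(), []).append(value.strip())
        elif cur:  # blank line terminates an entry
            entries.append(cur)
            cur = {}
    return entries

def migrate(entries):
    """Keep entries matched by the migrate-ds filters and apply RULES; a UPG comes out as a plain group."""
    out = {kind: [] for kind in RULES}
    for e in entries:
        ocs = [oc.lower() for oc in e.get("objectclass", [])]
        for kind, (drop_attrs, drop_ocs) in RULES.items():
            if kind in ocs:
                kept = {a: v for a, v in e.items() if a not in drop_attrs}
                kept["objectclass"] = [oc for oc in ocs if oc not in drop_ocs]
                out[kind].append(kept)
                break
    return out["posixaccount"], out["posixgroup"]

def orphan_gids(users, groups):
    """DNs of users whose gidNumber no migrated group carries: these show as 'nobody' on clients."""
    known = {g["gidnumber"][0] for g in groups if "gidnumber" in g}
    return sorted(u["dn"][0] for u in users if u.get("gidnumber", [""])[0] not in known)
```

Feed it the output of an ldapsearch of cn=accounts on the old server in LDIF form; any DN it reports needs a group carrying that gidNumber created or fixed before clients are pointed at the new server.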