On Wed, 27 Sep 2023, Finn Fysj via FreeIPA-users wrote:
Finn Fysj via FreeIPA-users wrote:

If you migrate the Kerberos keys and principals they will be for the
original realm and will not work.

LDAP passwords are migrated by allowing password migration in
ipa-config. When this mode is enabled, if an LDAP bind occurs and there
are no Kerberos keys then they are generated automatically if they don't
already exist.


Because it sounds like you aren't using Kerberos at all.


RHEL and Fedora have used private user groups for decades now. The
definition being that when a user is created they get a group with the
same id and no members.

An IPA user-private group is similar in nature in that it has the same
uid/gid. It also lacks the objectclasses to allow members.

A migrated group will retain the same GID but is a regular group.

This is most noticeable when you have a lot of users, so therefore a lot
of private groups. Private groups are filtered out by default when
looking at the list of groups. That will not happen after migration.

I'm really not sure what your use-case is here. Do you have an existing
broken IPA server? I have the impression you are starting out new.

rob

Firstly thank you for taking your time, Rob.

We have an existing IPA server running on RHEL7 and our goal is to
create two new IPA servers on RHEL9 (master & replica).  We therefore
want to migrate USERS & GROUPS only from the existing IPA server using
ipa migrate-ds.  The end goal looks something like: only to use the IPA
servers as LDAP servers and load balance these two. It basically
gives us LDAP servers w/ GUI. Replacing FreeIPA is not an option.

I'm therefore curious what the risks may be if we're leaving out
migrating UPGs, and secondly your thoughts on this approach.

I would rather question why you want a migration of the IPA deployment instead
of just adding those two RHEL 9 servers into the existing deployment and
then retiring the old (RHEL 7) server.

Sure, this is not possible directly, only through a temporary RHEL 8
replica first, but that would keep all your data intact.

Please see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8
and
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
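Rob's point above (a migrated UPG keeps its GID but comes back as a regular, member-capable group that is no longer hidden from the group list) can be checked on the target directory. This is an added example, not code from the thread or from the FreeIPA project; it assumes the usual IPA schema, where a UPG carries objectClass mepManagedEntry and none of the member-capable classes (groupOfNames, ipaUserGroup), and works on entries shaped like LDAP search results.

```python
"""Spot migrated groups that were user-private groups (UPGs) on the old server.

Added example, not from the thread or the FreeIPA project. Assumes IPA UPGs
carry objectClass mepManagedEntry and no member-capable class, while regular
groups carry groupOfNames/ipaUserGroup (the usual IPA schema).
"""


def _classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def classify_groups(entries):
    """Return {cn: 'upg' | 'ex-upg' | 'regular'} for every posixGroup entry.

    'ex-upg' means: same name and GID as a user's uid/uidNumber (the UPG
    convention), but the group can hold members, i.e. it is now a regular
    group and will no longer be filtered out of the group list.
    """
    user_by_gid = {}  # uidNumber -> uid, for every posixAccount
    for e in entries:
        if "posixaccount" in _classes(e):
            user_by_gid[e["uidnumber"][0]] = e["uid"][0]
    result = {}
    for e in entries:
        classes = _classes(e)
        if "posixgroup" not in classes:
            continue
        cn, gid = e["cn"][0], e["gidnumber"][0]
        member_capable = bool(classes & {"groupofnames", "ipausergroup"})
        if "mepmanagedentry" in classes and not member_capable:
            result[cn] = "upg"
        elif user_by_gid.get(gid) == cn and member_capable:
            result[cn] = "ex-upg"
        else:
            result[cn] = "regular"
    return result


def ex_private_groups(entries):
    """Names of groups that look like UPGs turned into regular groups by migration."""
    return sorted(cn for cn, kind in classify_groups(entries).items() if kind == "ex-upg")


# Constructed sample shaped like LDAP search results; not real directory data.
SAMPLE = [
    {"objectclass": ["posixAccount"], "uid": ["alice"], "uidnumber": ["1001"]},
    {"objectclass": ["posixGroup", "mepManagedEntry"], "cn": ["alice"], "gidnumber": ["1001"]},
    {"objectclass": ["posixAccount"], "uid": ["bob"], "uidnumber": ["1002"]},
    {"objectclass": ["posixGroup", "groupOfNames", "ipaUserGroup"], "cn": ["bob"], "gidnumber": ["1002"]},
    {"objectclass": ["posixGroup", "groupOfNames", "ipaUserGroup"], "cn": ["admins"], "gidnumber": ["2000"]},
]

if __name__ == "__main__":
    for name in ex_private_groups(SAMPLE):
        print(f"{name}: former private group, now a regular group; review its membership")
```

On a real server the entries would come from an LDAP search under cn=accounts; the classification logic stays the same.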
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org