Tamas Papp wrote:


On 06/10/2015 03:35 PM, Martin Kosek wrote:
On 06/10/2015 03:32 PM, Christopher Lamb wrote:
Hi Tamas

I think the general advice is to replicate rather than to migrate. I am
sure Martin K will jump in on this.
Yes :-)

However some weeks ago, when doing a very similar move to yours, we chose
to migrate (we were misled by some very old FreeIPA docs that have since
been archived).

In our case passwords were successfully migrated, so the users were able to
use the same user / password combo as before.


I will see if I can dig out the migrate command we used at the time.
Did you use the migration command advised in
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA ?

hi Martin,

https://www.freeipa.org/page/Howto/Migration#Upgrading_to_new_FreeIPA_release


I would be satisfied with this procedure.

However, earlier you (actually Dmitri) posted a different one:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html



Which is the right one?
In my opinion the second one is too complicated, I would rather choose
'ipa migrate-ds' (we don't have machine accounts).

They are both right, in the right context.

While there are a number of steps involved in creating an EL 7 master from an EL 6 install, you retain all current data, and clients, assuming you are using DNS SRV records, probably won't notice at all.

ipa-migrate-ds only migrates users and groups so you'll lose all sudo, HBAC, automount, automember and more rules, plus netgroups and hostgroups. You'd have to manually re-add all of these. You'll also end up with a new CA (with the same name) and have to re-enroll all your clients.

Creating a new master is probably a lot easier and less disruptive. You'd want to leave both the EL 6 and 7 masters running for a bit (probably days, not months) to be sure everything is working ok. Be sure to add a new user or group on the EL 7 master before decommissioning the EL 6 one. And don't forget to use the --setup-ca option when creating the EL 7 master.

rob
