[Freeipa-devel] [PATCH] 993 disable UPG for migration
Simo Sorce
simo at redhat.com
Thu Mar 29 19:04:42 UTC 2012
On Thu, 2012-03-29 at 11:27 -0400, Rob Crittenden wrote:
> > This patch is much better and covers my previous concerns. I just find
> > an issue with UPG. It is not created for non-posix users when UPGs are
> > enabled:
> >
> > # echo "Secret123" | ipa migrate-ds ldap://ldap.example.com
> > --with-compat --base-dn="dc=greyoak,dc=com"
> > -----------
> > migrate-ds:
> > -----------
> > Migrated:
> > user: darcee_leeson, ayaz_kreiger, mnonposix, mollee_weisenberg
> > group: ipagroup
> > Failed user:
> > Failed group:
> > ----------
> > Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords. All migrated users need to
> > login at https://your.domain/ipa/migration/ before they
> > can use their Kerberos accounts.
> >
> > # ipa user-show mnonposix
> > User login: mnonposix
> > First name: Mister
> > Last name: Nonposix
> > Home directory: /home/mnonposix
> > Login shell: /bin/sh
> > UID: 328000195
> > GID: 328000195
> > Org. Unit: Product Testing
> > Job Title: Test User
> > Account disabled: False
> > Password: True
> > Member of groups: ipausers
> > Kerberos keys available: False
> >
> > # ipa group-show mnonposix
> > ipa: ERROR: mnonposix: group not found
>
> Yes, I was always disabling UPG. I now allow it when migrating a
> non-POSIX user.

By this you mean you are now transforming a non-POSIX user into a POSIX
user?

What happens if someone has both POSIX and non-POSIX users on a server,
do you mix them?

I have the feeling we need an explicit flag to convert a non-POSIX user
-> POSIX user, because that doesn't look to me like something people
want to do by default.

Simo.
--
Simo Sorce * Red Hat, Inc * New York