[Freeipa-devel] [PATCH] 993 disable UPG for migration
Rob Crittenden
rcritten at redhat.com
Thu Mar 29 19:25:49 UTC 2012
Simo Sorce wrote:
> On Thu, 2012-03-29 at 11:27 -0400, Rob Crittenden wrote:
>>> This patch is much better and covers my previous concerns. I just find
>>> an issue with UPG. It is not created for non-posix users when UPGs are
>>> enabled:
>>>
>>> # echo "Secret123" | ipa migrate-ds ldap://ldap.example.com
>>> --with-compat --base-dn="dc=greyoak,dc=com"
>>> -----------
>>> migrate-ds:
>>> -----------
>>> Migrated:
>>> user: darcee_leeson, ayaz_kreiger, mnonposix, mollee_weisenberg
>>> group: ipagroup
>>> Failed user:
>>> Failed group:
>>> ----------
>>> Passwords have been migrated in pre-hashed format.
>>> IPA is unable to generate Kerberos keys unless provided
>>> with clear text passwords. All migrated users need to
>>> login at https://your.domain/ipa/migration/ before they
>>> can use their Kerberos accounts.
>>>
>>> # ipa user-show mnonposix
>>> User login: mnonposix
>>> First name: Mister
>>> Last name: Nonposix
>>> Home directory: /home/mnonposix
>>> Login shell: /bin/sh
>>> UID: 328000195
>>> GID: 328000195
>>> Org. Unit: Product Testing
>>> Job Title: Test User
>>> Account disabled: False
>>> Password: True
>>> Member of groups: ipausers
>>> Kerberos keys available: False
>>>
>>> # ipa group-show mnonposix
>>> ipa: ERROR: mnonposix: group not found
>>
>> Yes, I was always disabling UPG. I now allow it when migrating a
>> non-POSIX user.
>
> By this you mean you are now transforming a non-POSIX user into a POSIX
> user?
>
> What happens if someone has both POSIX and non-POSIX users on a server,
> do you mix them?

The existing POSIX users are migrated as-is, non-POSIX users become full
IPA users with UPG.

> I have the feeling we need an explicit flag to convert a non-POSIX user
> -> POSIX user, because that doesn't look to me like something people
> want to do by default.

What makes you say that?

rob