[Freeipa-devel] [PATCH] 993 disable UPG for migration
Simo Sorce
simo at redhat.com
Thu Mar 29 19:27:58 UTC 2012
On Thu, 2012-03-29 at 15:25 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2012-03-29 at 11:27 -0400, Rob Crittenden wrote:
> >>> This patch is much better and covers my previous concerns. I just find
> >>> an issue with UPG. It is not created for non-posix users when UPGs are
> >>> enabled:
> >>>
> >>> # echo "Secret123" | ipa migrate-ds ldap://ldap.example.com
> >>> --with-compat --base-dn="dc=greyoak,dc=com"
> >>> -----------
> >>> migrate-ds:
> >>> -----------
> >>> Migrated:
> >>> user: darcee_leeson, ayaz_kreiger, mnonposix, mollee_weisenberg
> >>> group: ipagroup
> >>> Failed user:
> >>> Failed group:
> >>> ----------
> >>> Passwords have been migrated in pre-hashed format.
> >>> IPA is unable to generate Kerberos keys unless provided
> >>> with clear text passwords. All migrated users need to
> >>> login at https://your.domain/ipa/migration/ before they
> >>> can use their Kerberos accounts.
> >>>
> >>> # ipa user-show mnonposix
> >>> User login: mnonposix
> >>> First name: Mister
> >>> Last name: Nonposix
> >>> Home directory: /home/mnonposix
> >>> Login shell: /bin/sh
> >>> UID: 328000195
> >>> GID: 328000195
> >>> Org. Unit: Product Testing
> >>> Job Title: Test User
> >>> Account disabled: False
> >>> Password: True
> >>> Member of groups: ipausers
> >>> Kerberos keys available: False
> >>>
> >>> # ipa group-show mnonposix
> >>> ipa: ERROR: mnonposix: group not found
> >>
> >> Yes, I was always disabling UPG. I now allow it when migrating a
> >> non-POSIX user.
> >
> > By this you mean you are now transforming a non-POSIX user into a POSIX
> > user?
> >
> > What happens if someone has both POSIX and non-POSIX users on a server,
> > do you mix them?
>
> The existing POSIX users are migrated as-is, non-POSIX users become full
> IPA users with UPG.
>
> > I have the feeling we need an explicit flag to convert a non-POSIX user
> > -> POSIX user, because that doesn't look to me like something people
> > want to do by default.
>
> What makes you say that?
Well, if I had non-POSIX users in my directory they would be some sort of
address book, and I certainly wouldn't want them converted into POSIX
users in FreeIPA.
Simo.
--
Simo Sorce * Red Hat, Inc * New York