[Freeipa-users] export users/groups from one ipa server to another
Martin Kosek
mkosek at redhat.com
Mon Jan 20 08:21:27 UTC 2014
On 01/17/2014 11:06 PM, Dmitri Pal wrote:
> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>> Les Stott wrote:
>>>> The first time your migrated production users authenticate with their
>>>> password their Kerberos credentials will be generated.
>>>
>>> Is there a way to avoid this?
>>>
>>> I had to do that for importing shadow files originally in DR. now,
>>> i'm going from freeipa to freeipa. if i export kerberos attributes
>>> will that avoid users having to regenerate the kerberos credentials?
>>
>> No. The kerberos master keys are different.
>
> Unless you want to copy master keys over.
> This is a complex manual procedure. You can probably find it in the
> archives as we helped people with it couple times but it is not recommended.
>
> May be we should open an RFE to develop a tool that would do
> ipa-migrate-ipa and can be used to move data from POC to production.
We have a RFE open for that feature already:
https://fedorahosted.org/freeipa/ticket/3656
I added a reference to this discussion on the list. Contributions or other
ideas are very welcome!
Martin
More information about the Freeipa-users
mailing list