[Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?

Martin Kosek mkosek at redhat.com
Wed Jun 10 13:33:08 UTC 2015


On 06/10/2015 03:18 PM, Tamas Papp wrote:
> hi,
> 
> Currently there are CentOS 6.5 servers and IPA 3.0.
> 
> The goal is migrating users to CentOS 7.1 and IPA 4.1.
> 
> This is the command I use:
> 
> 
> $ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo
> --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo --with-compat <
> ~/.pw.manager
> 
> 
> Users are migrated successfully but passwords must be reset, otherwise they
> cannot log on. Any idea what's going on?

My guess is that their Kerberos key is also migrated. The key is not valid on
the new installation, as the Kerberos master key is also different. So I would
suggest stripping the users of their Kerberos attributes first.

Some advice here:
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

> I also have a bonus question.
> How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
> export/import it as ldif and that's all?

Hmm, this should be all. Except if the users were members of, for example, roles
or privileges, you would need to migrate that membership too, as the mere presence
of the memberOf attribute in the sys account will not be enough.
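
The stripping step suggested in the reply above, sketched as an added example for an LDIF export of the user entries (not code from this thread or from the FreeIPA project). It assumes "Kerberos attributes" means every attribute whose name starts with `krb`, which the message does not spell out; the sample entries are constructed, and every other attribute, `userPassword` included, is left as it is.

```python
import base64

# Assumption: "Kerberos attributes" = every attribute whose name starts with
# "krb" (krbPrincipalKey, krbExtraData, ...); the message itself lists none.
KRB_PREFIX = "krb"

# Constructed sample export; the key value is folded as RFC 2849 allows.
SAMPLE = """\
dn: uid=alice,cn=users,cn=accounts,dc=foo
uid: alice
objectClass: krbprincipalaux
krbPrincipalName: alice@FOO
krbPrincipalKey:: AAECAwQFBgcICQoLDA0O
 Dw==
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: cn=editors,cn=groups,cn=accounts,dc=foo
cn: editors
"""

def unfold(ldif_text):
    """Join RFC 2849 folded lines (continuations start with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def strip_kerberos(ldif_text):
    """Return (cleaned_ldif, {dn: sorted names of removed attributes})."""
    out, removed, dn = [], {}, None
    for line in unfold(ldif_text):
        if not line or line.startswith("#"):
            dn = None if not line else dn   # a blank line ends the entry
            out.append(line)
            continue
        name, _, rest = line.partition(":")
        attr = name.split(";")[0].lower()   # drop options such as ;binary
        if attr == "dn":                    # "dn:: ..." is base64-encoded
            dn = (base64.b64decode(rest[1:].strip()).decode("utf-8")
                  if rest.startswith(":") else rest.strip())
        # Only attribute lines are dropped; objectClass values are untouched.
        if attr.startswith(KRB_PREFIX) and dn is not None:
            removed.setdefault(dn, set()).add(name.split(";")[0])
            continue
        out.append(line)
    return "\n".join(out) + "\n", {d: sorted(a) for d, a in removed.items()}
```

The returned report shows which entries carried Kerberos attributes, so the stripped LDIF can be reviewed before it is imported anywhere.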



