[Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?

Tamas Papp tompos at martos.bme.hu
Mon Jun 15 13:21:02 UTC 2015



On 06/10/2015 03:33 PM, Martin Kosek wrote:
> On 06/10/2015 03:18 PM, Tamas Papp wrote:
>> hi,
>>
>> Currently there are CentOS 6.5 servers and IPA 3.0.
>>
>> The goal is migrating users to CentOS 7.1 and IPA 4.1.
>>
>> This is the command I use:
>>
>>
>> $ ipa migrate-ds ldap://ipa11 --user-container=cn=users,cn=accounts,dc=foo
>> --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo --with-compat <
>> ~/.pw.manager
>>
>>
>> Users are migrated successfully but password must be reset, otherwise they
>> cannot logon. Any idea, what's going on?
> My guess is that their Kerberos key is also migrated. The key is not valid on
> the new installation as also Kerberos master key is different. So I would
> suggest stripping the users from their Kerberos attributes first.
>
> Some advice here:
> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>
>> I also have a bonus question.
>> How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
>> export/import it as ldif and that's all?
> Hmm, this should be all. Except if the users were members of, for example, roles
> or privileges, you would need to migrate that membership too, as the mere presence
> of the memberOf attribute in the sys account will not be enough.

hi,

Eventually this still doesn't work as expected.
After migrating users, they cannot log in to the webui.

However, after logging in successfully without Kerberos, in other words
in a service bound to the LDAP server, they can log in fine on the webui too.
It's enough in our case, but normally it's not OK, I guess.


10x
tamas
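
Added example, not part of the original thread or of FreeIPA: one way to strip Kerberos attributes, as suggested in the quoted reply, from an LDIF export of user entries. The attribute list, the sample entries and the FOO realm are assumptions constructed for illustration; the thread itself only says "Kerberos attributes".

```python
import re
from collections import Counter

# Assumption: attributes to drop. krbPrincipalKey holds the key material that
# is bound to the old Kerberos master key; the others are password-state data.
DROP = {"krbprincipalkey", "krbextradata", "krblastpwdchange",
        "krbpasswordexpiration"}

# Constructed sample export (values are placeholders, not real keys or hashes).
SAMPLE = """\
dn: uid=alice,cn=users,cn=accounts,dc=foo
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalName: alice@FOO
krbPrincipalKey:: Q09OU1RSVUNURURLRVlCTE9C
 Q09OU1RSVUNURURLRVk=
krbLastPwdChange: 20150610131800Z

dn: cn=devs,cn=groups,cn=accounts,dc=foo
cn: devs
"""

def strip_attrs(ldif_text, drop=DROP):
    """Return (cleaned_ldif, Counter of removed values keyed by DN)."""
    # RFC 2849 folding: a line starting with one space continues the previous
    # line, so unfold first or the tail of a base64 key would survive.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    removed, out = Counter(), []
    for record in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        dn, kept = None, []
        for line in record.splitlines():
            if line.startswith("#"):          # LDIF comment line
                continue
            # "attr: v", "attr:: base64" and "attr;option: v" share the name part.
            name = re.split(r"[:;]", line, maxsplit=1)[0].strip().lower()
            if name == "dn":
                dn = line.split(":", 1)[1].lstrip(": ")
            if name in drop:
                removed[dn] += 1
                continue
            kept.append(line)
        out.append("\n".join(kept))
    return "\n\n".join(out) + "\n", removed

if __name__ == "__main__":
    cleaned, removed = strip_attrs(SAMPLE)
    print(cleaned, dict(removed), sep="\n")
```

userPassword is kept on purpose: it is what an LDAP bind, like the one described in the message above, authenticates against.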



