[Freeipa-users] Migrate users with password from one IPA to another

Rob Crittenden rcritten at redhat.com
Thu Aug 25 17:44:44 UTC 2016


Rene Trippen wrote:
> Hi,
>
> I've got an IPA with a broken CA infrastructure (don't know what
> happened, but new clients cannot be registered)
> It is not even possible to set up a new replica.

It may be fairly straightforward to get the CA back up. How is it 
broken?

> So, I wanted to set up a new IPA Server with new CA, and I want to move
> all users with their passwords to the new IPA instance.
> I've tried with 'ipa migrate-ds'
>
> ipa migrate-ds --continue --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --group-overwrite-gid --with-compat ldap://<ldapserver>
>
> The output is OK
> =======
> Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
> ========
>
> But the ipa/migration website is not working for me.
> Anyway, is there a way to export the users with passwords? I think I
> have to export some kerberos specific stuff from the old IPA?

The log file /var/log/httpd/error_log may have details on what isn't 
working.

The way to export users with passwords is the method you've already 
tried. To not have to change a password at all would require the same 
Kerberos master key and these are generated randomly at install time.

rob
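
An added example, not part of the original thread and not FreeIPA's own code: after `ipa migrate-ds`, an account that carries a migrated `userPassword` hash but no `krbPrincipalKey` has not yet had Kerberos keys generated and still needs to log in at the migration page. The script below lists such accounts from an LDIF export; the sample entries, the `dc=example,dc=test` suffix and the function names are constructed, and it assumes the export was taken with a bind (such as Directory Manager) that is allowed to read both attributes.

```python
import base64

# Constructed sample export: alice has keys, bob has only a (folded) hash, carol has neither.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword:: e1NTSEF9AAAAAAAA
krbPrincipalKey:: AAAAAAAA

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
userPassword:: e1NTSEF9AAAA
 AAAAAAAA

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
"""

def parse_ldif(text):
    """Yield one dict per LDIF entry: lower-cased attribute -> list of bytes values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folding: leading space continues a line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: ..." marks a base64-encoded value
                data = base64.b64decode(value[1:].strip())
            else:
                data = value.strip().encode()
            entry.setdefault(name.lower(), []).append(data)

def pending_migration(text):
    """Return uids that have a password hash but no Kerberos key yet."""
    return sorted(
        e["uid"][0].decode() for e in parse_ldif(text)
        if "uid" in e and "userpassword" in e and "krbprincipalkey" not in e
    )

if __name__ == "__main__":
    print("\n".join(pending_migration(SAMPLE_LDIF)))
```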
