[Freeipa-users] copying through intermediate host. SOLVED

[Tony Brian Albers]

Ok, so I managed to get this fixed, It turned out that I ssh
port-forwarded in the wrong direction.  So the solution is as follows:

[workstation1]# ssh -L 9000:localhost:389 root at server1
[server1]# 

[workstation1]# ssh -R 9100:localhost:9000 root at server2
[server2]# echo password | ipa migrate-ds --bind-dn="cn=Directory
Manager" --user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://localhost:9100
-----------
migrate-ds:
-----------
Migrated: 
............
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.



The main thing I missed was that I thought that the ldap:// URI in ipa
migrate-ds should point to the receiving server, since the documentation
explains that migrate-ds exports data. In reality, migrate-ds imports
data from the mentioned ldap uri and into the locally running ipa
server. So it should be run on the receiving host.

/tony





-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316