[Freeipa-users] can migrate-ds be safely re-run if it failed...

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 15 14:36:34 UTC 2016


On Tue, 15 Mar 2016, lejeczek wrote:
>On 15/03/16 13:42, Rob Crittenden wrote:
>>lejeczek wrote:
>>>On 14/03/16 17:06, Rob Crittenden wrote:
>>>>lejeczek wrote:
>>>>>with...
>>>>>
>>>>>ipa: ERROR: group LDAP search did not return any result (search base:
>>>>>ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>groupofnames)
>>>>>
>>>>>I see users went in but later I realized that current samba's ou was
>>>>>"group" not groups.
>>>>>Can I just re-run migrations?
>>>>Yes. It will skip over anything that already exists in IPA.
>>>thanks Rob, may I ask why the process by default looks up only objectclass:
>>>groupofuniquenames, groupofnames?
>>It is conservative but this is why it can be overridden.
>>
>>>Is there a reason it skips ldap+samba typical posixGroup &
>>>sambaGroupMapping?
>>We haven't had many (any?) reports of migrating from ldap+samba.
>>
>>>Lastly, is there a way to preserve account locked/disabled status for
>>>posix/samba?
>>I don't know how it is stored but as long as the schema is available in
>>IPA then the values should be preserved on migration unless the
>>attributes are associated with a blacklisted objectclass.
>>
>>rob
>>
>last - this must most FAQ people wonder - can IPA's 389 backend be 
>used in the same/similar fashion samba uses ldap? skipping all the 
>kerberos bits? (samba & IPA on the same one box)
For Samba and IPA on the same box, this is configured properly with
ipa-adtrust-install.

It uses the ipasam PASSDB module instead of ldapsam. This module knows the IPA
LDAP schema and is capable of doing more than ldapsam, but effectively you
can use the resulting Samba setup in the same way as you do with ldapsam.

The configuration is:

1. Install ipa-server-trust-ad (freeipa-server-trust-ad on Fedora)
2. Run ipa-adtrust-install to configure both IPA and Samba.
3. Use 'net conf' tool to manage shares.
4. Use POSIX ACLs to set up access rights on the file system. See
https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
for inspiration.

-- 
/ Alexander Bokovoy



