[Freeipa-users] can migrate-ds be safely re-run if it failed...

lejeczek peljasz at yahoo.co.uk
Tue Mar 29 09:12:36 UTC 2016


On 15/03/16 14:36, Alexander Bokovoy wrote:
> On Tue, 15 Mar 2016, lejeczek wrote:
>> On 15/03/16 13:42, Rob Crittenden wrote:
>>> lejeczek wrote:
>>>> On 14/03/16 17:06, Rob Crittenden wrote:
>>>>> lejeczek wrote:
>>>>>> with...
>>>>>>
>>>>>> ipa: ERROR: group LDAP search did not return any result (search base:
>>>>>> ou=groups,dc=ccnr,dc=biotechnology, objectclass: groupofuniquenames,
>>>>>> groupofnames)
>>>>>>
>>>>>> I see users went in but later I realized that current samba's ou was
>>>>>> "group" not groups.
>>>>>> Can I just re-run migrations?
>>>>> Yes. It will skip over anything that already exists in IPA.
>>>> thanks Rob, may I ask why the process by default looks up only objectclass:
>>>> groupofuniquenames, groupofnames?
>>> It is conservative but this is why it can be overridden.
>>>
>>>> Is there a reason it skips ldap+samba typical posixGroup &
>>>> sambaGroupMapping?
>>> We haven't had many (any?) reports of migrating from ldap+samba.
>>>
>>>> Lastly, is there a way to preserve account locked/disabled status for
>>>> posix/samba?
>>> I don't know how it is stored but as long as the schema is available in
>>> IPA then the values should be preserved on migration unless the
>>> attributes are associated with a blacklisted objectclass.
>>>
>>> rob
>>>
>> last - this must most FAQ people wonder - can IPA's 389 backend be used
>> in the same/similar fashion samba uses ldap? skipping all the kerberos
>> bits? (samba & IPA on the same one box)
> For Samba and IPA on the same box, this is configured properly with
> ipa-adtrust-install.
when I started I thought to make this samba<=>ipa chatter more
constructive I should do ... so I wound up with samba(@openldap)
having/using the same DN as IPA has in 389.
Will it work to do ipa-adtrust-install on that one box with samba+ipa ?
many thanks
L.
>
> It uses ipasam PASSDB module instead of ldapsam. This module knows IPA
> LDAP schema and is capable of doing more than ldapsam, but effectively you
> can use resulting Samba setup in the same way as you do with ldapsam.
>
> The configuration is:
>
> 1. Install ipa-server-trust-ad (freeipa-server-trust-ad on Fedora)
> 2. Run ipa-adtrust-install to configure both IPA and Samba.
> 3. Use 'net conf' tool to manage shares.
> 4. Use POSIX ACLs to set up access rights on the file system. See
> https://www.redhat.com/archives/freeipa-users/2013-April/msg00270.html
> for inspiration.
>
