Hi, it seems that the last issue I had (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...) has no easy resolution, so I'll try to bypass it.
What is the best way to migrate an IPA setup? Maybe "ipa migrate-ds"? My goal is to reinstall from scratch an IPA server, and import (at least) users, groups and group membership.
What will remain to do after that? Rejoin all clients? Rebuild HBAC? Add misc services (nfs, ...)? What else?
P.S. I could even change the domain name (e.g. old domain: my.dom.ain, new domain: second.dom.ain).
TIA, Giulio Casella
Giulio Casella via FreeIPA-users wrote:
> Hi, it seems that the last issue I had (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...) has no easy resolution, so I'll try to bypass it.

I think the 389-ds team will be needed to help diagnose what is going on.

> What is the best way to migrate an IPA setup? Maybe "ipa migrate-ds"? My goal is to reinstall from scratch an IPA server, and import (at least) users, groups and group membership.

migrate-ds will do that but it loses user-private groups (they are migrated as regular groups) and any role memberships.

> What will remain to do after that? Rejoin all clients? Rebuild HBAC? Add misc services (nfs, ...)? What else?

Yeah, basically re-do all your customization: HBAC, sudo, automount, etc.

> P.S. I could even change the domain name (e.g. old domain: my.dom.ain, new domain: second.dom.ain).

A new REALM would make it more obvious which clients need to be re-enrolled but it isn't mandatory per se.
rob
Giulio Casella wrote:
> On 05/04/2019 17:24, Rob Crittenden wrote:
> > migrate-ds will do that but it loses user-private groups (they are migrated as regular groups)
> You mean that imported users won't have their own private group? Or they'll have two groups, one private and one regular?

The user will have a private group in that the name of the user and group will match and uid == gid.
A default UPG group in IPA lacks the ability to have members and is filtered out from group-find.
A migrated group will be just a normal group so user groups will show up with group-find.
rob
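
As an added illustration of the distinction described in the last reply (not code from the thread or from the FreeIPA project): a short Python audit that classifies groups in an LDIF export as native UPGs, migrated former UPGs, or regular groups. It assumes native UPGs carry the `mepManagedEntry` object class and that the export is simple LDIF; the sample entries and the function names are constructed for this example.

```python
# Constructed sample (not real data): trimmed LDIF of a user and three groups.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=second,dc=dom,dc=ain
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: cn=alice,cn=groups,cn=accounts,dc=second,dc=dom,dc=ain
objectClass: posixgroup
cn: alice
gidNumber: 1001

dn: cn=bob,cn=groups,cn=accounts,dc=second,dc=dom,dc=ain
objectClass: posixgroup
objectClass: mepManagedEntry
cn: bob
gidNumber: 1002

dn: cn=staff,cn=groups,cn=accounts,dc=second,dc=dom,dc=ain
objectClass: posixgroup
cn: staff
gidNumber: 2000
"""

def parse_ldif(text):
    # Handles simple LDIF only: no folded lines, no base64 ("::") values.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def classify_groups(entries):
    users = {e["uid"][0]: e for e in entries if "uid" in e}
    result = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixgroup" not in classes:
            continue
        name, owner = e["cn"][0], users.get(e["cn"][0], {})
        same_ids = owner.get("uidnumber") == owner.get("gidnumber") == e["gidnumber"]
        if "mepmanagedentry" in classes:   # assumption: marks a native IPA UPG
            result[name] = "upg"
        else:
            result[name] = "migrated-upg" if same_ids else "regular"
    return result
```

Groups reported as `migrated-upg` are the ones that now accept members and appear in group-find, so they are the ones to review after the import.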