[Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
Rob Crittenden
rcritten at redhat.com
Thu Jun 11 12:32:28 UTC 2015
Tamas Papp wrote:
>
>
> On 06/10/2015 03:35 PM, Martin Kosek wrote:
>> On 06/10/2015 03:32 PM, Christopher Lamb wrote:
>>> Hi Tamas
>>>
>>> I think the general advice is to replicate rather than to migrate. I am
>>> sure Martin K will jump in on this.
>> Yes :-)
>>
>>> However some weeks ago, when doing a very similar move to yours, we
>>> chose
>>> to migrate (we were misled by some very old FreeIPA docus that have
>>> since
>>> been archived).
>>>
>>> In our case passwords were successfully migrated, so the users were
>>> able to
>>> use the same user / password combo as before.
>>>
>>>
>>> I will see if I can dig out the migrate command we used at the time.
>> Did you use the migration command advised in
>> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>>
>> ?
>
> hi Martin,
>
> https://www.freeipa.org/page/Howto/Migration#Upgrading_to_new_FreeIPA_release
>
>
> I would be satisfied with this procedure.
>
> However, earlier you (actually Dmitri) posted a different one:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
>
>
> Which is the right one?
> In my opinion the second one is too complicated, I would rather choose
> 'ipa migrate-ds' (we don't have machine accounts).

They are both right, in the right context.

While there are a number of steps involved in creating an EL 7 master
from an EL 6 install, you retain all current data and clients, assuming
you are using DNS SRV records, probably won't notice at all.

ipa-migrate-ds only migrates users and groups so you'll lose all sudo,
HBAC, automount, automember and more rules, plus netgroups and
hostgroups. You'd have to manually re-add all of these. You'll also end
up with a new CA (with the same name) and have to re-enroll all your
clients.

Creating a new master is probably a lot easier and less disruptive.
You'd want to leave both the EL 6 and 7 masters running for a bit
(probably days, not months) to be sure everything is working ok. Be sure
to add a new user or group on the EL 7 master before decommissioning the
EL 6 one. And don't forget to use the --setup-ca option when creating
the EL 7 master.

rob