> On Thu, 16 Jun 2022, rui liang via FreeIPA-users wrote:
>
> You don't. None of Kerberos content is migratable this way. New
> deployment would have different master keys and most likely also
> different Kerberos realm.
>
> If you don't plan to change IPA Kerberos realm, using replica approach
> is better and should be used instead.
>
>
> This page explicitly states:
>
> Users and groups can be migrated using the migrate-ds command, just like
> with any other LDAP based identity management server. You just need to
> make sure that FreeIPA Kerberos related attributes are not migrated as
> they need to be generated again by the new FreeIPA server and its new
> Kerberos settings or keys.

Method 3: Using SSSD (Recommended)

SSSD attempts to perform Kerberos authentication against the IdM server. IdM intercepts this bind request. If the user has a Kerberos principal but no Kerberos hashes, then the IdM identity provider generates the hashes and stores them in the user entry. If authentication is successful, SSSD disconnects from IdM and tries Kerberos authentication again. This time, the request succeeds because the hash exists in the entry.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/Migrating_from_a_Directory_Server_to_IPA#sssd-pwd-migr

The description here seems to solve this problem, but is there a detailed tutorial on how to do it? Thank you
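
Added example, not part of the original message or of the FreeIPA or Red Hat documentation: a check for the state the quoted passage describes, a user entry with a Kerberos principal but no Kerberos hashes, run over an LDIF export of the migrated users. It assumes the export was made with a privileged bind that can see `krbPrincipalKey`; the sample entries and the function names `parse_ldif` and `kerberos_key_status` are constructed for illustration.

```python
# Constructed sample: LDIF shaped like a privileged ldapsearch export.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST
userPassword:: Y29uc3RydWN0ZWQ=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
krbPrincipalName: bob@EXAMPLE.TEST
userPassword:: Y29uc3RydWN0ZWQ=
krbPrincipalKey:: Y29uc3RydWN0ZWQ=

dn: uid=carol,cn=users,cn=accounts,dc=example,
 dc=test
uid: carol
krbPrincipalName: carol@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute name -> list of raw values."""
    entries, current = [], {}
    unfolded = text.replace("\n ", "")  # undo LDIF line folding (RFC 2849)
    for line in unfolded.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            # "attr: v" and "attr:: base64" both reduce to the bare value
            current.setdefault(attr.lower(), []).append(value.lstrip(": "))
    return entries

def kerberos_key_status(entries):
    """Group principals by whether Kerberos keys still have to be generated."""
    status = {"has_keys": [], "pending": [], "no_password": []}
    for e in entries:
        if "krbprincipalname" not in e:
            continue  # not a Kerberos principal, out of scope
        # pending: password hash migrated, keys appear after first SSSD login
        # no_password: nothing to bind with, so the first login cannot succeed
        key = ("has_keys" if "krbprincipalkey" in e
               else "pending" if "userpassword" in e else "no_password")
        status[key].append(e.get("uid", ["?"])[0])
    return status

if __name__ == "__main__":
    print(kerberos_key_status(parse_ldif(SAMPLE_LDIF)))
```

Accounts reported as `pending` are the ones that still have to authenticate once through SSSD before a plain Kerberos login will work.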
