Finn Fysj via FreeIPA-users wrote:
>> Finn Fysj via FreeIPA-users wrote:
>>
>> If you migrate the Kerberos keys and principals they will be for the
>> original realm and will not work.
>>
>> LDAP passwords are migrated by allowing password migration in
>> ipa-config. When this mode is enabled, if an LDAP bind occurs and there
>> are no Kerberos keys then they are generated automatically if they don't
>> already exist.
>>
>>
>> Because it sounds like you aren't using Kerberos at all.
>>
>>
>> RHEL and Fedora have used private user groups for decades now. The
>> definition being that when a user is created they get a group with the
>> same id and no members.
>>
>> An IPA user-private group is similar in nature in that it has the same
>> uid/gid. It also lacks the objectclasses to allow members.
>>
>> A migrated group will retain the same GID but is a regular group.
>>
>> This is most noticeable when you have a lot of users, so therefore a lot
>> of private groups. Private groups are filtered out by default when
>> looking at the list of groups. That will not happen after migration.
>>
>> I'm really not sure what your use-case is here. Do you have an existing
>> broken IPA server? I have the impression you are starting out new.
>>
>> rob
>
> Firstly, thank you for taking your time, Rob.
>
> We have an existing IPA server running on RHEL7 and our goal is to create two
> new IPA servers on RHEL9 (master & replica).
> We therefore want to migrate USERS & GROUPS only from the existing IPA server
> using ipa migrate-ds.
> The end goal looks something like: Only to use the IPA servers as LDAP servers
> and load balance these two. It basically gives us LDAP servers w/ GUI.
> Replacing FreeIPA is not an option.
>
> I'm therefore curious what the risks may be if we're leaving out migrating
> UPGs, and secondly your thoughts on this approach.
>

UPGs cannot be migrated at all. There is no risk. Some find it annoying
to see a bunch of single-user groups in the interface, that's all.

rob
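
The definition of a user-private group given in the thread (a group with the same name and id as its user, lacking the objectclasses that allow members) can be checked against an LDIF export before and after a migration. This is an added example, not code from the thread or from FreeIPA; the sample LDIF is constructed, and treating `groupOfNames`/`groupOfUniqueNames` as the member-capable objectclasses is an assumption about the directory schema.

```python
# Added example: classify group entries from an LDIF export as user-private
# or regular, using the definition quoted in the thread. Entries below are
# constructed and reduced to the attributes the check reads.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
uidNumber: 5001
gidNumber: 5001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
uidNumber: 5002
gidNumber: 5002

dn: cn=alice,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
cn: alice
gidNumber: 5001

dn: cn=bob,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: groupOfNames
cn: bob
gidNumber: 5002
"""

# Assumption: these are the objectclasses that let a group hold members.
MEMBER_CLASSES = {"groupofnames", "groupofuniquenames"}

def parse_ldif(text):
    """Minimal parser: blank-line separated entries, unfolded 'attr: value' lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def classify_groups(entries):
    """Return {group cn: 'private' | 'regular'} for every posixGroup entry."""
    uid_numbers = {e["uid"][0]: e["uidnumber"][0] for e in entries if "uid" in e}
    result = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixgroup" in classes:
            cn, gid = e["cn"][0], e["gidnumber"][0]
            same_id = uid_numbers.get(cn) == gid          # same name and id as a user
            no_members = not (classes & MEMBER_CLASSES)   # cannot hold members
            result[cn] = "private" if same_id and no_members else "regular"
    return result
```

In the sample, the group `bob` keeps its user's GID but carries a member-capable objectclass, so it is reported as a regular group, which is the state the thread describes for a migrated group.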
