#6101 Migrating users doesn't update krbCanonicalName
Closed: Fixed. Opened 7 years ago by pvomacka.

Description of problem:
It is not possible to kinit as a user after migrating users from one FreeIPA server to another. The problem is that after migration the krbCanonicalName stays unchanged (it keeps the old realm). krbPrincipalName is updated correctly.

Steps to reproduce:
1) Install two FreeIPA servers
2) Create several users on the first one
3) Set passwords for these users
4) Use migrate-ds to migrate the users to the second FreeIPA server
5) Try to log in as a migrated user
Actual result: kinit user returns the following error:

kinit: Client 't2@FIPA2.EXAMPLE.COM' not found in Kerberos database while getting initial credentials

Thinking about it, what is the command you used for migration? A workaround might be to add krbCanonicalName to the list of ignored attributes, i.e. extend the list of attrs in https://www.freeipa.org/page/Howto/Migration

I originally used this command:

ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --with-compat ldap://fipa1.example.com:389

Now I tried migration also using these two commands:

ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute=krbCanonicalName --with-compat ldap://fipa1.example.com:389


ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbCanonicalName,krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry ldap://fipa1.example.com:389

The last two migration configurations helped and kinit as a user worked as expected. But logging into the WebUI (#6102) still didn't work.

devmtg: must be fixed in migrate-ds
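To check a migrated directory for the condition this ticket describes (krbCanonicalName left in the source realm while krbPrincipalName was rewritten), here is an added example that is not part of this ticket or of FreeIPA's code; it works on constructed entries, and the source realm FIPA1.EXAMPLE.COM and the DNs are assumptions:

```python
"""Added example, not FreeIPA's own code: flag migrated users whose
krbCanonicalName still names the source realm and emit LDIF to reset it."""
from dataclasses import dataclass, field

@dataclass
class UserEntry:
    """Minimal view of an IPA user entry as returned by an LDAP search."""
    dn: str
    krbPrincipalName: list = field(default_factory=list)
    krbCanonicalName: str = None

def split_principal(principal):
    """Split 'primary@REALM' on the last unescaped '@' ('\\@' is literal)."""
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and (i == 0 or principal[i - 1] != "\\"):
            return principal[:i], principal[i + 1:]
    return principal, None

def stale_canonical_names(entries, target_realm):
    """Map dn -> corrected krbCanonicalName for entries in a foreign realm.
    None means no matching krbPrincipalName exists, so review manually."""
    fixes = {}
    for e in entries:
        if e.krbCanonicalName is None:
            continue  # no canonical name: KDC falls back to krbPrincipalName
        primary, realm = split_principal(e.krbCanonicalName)
        if realm == target_realm:
            continue
        expected = f"{primary}@{target_realm}"
        fixes[e.dn] = expected if expected in e.krbPrincipalName else None
    return fixes

def ldif_reset(fixes):
    """Render automatic fixes as 'replace' changes for ldapmodify."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: krbCanonicalName\n"
        f"krbCanonicalName: {value}\n"
        for dn, value in fixes.items() if value is not None)

# Constructed sample; realm FIPA1.EXAMPLE.COM is assumed for the source server.
BASE = "cn=users,cn=accounts,dc=fipa2,dc=example,dc=com"
SAMPLE = [
    UserEntry(f"uid=t2,{BASE}", ["t2@FIPA2.EXAMPLE.COM"], "t2@FIPA1.EXAMPLE.COM"),
    UserEntry(f"uid=t3,{BASE}", ["t3@FIPA2.EXAMPLE.COM"], "t3@FIPA2.EXAMPLE.COM"),
    UserEntry(f"uid=t4,{BASE}", ["t4@FIPA2.EXAMPLE.COM"]),
]

if __name__ == "__main__":
    print(ldif_reset(stale_canonical_names(SAMPLE, "FIPA2.EXAMPLE.COM")))
```

Only t2 is reported: its canonical name is in the old realm and the rewritten krbPrincipalName confirms the corrected value, so the LDIF can be applied with ldapmodify against the target server.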


  • 1a04edd re-set canonical principal name on migrated users

Metadata Update from @pvomacka:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.4.1
