Re: upgrade to 7.1 and migrating users
- To: debian-edu@lists.debian.org
- Subject: Re: upgrade to 7.1 and migrating users
- From: Petter Reinholdtsen <pere@hungry.com>
- Date: Mon, 06 Jan 2014 22:34:12 +0100
- Message-id: <2fl1u0kztez.fsf@diskless.uio.no>
- In-reply-to: <20131003071936.GP24958@ulrik.uio.no>
- References: <l2clti$t6n$1@ger.gmane.org> <20130930203934.GA21190@diskless.uio.no> <20131002082042.Horde.vREBNe3BEkjBmrxX6WOteA1@mail.das-netzwerkteam.de> <20131003071936.GP24958@ulrik.uio.no>

I finally had time to look at migrating LDAP from squeeze to wheezy
again, and discovered a few problems with my initial approach. The
script ldap-migrate-squeeze-wheezy in is now updated to handle more LDAP
object types (user, filegroups, netgroups, sudo roles, hosts), and also
includes a recipe to get the kerberos part of the users migrated between
servers.

The problem I discovered was that the krbPrincipalKey attribute is not
usable between kerberos servers, as it contains the user's password
encrypted with the server master key. Without also copying the old
server's master key, the users are unable to log in. See the usage
information in the script to see how to do this. I am very grateful to
Russ Allbery and Sam Hartman, the kerberos maintainers in Debian, for
their clues on how to migrate kerberos users from the old to the new
server.

The script isn't well tested, but my initial testing tells me it should
work. I hope it will work for you too. :)
--
Happy hacking
Petter Reinholdtsen