Chapter 5. Migrating from synchronization to trust automatically by using ipa-winsync-migrate


In RHEL 8, the synchronization approach to integrating RHEL systems into Active Directory (AD) indirectly is deprecated. Red Hat recommends migrating to the approach based on a trust between Identity Management (IdM) and AD instead. This chapter describes how to migrate from synchronization to trust automatically, by using the ipa-winsync-migrate utility.

5.1. Automatic migration from synchronization to trust by using ipa-winsync-migrate

The ipa-winsync-migrate utility migrates all synchronized users from an AD forest, while preserving the existing configuration in the Winsync environment and transferring it into the AD trust. For each AD user created by the Winsync agreement, ipa-winsync-migrate creates an ID override in the Default Trust View.

After the migration completes:

  • The ID overrides for the AD users have the following attributes copied from the original entry in Winsync:

    • Login name (uid)
    • UID number (uidnumber)
    • GID number (gidnumber)
    • Home directory (homedirectory)
    • GECOS entry (gecos)
  • The user accounts in the AD trust keep their original configuration in IdM, which includes:

    • POSIX attributes
    • User groups
    • Role-based access control rules
    • Host-based access control rules
    • SELinux membership
    • sudo rules
  • The new AD users are added as members of an external IdM group.
  • The original Winsync replication agreement, the original synchronized user accounts, and all local copies of the user accounts are removed.

Additional resources

5.2. Migrating from synchronization to trust by using ipa-winsync-migrate

Prerequisites

Procedure

  1. Back up your IdM setup using the ipa-backup utility. See Backing up and restoring IdM.

    NOTE
    The migration affects a significant part of the IdM configuration and many user accounts. Creating a backup enables you to restore your original setup if necessary.
  2. Create a trust with the synchronized domain. For details, see Installing trust between IdM and AD.
  3. Run ipa-winsync-migrate and specify the AD realm and the host name of the AD domain controller:

    # ipa-winsync-migrate --realm example.com --server ad.example.com

    If a conflict occurs in the overrides created by ipa-winsync-migrate, information about the conflict is displayed, but the migration continues.

  4. Uninstall the Password Sync service from the AD server. This removes the synchronization agreement from the AD domain controllers.
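Because the migration continues even when an override conflict is reported, it is worth confirming afterwards that every formerly synchronized user has an ID override carrying the same copied attributes, since a changed UID or GID number changes file ownership and access. The following is an added example, not part of the Red Hat documentation or tooling: it compares two LDIF snapshots that the administrator is assumed to have exported before and after the migration, and matches entries by login name. The function names `parse_ldif` and `compare` are hypothetical.

```python
# Added example, not Red Hat code. BEFORE/AFTER are constructed samples (dn lines omitted).
import re
COPIED_ATTRS = ("uid", "uidnumber", "gidnumber", "homedirectory", "gecos")

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts.
    Attribute names are lowercased; only the first value of each is kept."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(name.strip().lower(), value.strip())
        if entry:
            entries.append(entry)
    return entries

def compare(before_ldif, after_ldif):
    """Return {login: problem} for users whose override is missing or differs."""
    overrides = {e["uid"]: e for e in parse_ldif(after_ldif) if "uid" in e}
    problems = {}
    for user in (e for e in parse_ldif(before_ldif) if "uid" in e):
        override = overrides.get(user["uid"])
        if override is None:
            problems[user["uid"]] = "no ID override found"
            continue
        diffs = [a for a in COPIED_ATTRS if user.get(a) != override.get(a)]
        if diffs:
            problems[user["uid"]] = "differs: " + ", ".join(diffs)
    return problems

BEFORE = """\
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
"""
AFTER = """\
uid: alice
uidNumber: 10099
gidNumber: 10001
homeDirectory: /home/alice
"""
print(compare(BEFORE, AFTER))
```

An empty result means every user in the pre-migration snapshot has an override with identical values for the five copied attributes.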

Additional resources


© 2024 Red Hat, Inc.