Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 5. Migrating from synchronization to trust automatically by using ipa-winsync-migrate
In RHEL 8, the synchronization approach to integrating RHEL systems into Active Directory (AD) indirectly is deprecated. Red Hat recommends migrating to the approach based on a trust between Identity Management (IdM) and AD instead. This chapter describes how to migrate from synchronization to trust automatically, by using the ipa-winsync-migrate
utility.
5.1. Automatic migration from synchronization to trust by using ipa-winsync-migrate
The ipa-winsync-migrate
utility migrates all synchronized users from an AD forest, while preserving the existing configuration in the Winsync environment and transferring it into the AD trust. For each AD user created by the Winsync agreement, ipa-winsync-migrate
creates an ID override in the Default Trust View.
After the migration completes:
The ID overrides for the AD users have the following attributes copied from the original entry in Winsync:
-
Login name (
uid
) -
UID number (
uidnumber
) -
GID number (
gidnumber
) -
Home directory (
homedirectory
) -
GECOS entry (
gecos
)
-
Login name (
The user accounts in the AD trust keep their original configuration in IdM, which includes:
- POSIX attributes
- User groups
- Role-based access control rules
- Host-based access control rules
- SELinux membership
-
sudo
rules
- The new AD users are added as members of an external IdM group.
- The original Winsync replication agreement, the original synchronized user accounts, and all local copies of the user accounts are removed.
Additional resources
5.2. Migrating from synchronization to trust by using ipa-winsync-migrate
Prerequisites
- On RHEL 7, you configured synchronisation between RHEL Identity Management (IdM) and AD.
Procedure
Back up your IdM setup using the
ipa-backup
utility. See Backing up and restoring IdM.- NOTE
- The migration affects a significant part of the IdM configuration and many user accounts. Creating a backup enables you to restore your original setup if necessary.
- Create a trust with the synchronized domain. See For details, see Installing trust between IdM and AD.
Run
ipa-winsync-migrate
and specify the AD realm and the host name of the AD domain controller:# ipa-winsync-migrate --realm example.com --server ad.example.com
If a conflict occurs in the overrides created by
ipa-winsync-migrate
, information about the conflict is displayed, but the migration continues.- Uninstall the Password Sync service from the AD server. This removes the synchronization agreement from the AD domain controllers.
Additional resources
- ipa-winsync-migrate(1)
- Backing up and restoring IdM servers using Ansible playbooks