User private groups should not be created for migrated POSIX users; their GID points to another group:
# echo "secret123" | ipa migrate-ds ldap://vm-054.idm.lab.bos.redhat.com --with-compat --base-dn="dc=greyoak,dc=com"
-----------
migrate-ds:
-----------
Migrated:
  user: darcee_leeson, ayaz_kreiger, mollee_weisenberg
  group: ipagroup
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided with clear text passwords.
All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.

# ipa user-show darcee_leeson
  User login: darcee_leeson
  First name: Darcee
  Last name: Leeson
  Home directory: /home/Darcee_Leeson
  Email address: Darcee_Leeson@greyoak.com
  UID: 11731
  GID: 21731 <<<<<<<<<
  Telephone Number: +1 804 913-8558
  Org. Unit: Product Testing
  Job Title: Supreme Product Testing Visionary
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: False

# ipa group-show darcee_leeson
  Group name: darcee_leeson
  Description: User private group for darcee_leeson
  GID: 11731 <<<<<<<<<
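A post-migration check for the condition reported above, as an added example that is not part of the ticket or of FreeIPA's code: it parses saved `ipa user-show` and `ipa group-show` output and reports users whose user private group GID differs from their primary GID. The `local_user` entry, the sample dictionaries and the function names are constructed for illustration.

```python
# Added example: flag migrated users that received a user private group (UPG)
# although their primary GID points at a different group.

# Constructed sample input in the layout of `ipa user-show` / `ipa group-show`.
# darcee_leeson uses the values shown in the ticket; local_user is a constructed control.
USER_SHOW = {
    "darcee_leeson": "  User login: darcee_leeson\n  UID: 11731\n  GID: 21731\n",
    "local_user": "  User login: local_user\n  UID: 5001\n  GID: 5001\n",
}
GROUP_SHOW = {
    "darcee_leeson": (
        "  Group name: darcee_leeson\n"
        "  Description: User private group for darcee_leeson\n"
        "  GID: 11731\n"
    ),
    "local_user": (
        "  Group name: local_user\n"
        "  Description: User private group for local_user\n"
        "  GID: 5001\n"
    ),
}


def parse_show(text):
    """Turn the 'Label: value' lines of ipa *-show output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def stray_upgs(user_show, group_show):
    """Return (login, primary_gid, upg_gid) for users whose UPG GID is not their GID."""
    findings = []
    for login, text in sorted(user_show.items()):
        user = parse_show(text)
        group = parse_show(group_show.get(login, ""))
        # Only groups that identify themselves as a UPG for this login are considered.
        if not group.get("Description", "").startswith("User private group for"):
            continue
        if user.get("GID") != group.get("GID"):
            findings.append((login, user.get("GID"), group.get("GID")))
    return findings


if __name__ == "__main__":
    for login, gid, upg_gid in stray_upgs(USER_SHOW, GROUP_SHOW):
        print(f"{login}: primary GID {gid}, stray UPG with GID {upg_gid}")
```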
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=809560
The patch references ticket https://fedorahosted.org/freeipa/ticket/2562
master: b55c98f
ipa-2-2: b98342a
Metadata Update from @mkosek:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04