[Freeipa-users] FreeIPA - Help ...

Simo Sorce simo at redhat.com
Fri May 24 13:34:46 UTC 2013


On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> Greetings,
> 
> I was told to bring my issue to this distribution.
> 
> Six months or so ago I was tasked with setting up a Kerberos/LDAP
> Authentication server.  After a 
> month of headaches I finally got it to work - Then I realized it would
> be a monster to maintain.  Then a 
> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
> amazed.  Runs great.  We love it.
> 
> ...A few days ago, I was notified I have to change my domain/REALM in
> FreeIPA.  I read the manual,
> google searches ... crickets.  I hear crickets.  I started spitting
> blood in the trash can.
> 
> I joined a forum and asked for any information, and I was pointed
> here....so...here goes...
> 
> 
> My Current Configuration
> 
> - We have two (2) servers.  Both are installed with
> ipa-server-3.0.0-26.el6_4.2.x86_64.
>   One is a replica server.
> 
> Domain:  my.network.domain
> Realm:    MY.NETWORK.DOMAIN
> 
> 
> New Proposed Configuration
> 
> Domain: my.local.network.domain
> Realm: MY.LOCAL.NETWORK.DOMAIN
> 
> 
> 
> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
> does everything under the hood for you,
> and the horror is that it does everything under the hood for you!
> There seem to be so many tentacles with 
> KERBEROS that I am afraid of jacking something up.  
> 
> Now, I have written a script that uses ipa to create all of my users -
> except the passwords.  So, what I was thinking 
> is to shut down the replica server, re-kick it, re-install FreeIPA
> with the new domain/REALM and then run my deploy 
> users script.  It would be my new master.  But then I would have to
> have "each" user log in and change their password.  
> Then take the second server and make it the replica.
> 
> Question #1:  Is this a stupid idea....  Is there a way (documented or
> not) that I can simply change my domain/REALM?  
>                     Am I making this too hard?
> 
> Question #2: Is there a way to backup the users passwords and then
> after I re-kick, install ipa and create my users ... I 
>                    can simply "import" this information into the new
> ipa instance.
> 
> Any and all suggestions are greatly appreciated...

I would look at the migration pages. You can probably use migration mode
to migrate user data from one FreeIPA install to the other and then the
migration mode of SSSD to validate and recompute the Kerberos keys.


See this for some guidance:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
