[Freeipa-users] FreeIPA - Help ...

Sigbjorn Lie sigbjorn at nixtra.com
Fri May 24 14:55:59 UTC 2013


Me too. +1 for ipa to ipa migration. 

Martin Kosek <mkosek at redhat.com> wrote:

>On 05/24/2013 03:34 PM, Simo Sorce wrote:
>> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>>> Greetings,
>>>
>>> I was told to bring my issue to this distribution.
>>>
>>> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>>> Authentication server.  After a 
>>> month of headaches I finally got it to work - Then I realized it would
>>> be a monster to maintain.  Then a 
>>> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
>>> amazed.  Runs great.  We love it.
>>>
>>> ...A few days ago, I was notified I have to change my domain/REALM in
>>> FreeIPA.  I read the manual,
>>> google searches ... crickets.  I hear crickets.  I started spitting
>>> blood in the trash can.
>>>
>>> I joined a forum and asked for any information, and I was pointed
>>> here....so...here goes...
>>>
>>>
>>> My Current Configuration
>>>
>>> - We have two (2) servers.  Both are installed with
>>> ipa-server-3.0.0-26.el6_4.2.x86_64.
>>>   One is a replica server.
>>>
>>> Domain:  my.network.domain
>>> Realm:    MY.NETWORK.DOMAIN
>>>
>>>
>>> New Proposed Configuration
>>>
>>> Domain: my.local.network.domain
>>> Realm: MY.LOCAL.NETWORK.DOMAIN
>>>
>>>
>>>
>>> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>>> does everything under the hood for you,
>>> and the horror is that it does everything under the hood for you!
>>> There seem to be so many tentacles with 
>>> KERBEROS that I am afraid of jacking something up.  
>>>
>>> Now, I have written a script that uses ipa to create all of my users -
>>> except the passwords.  So, what I was thinking 
>>> is to shut down the replica server, re-kick it, re-install FreeIPA
>>> with the new domain/REALM and then run my deploy 
>>> users script.  It would be my new master.  But then I would have to
>>> have "each" user log in and change their password.  
>>> Then take the second server and make it the replica.
>>>
>>> Question #1:  Is this a stupid idea....  Is there a way (documented or
>>> not) that I can simply change my domain/REALM?  
>>>                     Am I making this too hard?
>>>
>>> Question #2: Is there a way to backup the users passwords and then
>>> after I re-kick, install ipa and create my users ... I 
>>>                    can simply "import" this information into the new
>>> ipa instance.
>>>
>>> Any and all suggestions are greatly appreciated...
>> 
>> I would look at the migration pages. You can probably use migration mode
>> to migrate user data from one FreeIPA install to the other and then the
>> migration mode of sssd to validate and recompute the kerberos keys.
>> 
>> 
>> See this for some guidance:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>> 
>> Simo.
>> 
>
>Simo, on a side note - I am thinking, would it make sense to create a new
>command "ipa migrate-ipa" which would migrate data from another IPA
>installation?
>I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
>
>I came across several use cases where creating a replica was not an
>option and migration like this would have been beneficial.
>
>Martin
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users at redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
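The migration-mode approach Simo points at, laid out as a shell script. This is an added example written for this page, not code from the thread or from the FreeIPA project. It assumes the new server already has an admin ticket (`kinit admin`), that the old realm's LDAP is reachable at `ldap://old-ipa.example.test` (a placeholder), and that the Kerberos attributes listed under `--user-ignore-attribute` are the realm-specific ones to leave behind (an assumption to confirm with a trial run using `--continue`). `IPA_CMD` is a hypothetical override so the steps can be previewed with `IPA_CMD=echo` before touching a real server.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): move users and
# groups from an old FreeIPA realm into a freshly installed one using IPA's
# migration mode, so Kerberos keys for the new REALM are regenerated on the
# first login instead of asking every user to reset their password.
#
# Assumptions (hypothetical, adjust for your environment):
#   - run on the NEW server with an admin Kerberos ticket (kinit admin)
#   - IPA_CMD may be set to "echo" to preview the commands without running them
IPA_CMD="${IPA_CMD:-ipa}"

# Step 1: enable migration mode on the new server. While it is on, a migrated
# user's first LDAP bind (via SSSD falling back to LDAP, or the /ipa/migration
# web page) lets the server create Kerberos keys from the password supplied.
enable_migration_mode() {
    "$IPA_CMD" config-mod --enable-migration=TRUE
}

# Step 2: copy users and groups over LDAP from the old realm.
# IPA keeps accounts under cn=accounts, uses the 'member' attribute
# (RFC2307bis) and groupofnames groups. Binding as Directory Manager lets the
# existing userPassword hashes come across, which is what answers the
# "how do I back up the passwords" question in the thread.
# Assumption: krbPrincipalName/krbPrincipalKey belong to the old realm and are
# skipped so they get recreated under the new one.
migrate_from_old_ipa() {
    old_ldap_uri="$1"
    "$IPA_CMD" migrate-ds \
        --bind-dn="cn=Directory Manager" \
        --user-container="cn=users,cn=accounts" \
        --group-container="cn=groups,cn=accounts" \
        --schema=RFC2307bis \
        --group-objectclass=groupofnames \
        --user-ignore-attribute=krbPrincipalName \
        --user-ignore-attribute=krbPrincipalKey \
        --continue \
        "$old_ldap_uri"
}

# Step 3: once every user has logged in once and has keys in the new realm,
# turn migration mode off again; leaving it on keeps the LDAP-bind fallback
# path open longer than needed.
disable_migration_mode() {
    "$IPA_CMD" config-mod --enable-migration=FALSE
}

# Steps 1 and 2 together; step 3 is deliberately left for a later, separate run.
run_migration() {
    enable_migration_mode && migrate_from_old_ipa "$1"
}

# Preview with: IPA_CMD=echo sh ./ipa-migrate.sh ldap://old-ipa.example.test
if [ -n "$1" ]; then
    run_migration "$1"
fi
```

The password for the bind DN is not passed on the command line on purpose; `ipa migrate-ds` prompts for it, which keeps it out of shell history and process listings. Hosts, services and their keytabs are not covered by `migrate-ds` and still have to be re-enrolled against the new realm, which is the gap Martin's proposed `ipa migrate-ipa` command would close.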