[Freeipa-users] FreeIPA - Help ...

Loris Santamaria loris at lgs.com.ve
Fri May 24 17:32:10 UTC 2013


That tool would be great!

For now, if you are in a hurry, you could dump your current domain with
db2ldif, change suffixes, domain name and realm name in the ldif file, then
load what you need into the new domain with ldapadd. Some extra advice:

 - AFAIK you can't migrate kerberos keys, so just keep the
krbPrincipalName of the users/services/hosts and ignore the rest of the
krb* attributes. Change the realm name in the krbPrincipalName
attributes.

 - certs are a grey area: the old ones will still be valid, so you should
consider whether you will need them or not.

 - Don't mess with the cn=kerberos and cn=etc containers in the new
domain.

 - You should manually join the hosts to the new domain and issue new
service keytabs. This is the most tedious and error-prone part.

 

El vie, 24-05-2013 a las 10:52 -0400, Ainsworth, Thomas escribió:
> Fellows,
> 
> That capability would be awesome!  Just what I need...
> 
> Let me know if it is possible and what kind of time frame you expect
> it to happen...
> 
> Thanks,
> 
> Tom 
> 
> On Fri, May 24, 2013 at 10:18 AM, Martin Kosek <mkosek at redhat.com>
> wrote:
>         On 05/24/2013 03:34 PM, Simo Sorce wrote:
>         > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>         >> Greetings,
>         >>
>         >> I was told to bring my issue to this distribution.
>         >>
>         >> Six months or so ago I was tasked with setting up a
>         Kerberos/LDAP
>         >> Authentication server.  After a
>         >> month of headaches I finally got it to work - Then I
>         realized it would
>         >> be a monster to maintain.  Then a
>         >> peer asked me to have a look at FreeIPA. Wow.  Installed it
>         - was
>         >> amazed.  Runs great.  We love it.
>         >>
>         >> ...A few days ago, I was notified I have to change my
>         domain/REALM in
>         >> FreeIPA.  I read the manual,
>         >> google searches ... crickets.  I hear crickets.  I started
>         spitting
>         >> blood in the trash can.
>         >>
>         >> I joined a forum and asked for any information, and I was
>         pointed
>         >> here....so...here goes...
>         >>
>         >>
>         >> My Current Configuration
>         >>
>         >> - We have two (2) servers.  Both are installed with
>         >> ipa-server-3.0.0-26.el6_4.2.x86_64.
>         >>   One is a replica server.
>         >>
>         >> Domain:  my.network.domain
>         >> Realm:    MY.NETWORK.DOMAIN
>         >>
>         >>
>         >> New Proposed Configuration
>         >>
>         >> Domain: my.local.network.domain
>         >> Realm: MY.LOCAL.NETWORK.DOMAIN
>         >>
>         >>
>         >>
>         >> Sounds easy - but the paradox is ... the beauty of FreeIPA
>         is that it
>         >> does everything under the hood for you,
>         >> and the horror is that it does everything under the hood
>         for you!
>         >> There seem to be so many tentacles with
>         >> KERBEROS that I am afraid of jacking something up.
>         >>
>         >> Now, I have written a script that uses ipa to create all of
>         my users -
>         >> except the passwords.  So, what I was thinking
>         >> is to shut down the replica server, re-kick it, re-install
>         FreeIPA
>         >> with the new domain/REALM and then run my deploy
>         >> users script.  It would be my new master.  But then I would
>         have to
>         >> have "each" user log in and change their password.
>         >> Then take the second server and make it the replica.
>         >>
>         >> Question #1:  Is this a stupid idea....  Is there a way
>         (documented or
>         >> not) that I can simply change my domain/REALM?
>         >>                     Am I making this too hard?
>         >>
>         >> Question #2: Is there a way to backup the users passwords
>         and then
>         >> after I re-kick, install ipa and create my users ... I
>         >>                    can simply "import" this information
>         into the new
>         >> ipa instance.
>         >>
>         >> Any and all suggestions are greatly appreciated...
>         >
>         > I would look at the migration pages. You can probably use
>         migration mode
>         > to migrate user data from one FreeIPA install to the other
>         and then the
>         > migration mode of sssd to validate and recompute the
>         kerberos keys.
>         >
>         >
>         > See this for some guidance:
>         >
>         https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>         >
>         > Simo.
>         >
>         
>         
>         Simo, on a side note - I am thinking, would it make sense to
>         create a new
>         command "ipa migrate-ipa" which would migrate data from other
>         IPA installation?
>         I.e. it would migrate users, groups, hosts, sudo, hbac,
>         automount, etc?
>         
>         I came across several use cases where creating a replica was
>         not an option and
>         migration like this would have been beneficial.
>         
>         Martin
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
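As an added illustration of the db2ldif / edit-the-LDIF / ldapadd route described in Loris's message (this is example code written for this page, not code from the thread or from the FreeIPA project), the script below rewrites an exported LDIF in one pass: it changes the directory suffix, the domain name in hostnames and DNs, and the realm in krbPrincipalName; drops every other krb* attribute (the keys cannot follow); skips the cn=kerberos and cn=etc subtrees; and strips a handful of operational attributes that the new server regenerates. The old/new names are the ones from Tom's question, the sample LDIF is constructed to resemble a db2ldif export, and the DROP_ATTRS list is an assumption about which exported attributes ldapadd should not be fed.

```python
import base64
import re

# Old and new names taken from the thread; change these for your own site.
OLD_SUFFIX = "dc=my,dc=network,dc=domain"
NEW_SUFFIX = "dc=my,dc=local,dc=network,dc=domain"
OLD_DOMAIN = "my.network.domain"
NEW_DOMAIN = "my.local.network.domain"
OLD_REALM = OLD_DOMAIN.upper()
NEW_REALM = NEW_DOMAIN.upper()

# Subtrees that must not be copied into the new domain.
SKIP_CONTAINERS = ("cn=kerberos," + OLD_SUFFIX, "cn=etc," + OLD_SUFFIX)

# Assumption: server-maintained attributes present in a db2ldif dump that the
# new directory regenerates on its own (memberOf via the memberOf plugin).
DROP_ATTRS = {"nsuniqueid", "entryusn", "entrydn", "creatorsname",
              "modifiersname", "createtimestamp", "modifytimestamp", "memberof"}

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

# Constructed sample resembling a db2ldif export (not a real dump): a realm
# container entry, one user, and one host with a folded DN line.
SAMPLE_LDIF = """\
dn: cn=MY.NETWORK.DOMAIN,cn=kerberos,dc=my,dc=network,dc=domain
objectClass: krbrealmcontainer
cn: MY.NETWORK.DOMAIN

dn: uid=tom,cn=users,cn=accounts,dc=my,dc=network,dc=domain
objectClass: posixaccount
objectClass: krbprincipalaux
uid: tom
cn: Tom
krbPrincipalName: tom@MY.NETWORK.DOMAIN
krbPrincipalKey:: MIIBAQ==
krbLastPwdChange: 20130101000000Z
memberOf: cn=admins,cn=groups,cn=accounts,dc=my,dc=network,dc=domain
nsUniqueId: 3f1a2b3c-1d2e11e3-8f4a9b5c-6d7e8f90

dn: fqdn=web1.my.network.domain,cn=computers,cn=accounts,dc=my,dc=network,d
 c=domain
objectClass: ipahost
fqdn: web1.my.network.domain
krbPrincipalName: host/web1.my.network.domain@MY.NETWORK.DOMAIN
krbPrincipalKey:: MIIBAQ==
"""


def parse_ldif(text):
    """Return a list of records, each a list of (attribute, value) pairs.

    Continuation lines (leading space) are unfolded and base64 values ('::')
    are decoded; undecodable bytes survive via surrogateescape."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:
        if not line:
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("bad LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "surrogateescape")
        current.append((attr, value))
    return records


def rewrite_value(value):
    # Suffix first, then realm (upper case), then domain (lower case).
    return (value.replace(OLD_SUFFIX, NEW_SUFFIX)
                 .replace(OLD_REALM, NEW_REALM)
                 .replace(OLD_DOMAIN, NEW_DOMAIN))


def rewrite_record(record):
    """Return the rewritten record, or None if it lives in a skipped subtree."""
    dn = next(v for a, v in record if a.lower() == "dn")
    if any(dn.lower().endswith(c.lower()) for c in SKIP_CONTAINERS):
        return None
    out = []
    for attr, value in record:
        name = attr.split(";")[0].lower()
        if name in DROP_ATTRS:
            continue
        # Keep only the principal name of the krb* set; keys and key-derived
        # attributes are tied to the old realm and are not portable.
        if name.startswith("krb") and name != "krbprincipalname":
            continue
        out.append((attr, rewrite_value(value)))
    return out


def format_value(attr, value):
    """Emit 'attr: value', or base64 ('attr:: ...') when LDIF requires it."""
    safe = (value.isascii() and "\n" not in value and "\r" not in value
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    raw = value.encode("utf-8", "surrogateescape")
    return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))


def convert(text):
    """Rewrite a whole LDIF export for the new suffix/domain/realm."""
    chunks = []
    for record in parse_ldif(text):
        new = rewrite_record(record)
        if new is None:
            continue
        chunks.append("\n".join(format_value(a, v) for a, v in new))
    return "\n\n".join(chunks) + "\n"


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(convert(src))
```

Run it over the real export (for 389-ds something like `db2ldif -n userRoot -a /tmp/old.ldif`, the backend name being an assumption for a default IPA install), review the result, and feed the entries you actually want to the new server with `ldapadd -x -D "cn=Directory Manager" -W -c -f new.ldif`, where `-c` keeps going past entries that already exist. Because the Kerberos keys are dropped, the imported users have no credentials until they set a password, which is what the migration mode Simo points to is for.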