Fellows, That capability would be awesome! Just what I need... Let me know if it is possible and what kind of time frame you expect it to happen... Thanks, Tom <div class="gmail_quote"> On Fri, May 24, 2013 at 10:18 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="HOEnZb"><div class="h5">On 05/24/2013 03:34 PM, Simo Sorce wrote: > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote: >> Greetings, >> >> I was told to bring my issue to this distribution. >> >> Six months or so ago I was tasked with setting up a Kerberos/LDAP >> Authentication server. After a >> month of headaches I finally got it to work - Then I relaized it would >> be a monster to maintain. Then a >> peer asked me to have a look at FreeIPA. Wow. Installed it - was >> amazed. Runs great. We love it. >> >> ...A few days ago, I was notified I have to change my domain/REALM in >> FreeIPA. I read the manual, >> google searches ... crickets. I hear crickets. I started spitting >> blood in the trash can. >> >> I joined a forum and asked for any information, and I was pointed >> here....so...here goes... >> >> >> My Current Configuration >> >> - We have two (2) servers. Both are installed with >> ipa-server-3.0.0-26.el6_4.2.x86_64. >> One is a replica server. >> >> Domain: my.network.domain >> Realm: MY.NETWORK.DOMAIN >> >> >> New Proposed Configuration >> >> Domain: my.local.network.domain >> Realm: MY.LOCAL.NETWORK.DOMAIN >> >> >> >> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it >> does everything under the hood for you, >> and the horror is that it does everything under the hood for you! >> There seem to be so many tentacles with >> KERBEROS that I am afraid of jacking something up. >> >> Now, I have written a script that uses ipa to create all of my users - >> except the passwords. So, what I was thinking >> is to shut down the replica server, re-kick it, re-install FreeIPA >> with the new domain/REALM and then run my deploy >> users script. It would be my new master. But then I would have to >> have "each" user log in and change their password. >> Then take the second server and make it the replica. >> >> Question #1: Is this a stupid idea.... Is there a way (documented or >> not) that I can simply change my domain/REALM? >> Am I making this too hard? >> >> Question #2: Is there a way to backup the users passwords and then >> after I re-kick, install ipa and create my users ... I >> can simply "import" this information into the new >> ipa instance. >> >> Any and all suggestions are greatly appreciated... > > I would look at the migration pages. You can probably use migration mode > to migrate user data from one FreeIPa install to the other and then the > migration mode of sssd to validate and recompute the kerberos keys. > > > See this for some guidance: > <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html</a> > > Simo. > </div></div>Simo, on a side note - I am thinking, would it make sense to create a new command "ipa migrate-ipa" which would migrate data from other IPA installation? I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc? I came across several user cases where creating a replica was not an option and migration like this would have been beneficial. Martin </blockquote></div>