<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/24/2013 01:32 PM, Loris Santamaria wrote:
<blockquote cite="mid:1369416730.6420.25.camel@toron.pzo.lgs.com.ve"
type="cite">
<pre wrap="">That tool would be great!
For now, if you are in a hurry, you could dump your current domain with
db2ldif, change suffixes, domain name, realm name in the ldif file, then
load what you need on the new domain with ldapadd. Some extra advice:
- AFAIK you can't migrate kerberos keys, so just keep the
krbPrincipalName of the users/services/hosts, and ignore the rest of the
krb* attributes. Change the realm name in the krbPrincipalName
attributes
- certs are a grey area, the old ones will still be valid, you should
consider if you will need them or not
- Don't mess with the cn=kerberos and cn=etc containers in the new
domain
- You should manually join the hosts to the new domain and issue new
service keytabs. This is the most tedious and error-prone part.</pre>
</blockquote>
<br>
Yes, but this is where presumably OpenLMI + realmd should come to the
rescue.<br>
You should be able to remotely script the whole procedure and run
one script to connect to a bunch of machines, make them leave the
domain they are in and then join a new domain. Should be not more
than a dozen lines of script code.<br>
This would be possible with the latest Fedora 19 bits just FYI.<br>
<br>
Once these projects become available we should probably create a
procedure and a script.<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3657">https://fedorahosted.org/freeipa/ticket/3657</a><br>
<br>
<blockquote cite="mid:1369416730.6420.25.camel@toron.pzo.lgs.com.ve"
type="cite">
<pre wrap="">
On Fri, 24-05-2013 at 10:52 -0400, Ainsworth, Thomas wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Fellows,
That capability would be awesome! Just what I need...
Let me know if it is possible and what kind of time frame you expect
it to happen...
Thanks,
Tom
On Fri, May 24, 2013 at 10:18 AM, Martin Kosek <a class="moz-txt-link-rfc2396E" href="mailto:mkosek@redhat.com"><mkosek@redhat.com></a>
wrote:
On 05/24/2013 03:34 PM, Simo Sorce wrote:
> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>> Greetings,
>>
>> I was told to bring my issue to this distribution.
>>
>> Six months or so ago I was tasked with setting up a
Kerberos/LDAP
>> Authentication server. After a
>> month of headaches I finally got it to work - Then I
realized it would
>> be a monster to maintain. Then a
>> peer asked me to have a look at FreeIPA. Wow. Installed it
- was
>> amazed. Runs great. We love it.
>>
>> ...A few days ago, I was notified I have to change my
domain/REALM in
>> FreeIPA. I read the manual,
>> google searches ... crickets. I hear crickets. I started
spitting
>> blood in the trash can.
>>
>> I joined a forum and asked for any information, and I was
pointed
>> here....so...here goes...
>>
>>
>> My Current Configuration
>>
>> - We have two (2) servers. Both are installed with
>> ipa-server-3.0.0-26.el6_4.2.x86_64.
>> One is a replica server.
>>
>> Domain: my.network.domain
>> Realm: MY.NETWORK.DOMAIN
>>
>>
>> New Proposed Configuration
>>
>> Domain: my.local.network.domain
>> Realm: MY.LOCAL.NETWORK.DOMAIN
>>
>>
>>
>> Sounds easy - but the paradox is ... the beauty of FreeIPA
is that it
>> does everything under the hood for you,
>> and the horror is that it does everything under the hood
for you!
>> There seem to be so many tentacles with
>> KERBEROS that I am afraid of jacking something up.
>>
>> Now, I have written a script that uses ipa to create all of
my users -
>> except the passwords. So, what I was thinking
>> is to shut down the replica server, re-kick it, re-install
FreeIPA
>> with the new domain/REALM and then run my deploy
>> users script. It would be my new master. But then I would
have to
>> have "each" user log in and change their password.
>> Then take the second server and make it the replica.
>>
>> Question #1: Is this a stupid idea.... Is there a way
(documented or
>> not) that I can simply change my domain/REALM?
>> Am I making this too hard?
>>
>> Question #2: Is there a way to backup the users passwords
and then
>> after I re-kick, install ipa and create my users ... I
>> can simply "import" this information
into the new
>> ipa instance.
>>
>> Any and all suggestions are greatly appreciated...
>
> I would look at the migration pages. You can probably use
migration mode
> to migrate user data from one FreeIPA install to the other
and then the
> migration mode of sssd to validate and recompute the
kerberos keys.
>
>
> See this for some guidance:
>
<a class="moz-txt-link-freetext" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html</a>
>
> Simo.
>
Simo, on a side note - I am thinking, would it make sense to
create a new
command "ipa migrate-ipa" which would migrate data from other
IPA installation?
I.e. it would migrate users, groups, hosts, sudo, hbac,
automount, etc?
I came across several use cases where creating a replica was
not an option and
migration like this would have been beneficial.
Martin
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a>
</pre>
</blockquote>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
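The LDIF rewrite Loris describes above (dump with db2ldif, swap suffix and domain/realm names, keep only krbPrincipalName of the krb* attributes, leave cn=kerberos and cn=etc alone, then ldapadd) as an added Python example. This is not code from the thread, from FreeIPA or from 389 Directory Server; the domain names are the ones from Tom's message, the sample LDIF is constructed, and the key/extra-data blobs in it are dummies. It also handles two things a sed one-liner would get wrong on a real dump: RFC 2849 folded continuation lines, and base64-encoded (`::`) text values, which are decoded, rewritten and re-encoded while genuinely binary values are copied untouched.

```python
"""Rewrite a db2ldif dump from one FreeIPA domain/realm for ldapadd into another.
Added example, not FreeIPA or 389 DS code; domain names below are assumed."""
import base64
import re

OLD_DOMAIN, NEW_DOMAIN = "my.network.domain", "my.local.network.domain"   # assumed
OLD_REALM, NEW_REALM = OLD_DOMAIN.upper(), NEW_DOMAIN.upper()
OLD_SUFFIX = ",".join("dc=" + p for p in OLD_DOMAIN.split("."))
NEW_SUFFIX = ",".join("dc=" + p for p in NEW_DOMAIN.split("."))
SUFFIX_RE = re.compile(re.escape(OLD_SUFFIX), re.IGNORECASE)  # DN parts are case-insensitive
SKIP_SUBTREES = ("cn=kerberos", "cn=etc")  # containers the thread says to leave alone

def unfold(ldif_text):
    """Split LDIF into entries (lists of lines), joining RFC 2849 folded lines."""
    entries, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]                     # continuation of the previous line
        elif raw == "" and current:
            entries.append(current)
            current = []
        elif raw and not raw.startswith("#") and not raw.lower().startswith("version:"):
            current.append(raw)
    return entries + [current] if current else entries

def split_line(line):
    """Return (attribute, is_base64, raw_value) for 'attr: v' or 'attr:: b64'."""
    attr, _, rest = line.partition(":")
    is_b64 = rest.startswith(":")
    return attr, is_b64, (rest[1:] if is_b64 else rest).strip()

def decode_value(is_b64, raw):
    """Decode one value to text; None for binary (non-UTF-8) blobs."""
    try:
        return base64.b64decode(raw).decode("utf-8") if is_b64 else raw
    except (UnicodeDecodeError, ValueError):
        return None

def rewrite_text(value):
    """Swap suffix (case-insensitive), then realm and domain (case-sensitive)."""
    value = SUFFIX_RE.sub(NEW_SUFFIX, value)
    return value.replace(OLD_REALM, NEW_REALM).replace(OLD_DOMAIN, NEW_DOMAIN)

def emit(attr, value):
    """One attribute line, base64-encoded where RFC 2849 requires it."""
    if not value.isascii() or value[:1] in (" ", ":", "<") or any(c in value for c in "\0\r\n"):
        return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return attr + ": " + value

def rewrite_entry(lines):
    """Rewritten entry as a list of lines, or None if the entry must be dropped."""
    attr, is_b64, raw = split_line(lines[0])
    dn = decode_value(is_b64, raw)
    if attr.lower() != "dn" or dn is None:
        return None
    skip = [rdn + "," + OLD_SUFFIX.lower() for rdn in SKIP_SUBTREES]
    if dn.lower() in skip or dn.lower().endswith(tuple("," + s for s in skip)):
        return None
    out = [emit("dn", rewrite_text(dn))]
    for line in lines[1:]:
        attr, is_b64, raw = split_line(line)
        name = attr.split(";")[0].lower()              # ignore options such as ;binary
        if name.startswith("krb") and name != "krbprincipalname":
            continue                                   # keys and other Kerberos state: not migratable
        text = decode_value(is_b64, raw)
        out.append(line if text is None else emit(attr, rewrite_text(text)))  # binary: copy as-is
    return out

def rewrite_ldif(ldif_text):
    """Whole dump rewritten into LDIF text ready for ldapadd; dropped entries omitted."""
    kept = filter(None, map(rewrite_entry, unfold(ldif_text)))
    return "\n\n".join("\n".join(entry) for entry in kept) + "\n"

def decoded_values(entry):
    """(attribute, text) pairs of one entry with base64 values decoded, for inspection."""
    return [(a, decode_value(b, r)) for a, b, r in map(split_line, entry)]

# Constructed sample in db2ldif style: dummy key blobs, one folded line, one base64 text value.
_DESC = base64.b64encode("Usuário de my.network.domain".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""version: 1

dn: uid=tom,cn=users,cn=accounts,dc=my,dc=network,dc=domain
description:: {_DESC}
krbPrincipalName: tom@MY.NETWORK.DOMAIN
krbPrincipalKey:: MAEA/w==
krbLastPwdChange: 20130524120000Z
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=my,dc=network,
 dc=domain

dn: fqdn=web.my.network.domain,cn=computers,cn=accounts,dc=my,dc=network,dc=domain
krbPrincipalName: host/web.my.network.domain@MY.NETWORK.DOMAIN
krbExtraData:: AAIAAA==

dn: cn=MY.NETWORK.DOMAIN,cn=kerberos,dc=my,dc=network,dc=domain
cn: MY.NETWORK.DOMAIN

dn: cn=ipaConfig,cn=etc,dc=my,dc=network,dc=domain
"""

if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE_LDIF), end="")
```

Feed it the db2ldif output and pipe the result to ldapadd against the new server. Two caveats from the thread carry over: nothing here recreates Kerberos keys (users and hosts end up with a krbPrincipalName in the new realm but no keys, so passwords must be set again or re-derived via the migration mode Simo points to), and container entries the new installer already created (cn=accounts and friends) will be rejected as existing, so either filter them out or run ldapadd with -c to continue past those errors. Attributes the thread does not mention, userPassword included, are copied unchanged; whether to keep them is a decision for whoever runs the migration.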
</body>
</html>