[Freeipa-users] How to backup / restore the FreeIPA server?

Viktor Mendes viktor.mendes at lmax.com
Mon Dec 24 13:11:20 UTC 2012


Hi guys,

We are going to use FreeIPA v2.2.0 (the latest one available on CentOS 6.3) and would like to know if there is a way to do a complete backup / restore of the server database for disaster recovery purposes?
 
 
I have been able to successfully export the userRoot db ldif via db2ldif, make some changes, then import the ldif via ldif2db.

However, when I try to build a new server with the same hostname and then import the ldif, that does not work.

The import is successful; however, when trying to log in to the IPA web GUI, I get an error that the admin password has expired. Here is the output when trying to change the password (I have restarted the krb5kdc service at this point, as it was coming up with a different error):

KRB5_TRACE=/dev/stdout kinit admin
[10814] 1356353589.809893: Getting initial credentials for admin at CO.YB.LMAX
[10814] 1356353589.871805: Sending request (176 bytes) to CO.YB.LMAX
[10814] 1356353589.879177: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.888809: Received answer from dgram 10.81.10.234:88
[10814] 1356353589.888893: Response was not from master KDC
[10814] 1356353589.888941: Received error from KDC: -1765328361/Password has expired
[10814] 1356353589.888969: Retrying AS request with master KDC
[10814] 1356353589.888976: Getting initial credentials for admin at CO.YB.LMAX
[10814] 1356353589.889033: Sending request (176 bytes) to CO.YB.LMAX (master)
[10814] 1356353589.889087: Principal expired; getting changepw ticket
[10814] 1356353589.889111: Getting initial credentials for admin at CO.YB.LMAX
[10814] 1356353589.889148: Setting initial creds service to 
[10814] 1356353589.889208: Sending request (174 bytes) to CO.YB.LMAX
[10814] 1356353589.889516: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.901098: Received answer from dgram 10.81.10.234:88
[10814] 1356353589.901326: Response was not from master KDC
[10814] 1356353589.901340: Received error from KDC: -1765328359/Additional pre-authentication required
[10814] 1356353589.901596: Processing preauth types: 2, 136, 19, 133
[10814] 1356353589.901818: Selected etype info: etype aes256-cts, salt "^X"Ed"/E2,L]'Zs)", params ""
[10814] 1356353589.901825: Received cookie: MIT
Password for admin at CO.YB.LMAX: 
[10814] 1356353596.402451: AS key obtained for encrypted timestamp: aes256-cts/78C9
[10814] 1356353596.402608: Encrypted timestamp (for 1356353596.402519): plain 301AA011180F32303132313232343132353331365AA1050203062457, encrypted 491EF490A7BFF756A7681BE9271E7925CCA41CC95916282FEFC3375FFBDC0B2A2E18B8501E81E1E14310762BC15351FE549633ABAB0CAB53
[10814] 1356353596.402627: Produced preauth for next request: 133, 2
[10814] 1356353596.402648: Sending request (269 bytes) to CO.YB.LMAX
[10814] 1356353596.404303: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353596.447924: Received answer from dgram 10.81.10.234:88
[10814] 1356353596.448011: Response was not from master KDC
[10814] 1356353596.448077: Processing preauth types: 19
[10814] 1356353596.448094: Selected etype info: etype aes256-cts, salt "^X"Ed"/E2,L]'Zs)", params ""
[10814] 1356353596.448105: Produced preauth for next request: (empty)
[10814] 1356353596.448116: AS key determined by preauth: aes256-cts/78C9
[10814] 1356353596.448295: Decrypted AS reply; session key is: aes256-cts/A68E
[10814] 1356353596.448376: FAST negotiation: available
[10814] 1356353596.448483: Attempting password change; 3 tries remaining
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
[10814] 1356353604.147282: Creating authenticator for admin at CO.YB.LMAX -> kadmin/changepw at CO.YB.LMAX, seqnum 0, subkey aes256-cts/E782, session key aes256-cts/A68E
[10814] 1356353604.148689: Sending initial UDP request to dgram 10.81.10.234:464
[10814] 1356353604.154628: Received answer from dgram 10.81.10.234:464
kinit: Password change failed while getting initial credentials


Thanks in advance for your help


Viktor Mendes
Systems Administrator
viktor.mendes at lmax.com | http://www.LMAX.com
LMAX, Yellow Building, 1a Nicholas Road, London. W11 4AN 
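
Added example (not part of the original post): a small Python parser for the KRB5_TRACE output above that decodes the numeric KDC error codes and tags each event with the service it came from (port 88 for the KDC, port 464 for kpasswd), so the failing stage of the exchange is visible at a glance. The function and table names are illustrative, and the sample lines are excerpted from the trace in the post.

```python
import re

# Base of the MIT krb5 error table; protocol error code = value - base.
KRB5_BASE = -1765328384
# Only the two protocol codes that occur in the trace are named here.
KDC_ERRORS = {23: "KDC_ERR_KEY_EXPIRED", 25: "KDC_ERR_PREAUTH_REQUIRED"}
PORTS = {88: "kdc", 464: "kpasswd"}

LINE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
SEND = re.compile(r"Sending initial \w+ request to \w+ ([\d.]+):(\d+)")
ERR = re.compile(r"Received error from KDC: (-?\d+)/(.*)")

# Lines excerpted from the trace in the post (not the full output).
TRACE = """\
[10814] 1356353589.879177: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.888941: Received error from KDC: -1765328361/Password has expired
[10814] 1356353589.889516: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.901340: Received error from KDC: -1765328359/Additional pre-authentication required
[10814] 1356353596.404303: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353596.448295: Decrypted AS reply; session key is: aes256-cts/A68E
[10814] 1356353604.148689: Sending initial UDP request to dgram 10.81.10.234:464
[10814] 1356353604.154628: Received answer from dgram 10.81.10.234:464
kinit: Password change failed while getting initial credentials
"""

def summarize(trace):
    """Return (event, service, detail) tuples in the order they occur."""
    events, service = [], None
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            # Lines without a timestamp are prompts or the final kinit error.
            if raw.startswith("kinit:"):
                events.append(("failure", service, raw[len("kinit: "):]))
            continue
        msg = m.group(3)
        send = SEND.search(msg)
        err = ERR.search(msg)
        if send:  # remember which service the next reply belongs to
            service = PORTS.get(int(send.group(2)), "port " + send.group(2))
        elif err:
            code = int(err.group(1)) - KRB5_BASE
            events.append(("kdc_error", service, KDC_ERRORS.get(code, str(code))))
        elif msg.startswith("Decrypted AS reply"):
            events.append(("as_reply_ok", service, ""))
    return events

if __name__ == "__main__":
    for event in summarize(TRACE):
        print(event)
```

On these lines the summary shows the AS exchange with the KDC on port 88 completing, and the final failure following the request sent to kpasswd on port 464.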



