[Freeipa-users] How to backup / restore the FreeIPA server?

Dmitri Pal dpal at redhat.com
Mon Dec 24 14:35:13 UTC 2012


On 12/24/2012 08:11 AM, Viktor Mendes wrote:
> Hi guys,
>
> We are going to use the FreeIPA v2.2.0 (the latest one available on CentOS 6.3) and would like to know if there is a way to do a complete backup / restore of the server database for disaster recovery purposes?
>  

Please see the thread about Backup and Restore earlier this month.
https://www.redhat.com/archives/freeipa-users/2012-December/msg00118.html

>  
> I have been able to successfully export the userRoot db ldif via db2ldif, make some changes, then import the ldif via ldif2db.
>
> However when I try to build a new server with the same hostname, then import the ldif, that does not work.
>
> The import is successful, however when trying to log in to IPA web GUI, I get an error that the admin password has expired. Here is an output when trying to change the password (I have restarted krb5kdc service at this point, as it was coming up with a different error):
>
> KRB5_TRACE=/dev/stdout kinit admin
> [10814] 1356353589.809893: Getting initial credentials for admin at CO.YB.LMAX
> [10814] 1356353589.871805: Sending request (176 bytes) to CO.YB.LMAX
> [10814] 1356353589.879177: Sending initial UDP request to dgram 10.81.10.234:88
> [10814] 1356353589.888809: Received answer from dgram 10.81.10.234:88
> [10814] 1356353589.888893: Response was not from master KDC
> [10814] 1356353589.888941: Received error from KDC: -1765328361/Password has expired
> [10814] 1356353589.888969: Retrying AS request with master KDC
> [10814] 1356353589.888976: Getting initial credentials for admin at CO.YB.LMAX
> [10814] 1356353589.889033: Sending request (176 bytes) to CO.YB.LMAX (master)
> [10814] 1356353589.889087: Principal expired; getting changepw ticket
> [10814] 1356353589.889111: Getting initial credentials for admin at CO.YB.LMAX
> [10814] 1356353589.889148: Setting initial creds service to 
> [10814] 1356353589.889208: Sending request (174 bytes) to CO.YB.LMAX
> [10814] 1356353589.889516: Sending initial UDP request to dgram 10.81.10.234:88
> [10814] 1356353589.901098: Received answer from dgram 10.81.10.234:88
> [10814] 1356353589.901326: Response was not from master KDC
> [10814] 1356353589.901340: Received error from KDC: -1765328359/Additional pre-authentication required
> [10814] 1356353589.901596: Processing preauth types: 2, 136, 19, 133
> [10814] 1356353589.901818: Selected etype info: etype aes256-cts, salt "^X"Ed"/E2,L]'Zs)", params ""
> [10814] 1356353589.901825: Received cookie: MIT
> Password for admin at CO.YB.LMAX: 
> [10814] 1356353596.402451: AS key obtained for encrypted timestamp: aes256-cts/78C9
> [10814] 1356353596.402608: Encrypted timestamp (for 1356353596.402519): plain 301AA011180F32303132313232343132353331365AA1050203062457, encrypted 491EF490A7BFF756A7681BE9271E7925CCA41CC95916282FEFC3375FFBDC0B2A2E18B8501E81E1E14310762BC15351FE549633ABAB0CAB53
> [10814] 1356353596.402627: Produced preauth for next request: 133, 2
> [10814] 1356353596.402648: Sending request (269 bytes) to CO.YB.LMAX
> [10814] 1356353596.404303: Sending initial UDP request to dgram 10.81.10.234:88
> [10814] 1356353596.447924: Received answer from dgram 10.81.10.234:88
> [10814] 1356353596.448011: Response was not from master KDC
> [10814] 1356353596.448077: Processing preauth types: 19
> [10814] 1356353596.448094: Selected etype info: etype aes256-cts, salt "^X"Ed"/E2,L]'Zs)", params ""
> [10814] 1356353596.448105: Produced preauth for next request: (empty)
> [10814] 1356353596.448116: AS key determined by preauth: aes256-cts/78C9
> [10814] 1356353596.448295: Decrypted AS reply; session key is: aes256-cts/A68E
> [10814] 1356353596.448376: FAST negotiation: available
> [10814] 1356353596.448483: Attempting password change; 3 tries remaining
> Password expired.  You must change it now.
> Enter new password: 
> Enter it again: 
> [10814] 1356353604.147282: Creating authenticator for admin at CO.YB.LMAX -> kadmin/changepw at CO.YB.LMAX, seqnum 0, subkey aes256-cts/E782, session key aes256-cts/A68E
> [10814] 1356353604.148689: Sending initial UDP request to dgram 10.81.10.234:464
> [10814] 1356353604.154628: Received answer from dgram 10.81.10.234:464
> kinit: Password change failed while getting initial credentials
>
>
> Thanks in advance for your help
>
>
> Viktor Mendes
> Systems Administrator
> viktor.mendes at lmax.com | http://www.LMAX.com
> LMAX, Yellow Building, 1a Nicholas Road, London. W11 4AN


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
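
An added example, not part of the original messages: a small triage script that reads `KRB5_TRACE` output like the one quoted above and reports the KDC errors, the ports contacted, and the stage at which `kinit` gave up. The function name `summarize` and the stage labels are assumptions made for this sketch; the sample lines are abridged from the quoted trace.

```python
import re

# MIT krb5 trace line: "[pid] epoch.usec: message"
TRACE = re.compile(r"^\[\d+\] (\d+\.\d+): (.*)$")
KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.+)")
SEND = re.compile(r"Sending initial (?:UDP|TCP) request to \w+ [\d.]+:(\d+)")

# Abridged from the trace quoted in the message above.
SAMPLE = """\
> [10814] 1356353589.879177: Sending initial UDP request to dgram 10.81.10.234:88
> [10814] 1356353589.888941: Received error from KDC: -1765328361/Password has expired
> [10814] 1356353589.889087: Principal expired; getting changepw ticket
> [10814] 1356353589.889516: Sending initial UDP request to dgram 10.81.10.234:88
> [10814] 1356353589.901340: Received error from KDC: -1765328359/Additional pre-authentication required
> [10814] 1356353596.404303: Sending initial UDP request to dgram 10.81.10.234:88
> [10814] 1356353596.448295: Decrypted AS reply; session key is: aes256-cts/A68E
> [10814] 1356353596.448483: Attempting password change; 3 tries remaining
> [10814] 1356353604.148689: Sending initial UDP request to dgram 10.81.10.234:464
> [10814] 1356353604.154628: Received answer from dgram 10.81.10.234:464
> kinit: Password change failed while getting initial credentials
"""

def summarize(trace):
    """Return KDC errors, ports contacted, and the stage at which kinit gave up."""
    out = {"kdc_errors": [], "ports": [], "as_reply_decrypted": False,
           "final_error": None, "failed_stage": None}
    for raw in trace.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # drop e-mail quote markers
        m = TRACE.match(line)
        if not m:
            if line.startswith("kinit:"):
                out["final_error"] = line[len("kinit:"):].strip()
            continue
        msg = m.group(2)
        if (e := KDC_ERR.search(msg)):
            out["kdc_errors"].append((int(e.group(1)), e.group(2)))
        elif (s := SEND.search(msg)):
            out["ports"].append(int(s.group(1)))
        elif msg.startswith("Decrypted AS reply"):
            out["as_reply_decrypted"] = True
    if out["final_error"]:
        if out["ports"] and out["ports"][-1] == 464:
            out["failed_stage"] = "password change (kpasswd, port 464)"
        elif not out["as_reply_decrypted"]:
            out["failed_stage"] = "AS exchange (KDC, port 88)"
        else:
            out["failed_stage"] = "after AS exchange"
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted trace this shows that the AS exchange on port 88 completed and the failure came from the password-change request on port 464.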

