[Freeipa-users] Fwd: Scorched earth

Dmitri Pal dpal at redhat.com
Thu Aug 29 00:30:34 UTC 2013


On 08/28/2013 10:16 AM, Bret Wortman wrote:
> Ugh. Well that certainly hurts, but I just don't see an alternative. I
> hope Puppet can at least make the re-enrollment a bit easier.
>
> I'm still hand-copying some of the configuration and user group
> details and crafting the load scripts so if anyone has a bright idea
> in the next few hours, I'd love to hear it!
>
>
> *Bret Wortman*
>
> http://damascusgrp.com/
> http://about.me/wortmanbret
>
>
> On Wed, Aug 28, 2013 at 9:56 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>     Bret Wortman wrote:
>
>         Today, I'm going to wipe my master, install f18 from scratch, then
>         install the freeipa-server RPMs again and manually load all our
>         hosts, dns entries, and users from scratch (I'm building scripts
>         to do this for me using the command line tools). We'll then do the
>         same for each replica so that our system will basically be
>         starting clean again.
>
>         Are there any files that I really ought to back up and restore as
>         part of this effort, like certificates, that might make it easier
>         for clients to deal with us after the master comes back on line?
>         Or am I safe to just nuke the box and start clean?
>
>
>     You'll end up with a new CA so you'll need to re-enroll any client
>     machines. Browsers will see the most grief as there will be a
>     different CA with the same subject.
>
>     Depending on how you are migrating your users they will all likely
>     need to reset their passwords, or go through the migration step.
>

And the migration step means you carry forward user data as if you migrated
from an LDAP server. In this case you can complete the migration using
either a migration web page or just using SSSD. If migration is
enabled and you migrated LDAP password attributes from the older IPA,
then SSSD and/or the migration page would be able to capture the user password
and create Kerberos hashes, completing the migration. This at least would
not require people to change their passwords.

>
>     rob


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
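
The reply above says that a carried-forward LDAP password hash lets a user's first password login complete the migration without a reset. The following is an added example, not code from this thread or from FreeIPA, that simulates that flow. The {SSHA} hash format, the realm EXAMPLE.COM, the user alice, the dict standing in for an LDAP entry, and all function names are assumptions, and the PBKDF2 stage stands in for real Kerberos key generation.

```python
import base64, hashlib, hmac, os

REALM = "EXAMPLE.COM"  # constructed realm, not from the thread

def ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} userPassword value: base64(SHA1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: str) -> bool:
    """Verify a bind password against a migrated {SSHA} hash."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)

def derive_krb_material(uid: str, password: str) -> bytes:
    """PBKDF2 stage of the RFC 3962 AES string-to-key (salt = realm + name).
    Stand-in for real key generation; the final DK() step is omitted."""
    salt = (REALM + uid).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)

def migration_bind(entry: dict, password: str, migration_enabled: bool) -> bool:
    """Simulate the bind; on success in migration mode, fill in missing keys."""
    if not check_ssha(entry["userPassword"], password):
        return False  # wrong password: nothing is captured or generated
    if migration_enabled and "krbPrincipalKey" not in entry:
        # Only here is the cleartext available, so only here can keys be made.
        entry["krbPrincipalKey"] = derive_krb_material(entry["uid"], password)
    return True

def demo() -> dict:
    # Constructed entry as it would look after carrying the hash forward:
    # a password hash is present, Kerberos keys are not.
    entry = {"uid": "alice", "userPassword": ssha("S3cret-pw", os.urandom(8))}
    return {"wrong_pw": migration_bind(entry, "guess", True),
            "keys_after_wrong_pw": "krbPrincipalKey" in entry,
            "bind_no_migration": migration_bind(entry, "S3cret-pw", False),
            "keys_no_migration": "krbPrincipalKey" in entry,
            "bind_migration": migration_bind(entry, "S3cret-pw", True),
            "keys_migration": "krbPrincipalKey" in entry}

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hash alone cannot produce Kerberos keys because it is one-way, which is why the keys appear only after a successful bind with migration enabled.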

