[Freeipa-users] FreeIPA - Help ...
Martin Kosek
mkosek at redhat.com
Fri May 24 14:18:20 UTC 2013
On 05/24/2013 03:34 PM, Simo Sorce wrote:
> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>> Greetings,
>>
>> I was told to bring my issue to this distribution.
>>
>> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>> Authentication server. After a
>> month of headaches I finally got it to work - Then I realized it would
>> be a monster to maintain. Then a
>> peer asked me to have a look at FreeIPA. Wow. Installed it - was
>> amazed. Runs great. We love it.
>>
>> ...A few days ago, I was notified I have to change my domain/REALM in
>> FreeIPA. I read the manual,
>> google searches ... crickets. I hear crickets. I started spitting
>> blood in the trash can.
>>
>> I joined a forum and asked for any information, and I was pointed
>> here....so...here goes...
>>
>>
>> My Current Configuration
>>
>> - We have two (2) servers. Both are installed with
>> ipa-server-3.0.0-26.el6_4.2.x86_64.
>> One is a replica server.
>>
>> Domain: my.network.domain
>> Realm: MY.NETWORK.DOMAIN
>>
>>
>> New Proposed Configuration
>>
>> Domain: my.local.network.domain
>> Realm: MY.LOCAL.NETWORK.DOMAIN
>>
>>
>>
>> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>> does everything under the hood for you,
>> and the horror is that it does everything under the hood for you!
>> There seem to be so many tentacles with
>> KERBEROS that I am afraid of jacking something up.
>>
>> Now, I have written a script that uses ipa to create all of my users -
>> except the passwords. So, what I was thinking
>> is to shut down the replica server, re-kick it, re-install FreeIPA
>> with the new domain/REALM and then run my deploy
>> users script. It would be my new master. But then I would have to
>> have "each" user log in and change their password.
>> Then take the second server and make it the replica.
>>
>> Question #1: Is this a stupid idea.... Is there a way (documented or
>> not) that I can simply change my domain/REALM?
>> Am I making this too hard?
>>
>> Question #2: Is there a way to backup the users passwords and then
>> after I re-kick, install ipa and create my users ... I
>> can simply "import" this information into the new
>> ipa instance.
>>
>> Any and all suggestions are greatly appreciated...
>
> I would look at the migration pages. You can probably use migration mode
> to migrate user data from one FreeIPA install to the other and then the
> migration mode of sssd to validate and recompute the kerberos keys.
>
>
> See this for some guidance:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>
> Simo.
>
Simo, on a side note - I am thinking, would it make sense to create a new
command "ipa migrate-ipa" which would migrate data from another IPA installation?
I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
I came across several use cases where creating a replica was not an option and
migration like this would have been beneficial.
Martin
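The following is an added illustration of the point Simo makes above, not code from the thread or from the FreeIPA project. It shows why the Kerberos keys cannot simply be exported from the old realm and imported into the new one, and what migration mode has to work with instead. The default Kerberos salt (RFC 4120) is the realm name followed by the principal's name components, so the same password yields a different long-term key under MY.LOCAL.NETWORK.DOMAIN than under MY.NETWORK.DOMAIN; the RFC 3962 PBKDF2 stage below makes that visible. The LDAP password hash (userPassword) is not realm-bound, which is what IPA migration mode relies on: when a migrated user performs an LDAP bind with the correct password, the server can regenerate Kerberos keys for the new realm. The LDIF sample, the user names and the key/hash blobs are constructed placeholders; the rewriter handles plain and base64 (`::`) values and folded continuation lines, nothing more.

```python
"""Rewrite a constructed IPA user LDIF export for a new domain/realm.

Realm-bound Kerberos keys (krbPrincipalKey) are dropped; DNs and
principal names are moved to the new suffix/realm; userPassword is kept
so that IPA migration mode can regenerate keys on the user's first bind.
"""
import hashlib

OLD_DOMAIN = "my.network.domain"        # current domain from the thread
NEW_DOMAIN = "my.local.network.domain"  # proposed new domain

# Attributes whose value depends on the realm (key salt embeds the realm).
REALM_BOUND_ATTRS = {"krbprincipalkey"}

# Constructed sample export (not real data). The base64 blobs are
# placeholders, not real keys or password hashes.
SAMPLE_LDIF = """\
dn: uid=tainsworth,cn=users,cn=accounts,dc=my,dc=network,dc=domain
objectClass: person
objectClass: krbprincipalaux
uid: tainsworth
cn: Thomas Ainsworth
krbPrincipalName: tainsworth@MY.NETWORK.DOMAIN
userPassword: {SSHA}Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbm90LWEtcmVhbC1oYXNo
krbPrincipalKey:: cGxhY2Vob2xkZXIta2V5LWJsb2I=

dn: uid=jdoe,cn=users,cn=accounts,dc=my,dc=network,dc=domain
objectClass: person
objectClass: krbprincipalaux
uid: jdoe
cn: Jane Doe
krbPrincipalName: jdoe@MY.NETWORK.DOMAIN
userPassword: {SSHA}YW5vdGhlci1jb25zdHJ1Y3RlZC1wbGFjZWhvbGRlcg==
krbPrincipalKey:: YW5vdGhlci1wbGFjZWhvbGRlci1ibG9i
"""


def domain_to_suffix(domain):
    """my.network.domain -> dc=my,dc=network,dc=domain"""
    return ",".join("dc=" + label for label in domain.lower().split("."))


def domain_to_realm(domain):
    """Kerberos realm is the upper-cased DNS domain."""
    return domain.upper()


def default_salt(realm, principal):
    """RFC 4120 default salt: realm, then the principal's name components
    concatenated with no separators (host/a.b -> REALMhosta.b)."""
    return realm + "".join(principal.split("/"))


def string_to_key_stage1(password, salt, iterations=4096, keylen=16):
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 AES string-to-key. The real key
    is DK(tkey, "kerberos") applied on top; this stage already shows that
    a different salt (realm) gives a different key for the same password."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode(), salt.encode(), iterations, keylen
    ).hex()


def parse_ldif(text):
    """Minimal LDIF parser: entries as lists of (attr, value, is_base64)."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:  # folded continuation line
            attr, value, b64 = current[-1]
            current[-1] = (attr, value + raw[1:], b64)
            continue
        attr, _, rest = raw.partition(":")
        b64 = rest.startswith(":")
        value = rest[1:].strip() if b64 else rest.strip()
        current.append((attr, value, b64))
    if current:
        entries.append(current)
    return entries


def rewrite_entry(entry, old_domain, new_domain):
    """Move one entry to the new suffix/realm and drop realm-bound keys."""
    old_suffix, new_suffix = domain_to_suffix(old_domain), domain_to_suffix(new_domain)
    old_realm, new_realm = domain_to_realm(old_domain), domain_to_realm(new_domain)
    out = []
    for attr, value, b64 in entry:
        if attr.lower() in REALM_BOUND_ATTRS:
            continue  # keys from the old realm are useless in the new one
        if attr.lower() == "dn" and value.lower().endswith(old_suffix):
            value = value[: -len(old_suffix)] + new_suffix
        elif not b64 and value.endswith("@" + old_realm):
            value = value[: -len(old_realm)] + new_realm  # krbPrincipalName etc.
        out.append((attr, value, b64))
    return out


def serialize_ldif(entries):
    blocks = []
    for entry in entries:
        blocks.append("\n".join(f"{a}:: {v}" if b else f"{a}: {v}" for a, v, b in entry))
    return "\n\n".join(blocks) + "\n"


def rewrite_ldif(text, old_domain, new_domain):
    return serialize_ldif(rewrite_entry(e, old_domain, new_domain) for e in parse_ldif(text))


if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE_LDIF, OLD_DOMAIN, NEW_DOMAIN))
    for domain in (OLD_DOMAIN, NEW_DOMAIN):
        salt = default_salt(domain_to_realm(domain), "tainsworth")
        print(domain_to_realm(domain), salt, string_to_key_stage1("correct horse", salt))
```

Run it and the two salt lines at the end show the same password producing different PBKDF2 output for the two realms; that is the reason the thread's users would still have to authenticate once against the new realm (via migration mode) rather than having their keys copied.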