[Freeipa-users] FreeIPA - Help ...

Martin Kosek mkosek at redhat.com
Fri May 24 14:18:20 UTC 2013 

On 05/24/2013 03:34 PM, Simo Sorce wrote:
> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>> Greetings,
>>
>> I was told to bring my issue to this distribution.
>>
>> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>> Authentication server.  After a 
>> month of headaches I finally got it to work - Then I relaized it would
>> be a monster to maintain.  Then a 
>> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
>> amazed.  Runs great.  We love it.
>>
>> ...A few days ago, I was notified I have to change my domain/REALM in
>> FreeIPA.  I read the manual,
>> google searches ... crickets.  I hear crickets.  I started spitting
>> blood in the trash can.
>>
>> I joined a forum and asked for any information, and I was pointed
>> here....so...here goes...
>>
>>
>> My Current Configuration
>>
>> - We have two (2) servers.  Both are installed with
>> ipa-server-3.0.0-26.el6_4.2.x86_64.
>>   One is a replica server.
>>
>> Domain:  my.network.domain
>> Realm:    MY.NETWORK.DOMAIN
>>
>>
>> New Proposed Configuration
>>
>> Domain: my.local.network.domain
>> Realm: MY.LOCAL.NETWORK.DOMAIN
>>
>>
>>
>> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>> does everything under the hood for you,
>> and the horror is that it does everything under the hood for you!
>> There seem to be so many tentacles with 
>> KERBEROS that I am afraid of jacking something up.  
>>
>> Now, I have written a script that uses ipa to create all of my users -
>> except the passwords.  So, what I was thinking 
>> is to shut down the replica server, re-kick it, re-install FreeIPA
>> with the new domain/REALM and then run my deploy 
>> users script.  It would be my new master.  But then I would have to
>> have "each" user log in and change their password.  
>> Then take the second server and make it the replica.
>>
>> Question #1:  Is this a stupid idea....  Is there a way (documented or
>> not) that I can simply change my domain/REALM?  
>>                     Am I making this too hard?
>>
>> Question #2: Is there a way to backup the users passwords and then
>> after I re-kick, install ipa and create my users ... I 
>>                    can simply "import" this information into the new
>> ipa instance.
>>
>> Any and all suggestions are greatly appreciated...
> 
> I would look at the migration pages. You can probably use migration mode
> to migrate user data from one FreeIPa install to the other and then the
> migration mode of sssd to validate and recompute the kerberos keys.
> 
> 
> See this for some guidance:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> 
> Simo.
> 

Simo, on a side note - I am thinking, would it make sense to create a new
command "ipa migrate-ipa" which would migrate data from other IPA installation?
I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?

I came across several user cases where creating a replica was not an option and
migration like this would have been beneficial.

Martin

More information about the Freeipa-users mailing list