[Freeipa-users] FreeIPA - Help ...

Ainsworth, Thomas tainsworth at vsi-corp.com
Fri May 24 14:52:18 UTC 2013


Fellows,

That capability would be awesome!  Just what I need...

Let me know if it is possible and what kind of time frame you expect it to
happen...

Thanks,

Tom

On Fri, May 24, 2013 at 10:18 AM, Martin Kosek <mkosek at redhat.com> wrote:

> On 05/24/2013 03:34 PM, Simo Sorce wrote:
> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> >> Greetings,
> >>
> >> I was told to bring my issue to this distribution.
> >>
> >> Six months or so ago I was tasked with setting up a Kerberos/LDAP
> >> Authentication server.  After a
> >> month of headaches I finally got it to work - Then I realized it would
> >> be a monster to maintain.  Then a
> >> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
> >> amazed.  Runs great.  We love it.
> >>
> >> ...A few days ago, I was notified I have to change my domain/REALM in
> >> FreeIPA.  I read the manual,
> >> google searches ... crickets.  I hear crickets.  I started spitting
> >> blood in the trash can.
> >>
> >> I joined a forum and asked for any information, and I was pointed
> >> here....so...here goes...
> >>
> >>
> >> My Current Configuration
> >>
> >> - We have two (2) servers.  Both are installed with
> >> ipa-server-3.0.0-26.el6_4.2.x86_64.
> >>   One is a replica server.
> >>
> >> Domain:  my.network.domain
> >> Realm:    MY.NETWORK.DOMAIN
> >>
> >>
> >> New Proposed Configuration
> >>
> >> Domain: my.local.network.domain
> >> Realm: MY.LOCAL.NETWORK.DOMAIN
> >>
> >>
> >>
> >> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
> >> does everything under the hood for you,
> >> and the horror is that it does everything under the hood for you!
> >> There seem to be so many tentacles with
> >> KERBEROS that I am afraid of jacking something up.
> >>
> >> Now, I have written a script that uses ipa to create all of my users -
> >> except the passwords.  So, what I was thinking
> >> is to shut down the replica server, re-kick it, re-install FreeIPA
> >> with the new domain/REALM and then run my deploy
> >> users script.  It would be my new master.  But then I would have to
> >> have "each" user log in and change their password.
> >> Then take the second server and make it the replica.
> >>
> >> Question #1:  Is this a stupid idea....  Is there a way (documented or
> >> not) that I can simply change my domain/REALM?
> >>                     Am I making this too hard?
> >>
> >> Question #2: Is there a way to backup the users passwords and then
> >> after I re-kick, install ipa and create my users ... I
> >>                    can simply "import" this information into the new
> >> ipa instance.
> >>
> >> Any and all suggestions are greatly appreciated...
> >
> > I would look at the migration pages. You can probably use migration mode
> > to migrate user data from one FreeIPA install to the other and then the
> > migration mode of sssd to validate and recompute the kerberos keys.
> >
> >
> > See this for some guidance:
> >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> >
> > Simo.
> >
>
> Simo, on a side note - I am thinking, would it make sense to create a new
> command "ipa migrate-ipa" which would migrate data from other IPA
> installation?
> I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
>
> I came across several use cases where creating a replica was not an
> option and
> migration like this would have been beneficial.
>
> Martin
>
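Simo's suggestion relies on migrated accounts regenerating their Kerberos keys the first time each user authenticates through SSSD's migration mode. As an added example (not code from this thread or from FreeIPA itself), the script below audits an LDIF export of the new server's user container after `ipa migrate-ds` and lists accounts whose principal still carries the old realm or that have no krbPrincipalKey yet; the LDIF sample is constructed, and the attribute names are assumed to match those FreeIPA's KDC backend stores.

```python
OLD_REALM = "MY.NETWORK.DOMAIN"
NEW_REALM = "MY.LOCAL.NETWORK.DOMAIN"

# Constructed sample: a minimal LDIF export of cn=users on the new server.
# 'krbPrincipalKey::' is base64 in real exports; only its presence matters here.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=my,dc=local,dc=network,dc=domain
uid: alice
krbPrincipalName: alice@MY.LOCAL.NETWORK.DOMAIN
krbPrincipalKey:: AAAA
userPassword: {SSHA}placeholder

dn: uid=bob,cn=users,cn=accounts,dc=my,dc=local,dc=network,dc=domain
uid: bob
krbPrincipalName: bob@MY.LOCAL.NETWORK.DOMAIN
userPassword: {SSHA}placeholder

dn: uid=carol,cn=users,cn=accounts,dc=my,dc=local,dc=network,dc=domain
uid: carol
krbPrincipalName: carol@MY.NETWORK.DOMAIN
userPassword: {SSHA}placeholder
"""

def parse_ldif(text):
    """Parse a plain LDIF dump into a list of {attr: [values]} dicts."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line.strip():                       # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif line.startswith(" ") and last_attr:   # folded continuation line
            current[last_attr][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last_attr = attr.strip()
            current.setdefault(last_attr, []).append(value.lstrip(":").strip())
    if current:
        entries.append(current)
    return entries

def audit_migration(ldif_text, old_realm, new_realm):
    """Return {uid: [problems]} for users that are not fully migrated."""
    problems = {}
    for e in parse_ldif(ldif_text):
        uid, issues = e.get("uid", ["?"])[0], []
        for princ in e.get("krbPrincipalName", []):
            if princ.upper().endswith("@" + old_realm):
                issues.append("principal still in old realm: " + princ)
            elif not princ.upper().endswith("@" + new_realm):
                issues.append("principal in unexpected realm: " + princ)
        if "krbPrincipalKey" not in e:    # no keys until first migration-mode login
            issues.append("no Kerberos keys yet; user has not logged in via migration mode")
        if issues:
            problems[uid] = issues
    return problems

if __name__ == "__main__":
    for uid, issues in audit_migration(SAMPLE_LDIF, OLD_REALM, NEW_REALM).items():
        print(uid, "->", "; ".join(issues))
```

Run it against a real export (for example `ldapsearch -LLL` output of the users container) to see which accounts still need a password-backed login before the old server is retired.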