[Freeipa-users] FreeIPA - Help ...

Rob Crittenden rcritten at redhat.com
Fri May 24 15:06:53 UTC 2013


Sigbjorn Lie wrote:
> Me too. +1 for ipa to ipa migration.

I filed a ticket to track this, https://fedorahosted.org/freeipa/ticket/3656

rob

>
> Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 05/24/2013 03:34 PM, Simo Sorce wrote:
>>> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>>>> Greetings,
>>>>
>>>> I was told to bring my issue to this distribution.
>>>>
>>>> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>>>> Authentication server.  After a month of headaches I finally got it
>>>> to work - Then I realized it would be a monster to maintain.  Then a
>>>> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
>>>> amazed.  Runs great.  We love it.
>>>>
>>>> ...A few days ago, I was notified I have to change my domain/REALM
>>>> in FreeIPA.  I read the manual, google searches ... crickets.  I hear
>>>> crickets.  I started spitting blood in the trash can.
>>>>
>>>> I joined a forum and asked for any information, and I was pointed
>>>> here....so...here goes...
>>>>
>>>>
>>>> My Current Configuration
>>>>
>>>> - We have two (2) servers.  Both are installed with
>>>>   ipa-server-3.0.0-26.el6_4.2.x86_64.  One is a replica server.
>>>>
>>>> Domain:  my.network.domain
>>>> Realm:    MY.NETWORK.DOMAIN
>>>>
>>>>
>>>> New Proposed Configuration
>>>>
>>>> Domain: my.local.network.domain
>>>> Realm: MY.LOCAL.NETWORK.DOMAIN
>>>>
>>>>
>>>>
>>>> Sounds easy - but the paradox is ... the beauty of FreeIPA is that
>>>> it does everything under the hood for you, and the horror is that it
>>>> does everything under the hood for you!  There seem to be so many
>>>> tentacles with KERBEROS that I am afraid of jacking something up.
>>>>
>>>> Now, I have written a script that uses ipa to create all of my users
>>>> - except the passwords.  So, what I was thinking is to shut down the
>>>> replica server, re-kick it, re-install FreeIPA with the new
>>>> domain/REALM and then run my deploy users script.  It would be my new
>>>> master.  But then I would have to have "each" user log in and change
>>>> their password.  Then take the second server and make it the replica.
>>>>
>>>> Question #1:  Is this a stupid idea....  Is there a way (documented
>>>> or not) that I can simply change my domain/REALM?  Am I making this
>>>> too hard?
>>>>
>>>> Question #2: Is there a way to backup the users passwords and then
>>>> after I re-kick, install ipa and create my users ... I can simply
>>>> "import" this information into the new ipa instance.
>>>>
>>>> Any and all suggestions are greatly appreciated...
>>>
>>> I would look at the migration pages. You can probably use migration
>>> mode to migrate user data from one FreeIPA install to the other and
>>> then the migration mode of sssd to validate and recompute the kerberos
>>> keys.
>>>
>>>
>>> See this for some guidance:
>>>
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>>>
>>> Simo.
>>>
>>
>> Simo, on a side note - I am thinking, would it make sense to create a
>> new command "ipa migrate-ipa" which would migrate data from other IPA
>> installation?  I.e. it would migrate users, groups, hosts, sudo, hbac,
>> automount, etc?
>>
>> I came across several user cases where creating a replica was not an
>> option and migration like this would have been beneficial.
>>
>> Martin
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>