[Freeipa-users] export users/groups from one ipa server to another

Petr Spacek pspacek at redhat.com
Mon Jan 20 11:27:17 UTC 2014


On 20.1.2014 09:21, Martin Kosek wrote:
> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>> Les Stott wrote:
>>>>> The first time your migrated production users authenticate with their
>>>>> password their Kerberos credentials will be generated.
>>>>
>>>> Is there a way to avoid this?
>>>>
>>>> I had to do that for importing shadow files originally in DR. Now,
>>>> I'm going from freeipa to freeipa. If I export kerberos attributes,
>>>> will that avoid users having to regenerate the kerberos credentials?
>>>
>>> No. The kerberos master keys are different.
>>
>> Unless you want to copy master keys over.
>> This is a complex manual procedure. You can probably find it in the
>> archives as we helped people with it a couple of times, but it is not recommended.
>>
>> Maybe we should open an RFE to develop a tool that would do
>> ipa-migrate-ipa and can be used to move data from POC to production.
>
> We have an RFE open for that feature already:
>
> https://fedorahosted.org/freeipa/ticket/3656
>
> I added a reference to this discussion on the list. Contributions or other
> ideas are very welcome!

It sounds like creating a new replica and then disconnecting the new replica 
from the old replica.

This procedure will copy all keys etc., so be sure you understand the security 
implications for your environment! (Who can get root access to the old 
environment? Who can get root access to the new environment? What will you do 
if one of them was compromised...?)

-- 
Petr^2 Spacek



