[Freeipa-users] export users/groups from one ipa server to another

Rob Crittenden rcritten at redhat.com
Mon Jan 20 16:12:49 UTC 2014


Petr Spacek wrote:
> On 20.1.2014 12:27, Petr Spacek wrote:
>> On 20.1.2014 09:21, Martin Kosek wrote:
>>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>>> Les Stott wrote:
>>>>>>> The first time your migrated production users authenticate with
>>>>>>> their
>>>>>>> password their Kerberos credentials will be generated.
>>>>>>
>>>>>> Is there a way to avoid this?
>>>>>>
>>>>>> I had to do that for importing shadow files originally in DR. Now,
>>>>>> I'm going from FreeIPA to FreeIPA. If I export Kerberos attributes,
>>>>>> will that avoid users having to regenerate the Kerberos credentials?
>>>>>
>>>>> No. The kerberos master keys are different.
>>>>
>>>> Unless you want to copy master keys over.
>>>> This is a complex manual procedure. You can probably find it in the
>>>> archives as we helped people with it a couple of times, but it is not
>>>> recommended.
>>>>
>>>> Maybe we should open an RFE to develop a tool that would do
>>>> ipa-migrate-ipa and can be used to move data from POC to production.
>>>
>>> We have an RFE open for that feature already:
>>>
>>> https://fedorahosted.org/freeipa/ticket/3656
>>>
>>> I added a reference to this discussion on the list. Contributions or
>>> other
>>> ideas are very welcome!
>>
>> It sounds like creating a new replica and then disconnecting the new
>> replica
>> from the old replica.
>>
>> This procedure will copy all keys etc., so be sure you understand
>> security
>> implications for your environment! (Who can get root access to old
>> environment? Who can get root access to the new environment? What will
>> you do
>> if one of them was compromised...?)
>
> I should clarify this:
>
> Maybe we could provide a tool for FreeIPA domain rename, so you
> can create a replica, disconnect the replica and then rename the FreeIPA
> domain to something else (renaming would include master-key regeneration
> etc.).
>
> This solves two problems at once:
> - FreeIPA-to-FreeIPA migration
> - FreeIPA domain renaming
>

There could be some weird side-effects. The certificate subject base is 
not changeable post-install, so you could end up issuing certs with the 
subject of the old realm.

rob