[Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

Sina Owolabi notify.sina at gmail.com
Tue Jun 2 15:53:53 UTC 2015


Thanks Martin, Rob,

but I think I am totally lost... I was able to migrate-ds, but I think
along the way I broke the replica. Errors I am seeing in the IPA
clients are like so:

Jun  2 16:33:11 ipaclient1 [sssd[ldap_child[27865]]]: Client
'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database
Jun  2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Client
'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database
Jun  2 16:33:57 ipaclient1 certmonger: Server failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction.
Couldn't resolve host 'services01.mydom.com').
Jun  2 16:39:28 ipaclient1 certmonger: Server failed request, will
retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
Jun  2 16:44:59 ipaclient1 certmonger: Server failed request, will
retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Client
'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Client
'host/ipaclient1.mydom.com at MYDOM.COM' not found in Kerberos database


I've been editing and trying to import data from the ldif I was able
to export out of the CA-less replica. No luck so far.

On Tue, Jun 2, 2015 at 1:43 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Martin Kosek wrote:
>>
>> On 06/01/2015 02:19 AM, Sina Owolabi wrote:
>>>
>>> Hi!
>>>
>>> I am still stumbling along with this, I have had my IPA domain
>>> destroyed and currently only a CA-less replica is left running the
>>> network.
>>> The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.
>>> I am trying to setup a fresh CA-master and I have exported the data in
>>> the replica into ldif and bak folders in
>>> /var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories.
>>> I have copied these files and folders to the fresh install, which is
>>> running RHEL7.1.
>>> If I can complete an install, I plan to destroy the existing replica
>>> and install from scratch 2 new ones just to be safe.
>>>
>>> Please can someone direct me in properly editing the ldif file or the
>>> bak archivedir to make it useful for the new CA master? I have already
>>> deleted the existing replication agreements between the CA-less
>>> replica and the lost CA master (the new fresh install is the same
>>> hostname).
>>> Importing data is successful, but then IPA refuses to run afterwards
>>> with different error messages.
>>>
>>> Thanks for any light shown my way.
>>>
>>
>> Let me reiterate to see if I understood your scenario correctly:
>>
>> - you had CA-powered FreeIPA infrastructure, with just one FreeIPA
>> server with CA service running
>> - the single FreeIPA+CA server was lost (I would suggest having more of
>> those in the future or using backup (snapshot or ipa-backup))
>> - you now want to install a brand new FreeIPA server and add data from
>> the old FreeIPA installation.
>>
>> This is quite tricky, you can just add data from old FreeIPA server to
>> the new server - the new FreeIPA server will have different Kerberos
>> master key, different CA key. All this and derived data would be
>> invalid. If you backed up the FreeIPA+CA master, I assume the PKI could
>> be recreated, but it does not seem as the case.
>>
>> In that case, I am afraid you would need to start a new infrastructure
>> and migrate old data, I put short description on how to migrate one
>> FreeIPA to other FreeIPA on the wiki:
>>
>>
>> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>
>
> I guess it depends on what data you want/need to preserve from the original
> IPA installation and calculate which is more time consuming: crafting an
> LDIF to import or re-adding the data manually.
>
> If you want to import from an LDIF, in general you need to:
> - exclude any IPA master information (hosts, services, cn=masters, etc.).
> - exclude the admin user
> - exclude any krbPrincipalKey values
> - exclude any userCertificate values
>
> You'll need to enable migration mode so your users can generate their
> Kerberos principal keys.
>
> Also consider the UID range. If you installed the new master using the same
> range you'll probably want to modify the DNA range to mask out the
> already-assigned values.
>
> If you used the same fqdn and REALM the import is easier.
>
> You'll also need to re-enroll every client machine and browsers will need to
> re-import the CA cert. Expect conflicts.
>
> I probably forgot some things too. It is not a super simple process though,
> and requires some understanding of IPA and its data.
>
> So like I said, possible, but it can be problematic and expect several
> iterations of:
>
> - import ldif
> - test
> - uninstall / reinstall
> - goto import
>
> rob
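As an added example (not code from the thread or from the FreeIPA project), a small Python filter that applies Rob's exclusion list to a db2ldif-style export: whole entries under cn=masters, host and service entries, and the admin user are dropped, and krbPrincipalKey and userCertificate values are stripped from everything else. The container DNs (cn=computers and cn=services under cn=accounts, cn=masters,cn=ipa,cn=etc) assume the standard IPA layout under the real base suffix; the function names and the SAMPLE export are constructed for illustration.

```python
import base64
import re
DROP_ATTRS = {"krbprincipalkey", "usercertificate"}  # Rob's two attribute types

def drop_dn_patterns(suffix):
    """Master, host, service and admin DNs; standard IPA containers assumed."""
    s = re.escape(suffix)
    return [re.compile(p % s, re.I) for p in (
        r"(^|,)cn=masters,cn=ipa,cn=etc,%s$",
        r"^fqdn=[^,]+,cn=computers,cn=accounts,%s$",
        r"^krbprincipalname=[^,]+,cn=services,cn=accounts,%s$",
        r"^uid=admin,cn=users,cn=accounts,%s$")]

def parse_ldif(text):
    """Entries as lists of (attr, raw); raw keeps the LDIF separator syntax."""
    entries, cur = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"): continue   # comment lines
        if not line.strip():                # blank line ends an entry
            if cur: entries.append(cur)
            cur = []
        elif line.startswith(" "):          # folded continuation of previous value
            cur[-1] = (cur[-1][0], cur[-1][1] + line[1:])
        else:
            attr, _, raw = line.partition(":")
            cur.append((attr, raw))
    return entries

def sanitize(text, suffix):
    """Drop whole master/admin entries; strip key/cert attrs (incl. ;binary) elsewhere."""
    patterns, kept, dropped = drop_dn_patterns(suffix), [], []
    for entry in parse_ldif(text):
        raw = next(v for a, v in entry if a.lower() == "dn")
        dn = base64.b64decode(raw[1:]).decode() if raw.startswith(":") else raw.strip()
        if any(p.search(dn) for p in patterns):
            dropped.append(dn)
            continue
        kept.append("\n".join(f"{a}:{v}" for a, v in entry
                              if a.split(";")[0].lower() not in DROP_ATTRS))
    return "\n\n".join(kept) + "\n", dropped

# Constructed sample export (not real data): a user with key and folded cert, a host.
SAMPLE = """dn: uid=jdoe,cn=users,cn=accounts,dc=mydom,dc=com
uid: jdoe
krbPrincipalKey:: AAECAw==
userCertificate;binary:: MIIB
 AAAA

dn: fqdn=ipaclient1.mydom.com,cn=computers,cn=accounts,dc=mydom,dc=com
"""
```

The returned list of dropped DNs is worth keeping as a record of what did not make it into the new master, since those hosts and services are exactly the ones that must be re-enrolled.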