[Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica

Martin Kosek mkosek at redhat.com
Tue May 26 07:14:32 UTC 2015


On 05/26/2015 09:04 AM, Sina Owolabi wrote:
> Hi Martin
>
> I actually mean restore. It's a complicated situation... There once was a
> primary and its CA replica. The primary got hosed and was cloned a few years
> ago from the replica. Then the replica got hosed a few times too, saved by the
> "primary", only now it wouldn't install a CA during replica setup. Now the
> cloned primary got hosed (it sees itself as a clone and, being the only CA,
> has nowhere to go to renew certs). We opted to reinstall a fresh primary and
> now we are looking for how to copy existing data from the standing CA-less
> replica (everything is the same: realms, DNS hosts, HBAC, sudo rules, etc.)
> to the freshly installed CA primary.

What do you mean by "hosed" replica? Do you know why it happened? This is 
obviously something that should not happen with FreeIPA, it being the backbone 
of the infrastructure.

This is another reason why I think you should rather build your infrastructure 
on RHEL-7.1, which has more Backup&Restore options (ipa-backup, ipa-restore):

https://www.freeipa.org/page/Backup_and_Restore

> This would be amazing if we could or
> we'll have to setup the entire network and rules from scratch.
> I would really appreciate some example commands we could run to import data
> into the new primary.  We've already run db2bak and db2ldif on the replica to
> export from a helpful script we found in a thread.
> I hope you can help us!

If the realms are the same, I think db2ldif and then importing the LDIF can be very 
effective in restoring the DNS, HBAC, SUDO entries. You may just need to 
extract those from the LDIF and then ldapadd them to your server so that you do 
not overwrite other critical settings.

As I wrote below, certificates or Kerberos keys cannot be that easily migrated 
and you would need to rebuild the keytabs when the services are created 
(ipa-getkeytab).

I do not have any other specific scripts or examples at hand; maybe other users 
here have something.

Martin

>
>
> On Tue, May 26, 2015, 7:42 AM Martin Kosek <mkosek at redhat.com
> <mailto:mkosek at redhat.com>> wrote:
>
>     On 05/25/2015 05:46 PM, Sina Owolabi wrote:
>      > Hi!
>      >
>      > Please how do I restore data to a freshly reinstalled IPA server from
>      > an existing CA-less replica that has had replication agreements
>      > removed?
>
>     By restore, you mean actually migrate? We have a pending RFE for this:
>     https://fedorahosted.org/freeipa/ticket/3656
>
>     Migration of users/groups can be done via migrate-ds command. Migration of
>     SUDO/HBAC/automount/... can be done by LDIF export and import (with some
>     changes to realms, etc.). But we have no automated way to migrate Kerberos
>     keys or certificates as the underlying keys are different.
>
>      > Both servers are running rhel 6.6 with ipa-server versions 3.0.0
>      > ( For some reason the IPA servers do not upgrade beyond this version).
>
>     If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x. RHEL-7.1
>     has FreeIPA 4.1, which is much cooler than 3.0.0 :-) This is what we
>     recommend for new deployments anyway.
>
>      > I have been searching for information from RHEL knowledgebase and from
>      > the FreeIPA site but I do not find information that exactly matches my
>      > situation.
>      >
>      > I am grateful for any assistance in this.
>      >
>      >
>      > Thanks!
>      >
>
>     HTH,
>     Martin
>
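
A worked example of the LDIF-subset step Martin describes above (dump with db2ldif, keep only the HBAC, sudo and DNS subtrees, strip what ldapadd will not accept, then ldapadd the rest), as added code that is not part of this thread; the container DNs, the operational-attribute list and the sample export below are assumptions.

```python
# Server-managed attributes in a 389-ds db2ldif dump that ldapadd rejects (assumed list).
OPERATIONAL_ATTRS = {"nsuniqueid", "creatorsname", "modifiersname",
                     "createtimestamp", "modifytimestamp", "entryusn"}

def ldif_records(text):
    """Split LDIF into records, each a list of unfolded attribute lines."""
    records, rec = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and rec:      # folded continuation line
            rec[-1] += raw[1:]
        elif raw:
            rec.append(raw)
        elif rec:                            # blank line ends a record
            records.append(rec)
            rec = []
    return records

def extract_subtrees(text, containers):
    """Keep entries strictly below one of `containers` (case-insensitive DN
    suffix match), minus operational attrs. Returns (ldif_text, kept_dns)."""
    suffixes = tuple("," + c.lower() for c in containers)
    out, kept = [], []
    for rec in ldif_records(text):
        dn = rec[0][3:].strip() if rec[0].startswith("dn:") else ""
        if not dn.lower().endswith(suffixes):
            continue
        kept.append(dn)
        out.append("\n".join(l for l in rec
                             if l.split(":", 1)[0].lower() not in OPERATIONAL_ATTRS))
    return "\n\n".join(out) + "\n", kept

# Constructed sample export (not a real dump); FreeIPA's container layout under
# cn=hbac, cn=sudo and cn=dns is assumed.
SAMPLE = """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
nsUniqueId: 11111111-1111-1111-1111-111111111111

dn: ipaUniqueID=aaaa-1,cn=hbac,dc=example,dc=com
cn: allow_ssh
description: rule text folded
  across two lines
modifyTimestamp: 20150526000000Z

dn: ipaUniqueID=bbbb-2,cn=sudorules,cn=sudo,dc=example,dc=com
cn: admins_all

dn: idnsName=example.com.,cn=dns,dc=example,dc=com
idnsName: example.com.
"""
CONTAINERS = ["cn=hbac,dc=example,dc=com", "cn=sudo,dc=example,dc=com",
              "cn=dns,dc=example,dc=com"]
```

Feed the returned LDIF to `ldapadd -c` on the new server; `-c` continues past any entry that already exists, and the container objects themselves are deliberately left out because a fresh install already has them.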