[Freeipa-users] How to restore data to a fresh IPA reinstall from a CA-less replica

Sina Owolabi notify.sina at gmail.com
Tue May 26 07:42:08 UTC 2015


Thanks Martin.
Would upgrading both servers to 7.1 and then attempting a backup and
restore from the CA-less replica to the new master be a safe option? Would
this work better?

On Tue, May 26, 2015, 8:14 AM Martin Kosek <mkosek at redhat.com> wrote:

> On 05/26/2015 09:04 AM, Sina Owolabi wrote:
> > Hi Martin
> >
> > I actually mean restore. It's a complicated situation... There once was
> > a primary and its CA replica. The primary got hosed and was cloned a
> > few years ago from the replica. Then the replica got hosed a few times
> > too, saved by the "primary", only now it wouldn't install a CA during
> > replica setup. Now the cloned primary got hosed (it sees itself as a
> > clone and, being the only CA, has nowhere to go to renew certs). We
> > opted to reinstall a fresh primary and now we are looking for how to
> > copy existing data from the standing CA-less replica (everything is
> > the same: realms, DNS hosts, HBAC, sudo rules, etc.) to the freshly
> > installed CA primary.
>
> What do you mean by "hosed" replica? Do you know why it happened? This is
> obviously something that should not happen with FreeIPA, it being the
> backbone of the infrastructure.
>
> This is another reason why I think you should better build your
> infrastructure on RHEL-7.1; it has more Backup&Restore options
> (ipa-backup, ipa-restore):
>
> https://www.freeipa.org/page/Backup_and_Restore
>
> > This would be amazing if we could, or we'll have to set up the entire
> > network and rules from scratch. I would really appreciate some example
> > commands we could run to import data into the new primary. We've
> > already run db2bak and db2ldif on the replica to export, from a helpful
> > script we found in a thread.
> > I hope you can help us!
>
> If the realms are the same, I think db2ldif and then importing the LDIF
> can be very effective in restoring the DNS, HBAC, SUDO entries. You may
> just need to extract those from the LDIF and then ldapadd it to your
> server so that you do not overwrite other critical settings.
>
> As I wrote below, certificates or Kerberos keys cannot be that easily
> migrated and you would need to rebuild the keytabs when the services are
> created (ipa-getkeytab).
>
> I do not have any other specific scripts or examples at hand; maybe other
> users here have something.
>
> Martin
>
> >
> > On Tue, May 26, 2015, 7:42 AM Martin Kosek <mkosek at redhat.com
> > <mailto:mkosek at redhat.com>> wrote:
> >
> >     On 05/25/2015 05:46 PM, Sina Owolabi wrote:
> >      > Hi!
> >      >
> >      > Please how do I restore data to a freshly reinstalled IPA server
> >      > from an existing CA-less replica that has had replication
> >      > agreements removed?
> >
> >     By restore, you mean actually migrate? We have a pending RFE for
> >     this: https://fedorahosted.org/freeipa/ticket/3656
> >
> >     Migration of users/groups can be done via the migrate-ds command.
> >     Migration of SUDO/HBAC/automount/... can be done by LDIF export and
> >     import (with some changes: realms, etc.). But we have no automated
> >     way to migrate Kerberos keys or certificates as the underlying keys
> >     are different.
> >
> >      > Both servers are running rhel 6.6 with ipa-server versions 3.0.0
> >      > (For some reason the IPA servers do not upgrade beyond this
> >      > version).
> >
> >     If you want a higher version than FreeIPA 3.0.0, please use
> >     RHEL-7.x. RHEL-7.1 has FreeIPA 4.1, which is much cooler than
> >     3.0.0 :-) This is what we recommend for new deployments anyway.
> >
> >      > I have been searching for information from the RHEL knowledgebase
> >      > and from the FreeIPA site but I do not find information that
> >      > exactly matches my situation.
> >      >
> >      > I am grateful for any assistance in this.
> >      >
> >      > Thanks!
> >
> >     HTH,
> >     Martin
> >
>
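The extraction step Martin describes (pull only the DNS, HBAC and sudo subtrees out of the db2ldif export and ldapadd those, leaving the rest of the fresh server untouched), as an added example that is not code from this thread or from FreeIPA. It assumes the usual FreeIPA containers cn=dns, cn=hbac and cn=sudo under the realm suffix, a constructed sample export, and an assumed list of operational attributes to strip, which should be checked against the real export.

```python
import re

# db2ldif operational attributes that ldapadd would refuse (assumed list; extend as needed)
OPERATIONAL = {"nsuniqueid", "entryusn", "entryid", "parentid", "creatorsname",
               "modifiersname", "createtimestamp", "modifytimestamp"}

# Constructed sample resembling db2ldif output (not taken from the thread).
SAMPLE_LDIF = """dn: cn=hbac,dc=example,dc=com
objectClass: nsContainer
cn: hbac

dn: ipaUniqueID=0000-rule,cn=hbac,dc=example,dc=com
objectClass: ipahbacrule
cn: allow_ssh
description: SSH access for the
  admins group
entryusn: 42
modifyTimestamp: 20150526074208Z

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
objectClass: person
uid: alice
"""

def ipa_containers(suffix):
    """Assumed FreeIPA containers for DNS, HBAC and sudo under the realm suffix."""
    return ["cn=dns," + suffix, "cn=hbac," + suffix, "cn=sudo," + suffix]

def _records(ldif_text):
    """Yield each LDIF record as a list of unfolded lines (continuations joined)."""
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]            # folded continuation line
            elif not line.startswith("#"):
                lines.append(line)
        if lines and lines[0].lower().startswith("dn: "):   # skips 'version: 1'
            yield lines

def extract_subtrees(ldif_text, containers):
    """Keep entries at or below any container DN, dropping operational attrs."""
    wanted = [c.lower() for c in containers]
    kept = []
    for lines in _records(ldif_text):
        dn = lines[0][4:].strip().lower()        # plain 'dn:' only, not base64 'dn::'
        if any(dn == c or dn.endswith("," + c) for c in wanted):
            body = [ln for ln in lines[1:] if ln.split(":", 1)[0].lower() not in OPERATIONAL]
            kept.append("\n".join([lines[0]] + body))
    return kept
```

Join the returned entries with blank lines into a file and load it with `ldapadd -c -x -D "cn=Directory Manager" -W -f subset.ldif`; `-c` lets the load continue past containers that already exist on the freshly installed server.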