[Freeipa-users] Another CentOS 6.x to CentOS 7.1 migration question

Alexander Bokovoy abokovoy at redhat.com
Tue Sep 22 07:32:44 UTC 2015


On Tue, 22 Sep 2015, Martin Kosek wrote:
>On 09/22/2015 05:06 AM, Robert Story wrote:
>> I've followed the migration document
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>> almost to the end.
>>
>> I'm at step 10, which stops everything on the old . My concern is all
>> the installed servers that are pointing at the old system. That host name
>> is hardcoded in sssd.conf all over my network, and we rely on freeIPA for
>> centralized user management and ssh keys.
>>
>> My original system was auth.example, and the new one is auth-2.example. Is
>> it safe to make auth.example a CNAME to auth-2.example? Or will something
>> somewhere break if the IP address changes (and is pointing at a newer
>> version of freeIPA)?
>
>I wouldn't be too afraid of the IP address change, but rather the CNAME itself
>and Kerberos authentication against the CNAME'ed old FreeIPA server. But I
>think Alexander had some ideas how to make such setups work.
Yes, for this specific use case you can make auth.example a CNAME to
auth-2.example. On the Kerberos level all systems will be asking for tickets
to an A record behind the CNAME, so they will get a correct ticket to
the service.

>As for the clients, if you use DNS SRV records, you should be fine, even if the
>original server is listed in sssd.conf - well, as long as its server list also
>has "_srv_" in it which ipa-client-install adds if DNS SRV check passes.
Correct.

-- 
/ Alexander Bokovoy
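
An added example, not part of the original thread: a small audit that reads an sssd.conf and reports, per IPA domain, whether the server list contains "_srv_" or depends only on the old host name (and so on the CNAME). It assumes the server list is the `ipa_server` option of a `[domain/...]` section; the sample configuration and the status labels are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf (not taken from the thread's systems).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example, lab.example

[domain/example]
id_provider = ipa
ipa_server = _srv_, auth.example

[domain/lab.example]
id_provider = ipa
ipa_server = auth.example
"""


def audit_ipa_servers(conf_text, old_host):
    """Classify each IPA domain section by how it locates its server."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parser.get(section, "id_provider", fallback="").strip() != "ipa":
            continue
        raw = parser.get(section, "ipa_server", fallback="")
        servers = [s.strip().lower() for s in raw.split(",") if s.strip()]
        if "_srv_" in servers:
            status = "srv-discovery"        # DNS SRV lookup is in the list
        elif old_host.lower() in servers:
            status = "pinned-to-old-host"   # relies on the CNAME alone
        elif servers:
            status = "static-list"          # fixed hosts, old one not among them
        else:
            status = "unset"                # no ipa_server line in this section
        findings[section[len("domain/"):]] = status
    return findings


if __name__ == "__main__":
    for domain, status in audit_ipa_servers(SAMPLE_SSSD_CONF, "auth.example").items():
        print(f"{domain}: {status}")
```

Hosts reported as "pinned-to-old-host" are the ones to check first after the old server is stopped, since they reach the new server only through the CNAME.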



