[Freeipa-users] Migrate users with password from one IPA to another

Rene Trippen rene.trippen at mailbox.org
Tue Aug 30 23:12:14 UTC 2016


On 25.08.2016 19:44, Rob Crittenden wrote:
> Rene Trippen wrote:
>> Hi,
>>
>> I've got an IPA with a broken CA infrastructure (don't know what
>> happened, but new clients cannot be registered).
>> It is not even possible to set up a new replica.
>
> It may be fairly straightforward to get the CA back up. How is it
> broken?
>
I don't know how that happened exactly. We had an IPA 3.x server, then 
we migrated it to another machine and upgraded to IPA 4.1; later, we 
upgraded (on the same machine) to IPA 4.2.
The IPA server is basically working, but when I want to register a new 
machine, the registration process fails with the following error (I 
think these are the relevant lines):

2016-08-30T22:40:25Z DEBUG flushing ldap://ipa.internal.domain:389 from 
SchemaCache
2016-08-30T22:40:25Z DEBUG retrieving schema for SchemaCache 
url=ldap://ipa.internal.domain:389 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x375d5a8>
2016-08-30T22:40:26Z DEBUG Adding CA certificates to the IPA NSS database.
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' 
'/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=0
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' 
'/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=255
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=certutil: could not add certificate to 
token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to 
database.

2016-08-30T22:40:26Z ERROR Failed to add INTERNAL.DOMAIN IPA CA to the 
IPA NSS database.
2016-08-30T22:40:26Z ERROR Installation failed. Rolling back changes.


The client tries to add 2 certificates, but fails with the second. I 
think it is because we have 2 CA certificates (one from the old IPA 3.x 
server and one from the new 4.x server). My current workaround is to 
register the client with an IPA 3.x client, then upgrade it to the 
4.x client.

I've tried many ways to set up a new CA:
- tried ipa-cacert-manage renew
- tried to set up a new replica with a new CA, but the setup failed with 
the same problems described above
- tried to remove all old certificates referring to the old IPA server 
(but I think I failed somewhere)

My thoughts are that the CA is in a bad condition, and I spent much time 
trying to fix it, with no success. And my fear is that if I find some 
crude, undocumented workaround for the CA problem, the problem may pop 
up again at the next update. So, setting up a fresh IPA and migrating 
everything (except the clients) was my hope to get an IPA running 
without all the CA problems. Migrating the clients is not the problem, 
that can be done by script (Spacewalk or Ansible), but migrating the 
users is not that easy, because the users cannot be scripted :)


>> So, I wanted to set up a new IPA server with a new CA, and I want to move
>> all users with their passwords to the new IPA instance.
>> I've tried with 'ipa migrate-ds'
>>
>> ipa migrate-ds --continue --bind-dn="cn=Directory Manager"
>> --user-container=cn=users,cn=accounts
>> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>> --group-overwrite-gid --with-compat ldap://<ldapserver>
>>
>> The output is OK
>> =======
>> Passwords have been migrated in pre-hashed format.
>> IPA is unable to generate Kerberos keys unless provided
>> with clear text passwords. All migrated users need to
>> login at https://your.domain/ipa/migration/ before they
>> can use their Kerberos accounts.
>> ========
>>
>> But the ipa/migration website is not working for me.
>> Anyway, is there a way to export the users with passwords? I think I
>> have to export some Kerberos-specific stuff from the old IPA?
>
> The log file /var/log/httpd/error_log may have details on what isn't
> working.

Sorry, that was not clearly described:

The site is basically working, but when I enter the password, nothing 
happens in the backend (I cannot log in with my user on the IPA login 
site).

- rene

>
> The way to export users with passwords is the method you've already
> tried. To not have to change a password at all would require the same
> Kerberos master key and these are generated randomly at install time.
>
> rob
>
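Rob's point above is the crux: migrate-ds copies the pre-hashed userPassword, but Kerberos keys cannot be derived from a hash, so each user must bind once through /ipa/migration/ with the clear-text password before a krbPrincipalKey exists on the new server. When that page misbehaves, as in this thread, a practitioner wants to know which users have actually completed the step. The following script is an added example and is not part of the original thread or of FreeIPA itself. It parses an LDIF export of the new server's user container (taken, for instance, with ldapsearch bound as cn=Directory Manager, since userPassword and krbPrincipalKey are not returned to ordinary binds) and reports who still lacks a Kerberos key and which hash scheme their migrated password uses. The LDIF sample embedded below is constructed for illustration; the DNs, uids and hash values are not real. Treat a real export as a credential dump: keep it on the server and delete it when done.

```python
"""Report which migrated IPA users still have no Kerberos keys.

Added example, not FreeIPA code. Reads an LDIF export such as:

  ldapsearch -D "cn=Directory Manager" -W -LLL \
      -b cn=users,cn=accounts,dc=internal,dc=domain \
      "(objectClass=posixaccount)" uid objectClass userPassword krbPrincipalKey

After `ipa migrate-ds`, users have a userPassword hash but no krbPrincipalKey
until they log in once at https://<server>/ipa/migration/.
"""
import base64
import re
from typing import Dict, List

# attribute name, ':' or '::' (base64), optional single space, value
LDIF_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?)\s?(.*)$")

# Constructed sample export; every value here is made up for the example.
SAMPLE_LDIF = """\
# constructed sample, not real data
dn: uid=alice,cn=users,cn=accounts,dc=internal,dc=domain
objectClass: posixaccount
objectClass: krbprincipalaux
uid: alice
userPassword: {SSHA}Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==
krbPrincipalKey:: MIGkoAMCAQGhAwIBAaIDAgEBowMCAQGkgZAwgY0wTKAHMAWgAwIBAKFBMD+gAwIBEqE4BDbf

dn: uid=bob,cn=users,cn=accounts,dc=internal,dc=domain
objectClass: posixaccount
uid: bob
userPassword:: e1NTSEF9YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=

dn: uid=carol,cn=users,cn=accounts,dc=internal,dc=domain
objectClass: posixaccount
uid: carol
userPassword: {PBKDF2_SHA256}AAAIAMN4
 mGdfolded

dn: uid=dave,cn=users,cn=accounts,dc=internal,dc=domain
objectClass: posixaccount
uid: dave
"""


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Parse LDIF into a list of entries; attribute names are lowercased,
    values are bytes (base64 '::' values are decoded, others UTF-8 encoded)."""
    unfolded: List[str] = []
    for line in text.splitlines():
        # a line starting with one space continues the previous line
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in unfolded:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # comment
            continue
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, raw = m.groups()
        value = base64.b64decode(raw) if sep == "::" else raw.encode("utf-8")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(userpassword: bytes) -> str:
    """Return the {SCHEME} prefix of a stored password hash, e.g. 'SSHA'."""
    m = re.match(rb"\{([^}]+)\}", userpassword)
    return m.group(1).decode() if m else "unknown"


def migration_status(entries) -> Dict[str, str]:
    """Map uid -> 'ok' | 'needs-migration-login' | 'no-password'."""
    status: Dict[str, str] = {}
    for e in entries:
        classes = {v.lower() for v in e.get("objectclass", [])}
        if b"posixaccount" not in classes:
            continue                  # skip containers and non-user entries
        uid = e["uid"][0].decode()
        if "krbprincipalkey" in e:
            status[uid] = "ok"        # Kerberos keys exist, login done
        elif "userpassword" in e:
            status[uid] = "needs-migration-login"
        else:
            status[uid] = "no-password"
    return status


def pending_schemes(entries) -> Dict[str, str]:
    """uid -> hash scheme for users who still have to do the migration login."""
    by_uid = {e["uid"][0].decode(): e for e in entries if "uid" in e}
    return {uid: password_scheme(by_uid[uid]["userpassword"][0])
            for uid, st in migration_status(entries).items()
            if st == "needs-migration-login"}


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for uid, st in sorted(migration_status(parsed).items()):
        print(f"{uid:10} {st}")
    print("pending:", pending_schemes(parsed))
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; a user who shows "needs-migration-login" long after the cut-over has either not tried the migration page or, as in this thread, the page is not completing the bind, which is then what to chase in /var/log/httpd/error_log and the 389-ds access log.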