[Freeipa-users] FreeIPA 3 to FreeIPA 4 migration and Kerberos realm is a forwarded zone

Michael Plemmons michael.plemmons at crosschx.com
Fri Nov 18 19:00:32 UTC 2016


Hello,

My existing FreeIPA 3.0 (CentOS 6) setup is as follows:

Kerberos Realm: test.com
I have several DNS zones
test.com
dev.test.com
stage.test.com
qa.test.com
prod.test.com
mgmt.test.com

ipa01.mgmt.test.com - FreeIPA 3.0 Master
ipa02.mgmt.test.com - FreeIPA 3.0 Replica

The FreeIPA servers actually reside in mgmt.test.com.  test.com in FreeIPA
3 has forwarding DNS servers configured.

We are going to move to FreeIPA 4.2 (CentOS 7) and here is the path I have
tested that appears to work.

I followed this guide.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html


1. Create an IPA 4 server (ipa03.mgmt.test.com) that is a replica of the IPA 3
   master server (ipa01.mgmt.test.com)
2. Remove replica agreement for ipa02.mgmt.test.com on IPA 3 master
   (ipa01.mgmt.test.com)
3. Shut down ipa02.mgmt.test.com to prep for an IPA 4 server to take its place
4. Build a new server and install IPA 4 server that will become a new
   ipa02.mgmt.test.com
5. Make ipa02.mgmt.test.com a replica of ipa03.mgmt.test.com
6. Make ipa02.mgmt.test.com the master CRL server instead of
   ipa01.mgmt.test.com
7. Shut down ipa01.mgmt.test.com to prep for an IPA 4 server to take its place
8. Build a new server and install IPA 4 server that will become a new
   ipa01.mgmt.test.com
9. Make ipa01.mgmt.test.com a replica of ipa02.mgmt.test.com

The reason for removing old servers to take the place of new servers is so
that I can reuse the IP addresses and do not need to change DNS entries on
any client.

The problem occurs when I realize that the test.com zone needs to be a
forwarded zone in IPA 4 but in IPA 3 it is a normal DNS zone and I need to
have test.com be a forwarded zone.  In IPA 3 there is no entry for
ipa-ca.test.com but I do see it in IPA 4.  In my testing I have removed the
test.com zone and made it a forwarding zone but that removes the entry for
ipa-ca.test.com as well as all the test.com Kerberos entries.

What I do not know is what did I break when I removed test.com since it is
the Kerberos realm.  It appears that replication between the servers still
works and I was able to add an IPA 4 client server without issue.  We plan
on using certs generated from IPA 4 for OpenVPN but I do not have enough
information to know if the removal of the test.com zone will break that
certificate validation and revocation since the ipa-ca.test.com DNS entry
no longer exists.

I believe where I went wrong was that I should have setup mgmt.test.com as
the Kerberos realm rather than test.com and I would not have the questions
I do now.

Thank you for your help.

*Mike Plemmons | Senior DevOps Engineer*
614-741-5475
mike.plemmons at crosschx.com
www.crosschx.com
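The DNS check below is an added example for this thread; it is not code from the original post or from the FreeIPA project. It assumes the realm is TEST.COM (domain test.com), that the two IPA 4 servers ipa02 and ipa03 in mgmt.test.com both run a CA at the constructed addresses 10.10.0.2 and 10.10.0.3, and that certificates issued by IPA 4 carry the default CRL distribution point http://ipa-ca.test.com/ipa/crl/MasterCRL.bin (the OCSP URL uses the same ipa-ca host). Once test.com is a forward zone, the records IPA used to create there (ipa-ca A, the _kerberos/_kpasswd/_ldap SRV records, the _kerberos TXT record) have to be served by the DNS server IPA forwards to. The script parses `dig +noall +answer` output for those names and reports anything a client or a certificate validator would miss; the dig output embedded here is constructed so that two problems show up.

```python
"""Sanity-check the DNS records a FreeIPA realm depends on after its domain
zone (here test.com) is moved out of IPA and served as a forward zone.

Example code added to this thread; it is not part of FreeIPA.  Host names,
addresses, the realm TEST.COM and the dig output below are constructed.
To run it for real, replace SAMPLE_ANSWERS with the output of
  dig @<forwarder> +noall +answer <owner> <type> [<owner> <type> ...]
for the owner names checked below.
"""
from urllib.parse import urlparse

# Constructed sample: the ipa-ca record lists only one of the two CA servers
# and the _ldap._tcp SRV record is missing, to show what the checker reports.
SAMPLE_ANSWERS = """\
ipa-ca.test.com.                86400 IN A   10.10.0.2
_kerberos._udp.test.com.        86400 IN SRV 0 100 88 ipa02.mgmt.test.com.
_kerberos._udp.test.com.        86400 IN SRV 0 100 88 ipa03.mgmt.test.com.
_kerberos._tcp.test.com.        86400 IN SRV 0 100 88 ipa02.mgmt.test.com.
_kerberos._tcp.test.com.        86400 IN SRV 0 100 88 ipa03.mgmt.test.com.
_kerberos-master._udp.test.com. 86400 IN SRV 0 100 88 ipa02.mgmt.test.com.
_kerberos-master._tcp.test.com. 86400 IN SRV 0 100 88 ipa02.mgmt.test.com.
_kpasswd._udp.test.com.         86400 IN SRV 0 100 464 ipa02.mgmt.test.com.
_kpasswd._tcp.test.com.         86400 IN SRV 0 100 464 ipa02.mgmt.test.com.
_kerberos.test.com.             86400 IN TXT "TEST.COM"
"""

# Constructed deployment: every IPA server and which of them run a CA.
IPA_SERVERS = {"ipa02.mgmt.test.com": "10.10.0.2",
               "ipa03.mgmt.test.com": "10.10.0.3"}
CA_SERVERS = {"ipa02.mgmt.test.com", "ipa03.mgmt.test.com"}

# SRV owner names (relative to the domain) that FreeIPA publishes in the
# realm's domain zone and that ipa-client-install / SSSD discovery rely on.
REQUIRED_SRV = ("_kerberos._udp", "_kerberos._tcp",
                "_kerberos-master._udp", "_kerberos-master._tcp",
                "_kpasswd._udp", "_kpasswd._tcp", "_ldap._tcp")


def parse_answers(text):
    """Parse `dig +noall +answer` lines into {(owner, type): [rdata, ...]}.
    Owner names are lower-cased with the trailing dot removed."""
    records = {}
    for line in text.splitlines():
        fields = line.split(None, 4)          # owner ttl class type rdata
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        key = (fields[0].lower().rstrip("."), fields[3].upper())
        records.setdefault(key, []).append(fields[4].strip())
    return records


def check_realm_dns(records, domain, realm, ipa_servers, ca_servers,
                    crl_url=None):
    """Return a list of problems; an empty list means the zone carries
    everything IPA clients and certificate validators expect."""
    crl_url = crl_url or f"http://ipa-ca.{domain}/ipa/crl/MasterCRL.bin"
    problems = []

    # 1. The host named in the CRL distribution point must resolve to every
    #    CA server and to nothing else; a stale address here sends CRL and
    #    OCSP fetches to a server that was shut down during the migration.
    crl_host = urlparse(crl_url).hostname.lower()
    have = set(records.get((crl_host, "A"), []))
    want = {ipa_servers[h] for h in ca_servers}
    for ip in sorted(want - have):
        problems.append(f"{crl_host} A record lacks CA server {ip}")
    for ip in sorted(have - want):
        problems.append(f"{crl_host} A record points at non-CA address {ip}")

    # 2. Kerberos and LDAP SRV records must exist and target only IPA servers.
    for rel in REQUIRED_SRV:
        owner = f"{rel}.{domain}"
        targets = {r.split()[-1].rstrip(".").lower()
                   for r in records.get((owner, "SRV"), [])}
        if not targets:
            problems.append(f"missing SRV record {owner}")
        for t in sorted(targets - set(ipa_servers)):
            problems.append(f"{owner} SRV target {t} is not an IPA server")

    # 3. The _kerberos TXT record announces the realm for dns_lookup_realm.
    txt = {r.strip('"').upper()
           for r in records.get((f"_kerberos.{domain}", "TXT"), [])}
    if realm.upper() not in txt:
        problems.append(f"_kerberos.{domain} TXT does not name realm {realm}")
    return problems


def run_sample():
    """Run the checker over the constructed sample above."""
    return check_realm_dns(parse_answers(SAMPLE_ANSWERS), "test.com",
                           "TEST.COM", IPA_SERVERS, CA_SERVERS)


if __name__ == "__main__":
    for problem in run_sample():
        print("PROBLEM:", problem)
```

Run against the constructed answers it reports that ipa-ca.test.com lacks 10.10.0.3 and that _ldap._tcp.test.com is missing; adding those two records to the input makes the list empty. In a real migration the same check, fed from a query against the forwarder, tells you whether the records IPA 3 used to serve for test.com were recreated on the external server before the old masters are shut down.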