[Freeipa-users] Migrate users with password from one IPA to another

Rene Trippen rene.trippen at gmail.com
Fri Sep 2 09:39:00 UTC 2016


Hi,

is it possible to transfer the Kerberos Master Key to the new IPA Server?

- rene

On 31.08.2016 10:57, Rene Trippen wrote:
> On 25.08.2016 19:44, Rob Crittenden wrote:
>> Rene Trippen wrote:
>>> Hi,
>>>
>>> I've got an IPA with a broken CA infrastructure (don't know what
>>> happened, but new clients cannot be registered).
>>> It is not even possible to set up a new replica.
>>
>> It may be fairly straightforward to get the CA back up. How is it
>> broken?
>>
> I don't know how that happened exactly. We had an IPA 3.x Server, then 
> we migrated it to another machine and upgraded to IPA 4.1; later, we 
> upgraded (on the same machine) to IPA 4.2.
> The IPA Server is basically working, but when I want to register a new 
> machine, the registration process fails with the following error (I 
> think these are the relevant lines):
>
> 2016-08-30T22:40:25Z DEBUG flushing ldap://ipa.internal.domain:389 
> from SchemaCache
> 2016-08-30T22:40:25Z DEBUG retrieving schema for SchemaCache 
> url=ldap://ipa.internal.domain:389 
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x375d5a8>
> 2016-08-30T22:40:26Z DEBUG Adding CA certificates to the IPA NSS 
> database.
> 2016-08-30T22:40:26Z DEBUG Starting external process
> 2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' 
> '/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
> 2016-08-30T22:40:26Z DEBUG Process finished, return code=0
> 2016-08-30T22:40:26Z DEBUG stdout=
> 2016-08-30T22:40:26Z DEBUG stderr=
> 2016-08-30T22:40:26Z DEBUG Starting external process
> 2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' 
> '/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
> 2016-08-30T22:40:26Z DEBUG Process finished, return code=255
> 2016-08-30T22:40:26Z DEBUG stdout=
> 2016-08-30T22:40:26Z DEBUG stderr=certutil: could not add certificate 
> to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate 
> to database.
>
> 2016-08-30T22:40:26Z ERROR Failed to add INTERNAL.DOMAIN IPA CA to the 
> IPA NSS database.
> 2016-08-30T22:40:26Z ERROR Installation failed. Rolling back changes.
>
>
> The client tries to add 2 certificates, but fails with the second. I 
> think it is because we have 2 CA certificates (one from the old IPA 
> 3.x server and one from the new 4.x server). My current workaround is 
> to register the client with an ipa 3.x client, then I do an upgrade to 
> the 4.x client.
>
> I've tried many ways to set up a new CA:
> - tried ipa-cacert-manage renew
> - tried to set up a new replica with a new CA, but the setup failed with 
> the same problems described above
> - tried to remove all old certificates referring to the old ipa server 
> (but I think I failed somewhere)
>
> My thoughts are that the CA is in a bad condition, and I have spent much 
> time trying to fix it, with no success. And my fear is that if I find 
> some crude, not documented workaround for the CA problem, the problem 
> may pop up again at the next update. So, setting up a fresh IPA and 
> migrating everything (except the clients) was my hope to get an IPA 
> running without all the CA problems. Migrating the clients is not the 
> problem, that can be done by script (spacewalk or ansible), but 
> migrating the users is not that easy, because the users cannot be 
> scripted :)
>
>
>>> So, I wanted to set up a new IPA Server with a new CA, and I want to move
>>> all users with their passwords to the new IPA instance.
>>> I've tried with 'ipa migrate-ds'
>>>
>>> ipa migrate-ds --continue --bind-dn="cn=Directory Manager"
>>> --user-container=cn=users,cn=accounts
>>> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>>> --group-overwrite-gid --with-compat ldap://<ldapserver>
>>>
>>> The output is OK
>>> =======
>>> Passwords have been migrated in pre-hashed format.
>>> IPA is unable to generate Kerberos keys unless provided
>>> with clear text passwords. All migrated users need to
>>> login at https://your.domain/ipa/migration/ before they
>>> can use their Kerberos accounts.
>>> ========
>>>
>>> But the ipa/migration website is not working for me.
>>> Anyway, is there a way to export the users with passwords? I think I
>>> have to export some Kerberos-specific stuff from the old IPA?
>>
>> The log file /var/log/httpd/error_log may have details on what isn't
>> working.
>
> Sorry, that was not clearly described:
>
> The site is basically working, but when I enter the password, nothing 
> happens in the backend (I cannot login with my user on the ipa login 
> site).
>
> - rene
>
>>
>> The way to export users with passwords is the method you've already
>> tried. Not having to change a password at all would require the same
>> Kerberos master key, and these are generated randomly at install time.
>>
>> rob
>>
>
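As an added illustration of the migrate-ds behaviour discussed above (this is not code from the thread or from FreeIPA itself): after migration each user entry holds the pre-hashed userPassword but no krbPrincipalKey until that user authenticates once at the /ipa/migration/ page, so an administrator can audit who still has to do that by searching the user container for entries with a password hash but no Kerberos keys. The LDIF below is a constructed sample of what such an ldapsearch returns; the attribute names are real FreeIPA schema, the entries and the base DN dc=example,dc=test are made up.

```python
"""Audit which migrated FreeIPA users still lack Kerberos keys.

Live equivalent (run as Directory Manager, since krbPrincipalKey is not
readable by ordinary binds; base DN is a placeholder):
  ldapsearch -x -D "cn=Directory Manager" -W \
    -b cn=users,cn=accounts,dc=example,dc=test \
    '(&(objectClass=posixAccount)(!(krbPrincipalKey=*)))' uid userPassword
"""
import base64

# Constructed sample: alice has logged in via /ipa/migration/ (keys present),
# bob has only the migrated hash, carol has no password at all.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
objectClass: posixaccount
userPassword:: e1NTSEF9ZmFrZS1oYXNo
krbPrincipalKey:: AAAAAQAAAAEAAAA
 AAAAAAAAA

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
objectClass: posixaccount
userPassword:: e1NTSEF9ZmFrZS1oYXNo

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
objectClass: posixaccount
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lowercase: [values]} dict per entry."""
    lines = []
    for raw in text.splitlines():  # unfold RFC 2849 continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>" (binary / hashed values)
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def migration_status(entries):
    """Map uid -> 'ready' (Kerberos keys), 'needs_login' (hash only) or 'no_password'."""
    status = {}
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        if "krbprincipalkey" in e:
            status[uid] = "ready"
        elif "userpassword" in e:
            status[uid] = "needs_login"
        else:
            status[uid] = "no_password"
    return status


def pending_users(entries):
    """Users who still have to authenticate at /ipa/migration/ to get keys."""
    return sorted(u for u, s in migration_status(entries).items() if s == "needs_login")


if __name__ == "__main__":
    for uid, state in migration_status(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{uid}: {state}")
```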