On 18-12-18 17:50, Florence Blanc-Renaud wrote:
> On 12/17/18 1:40 PM, Kees Bakker via FreeIPA-users wrote:
>> Hello,
>>
>> I want to move my IPA master to new hardware, but IPA does not
>> want to start on that new hardware.
>>
>> /var/log/krb5kdc.log shows:
>> krb5kdc: Server error - while fetching master key K/M for realm GHS.NL
>>
>> And then of course the rest of FreeIPA is not working either.
>>
>> I've basically copied the whole disk using rsync, and tweaked
>> some things like ifcfg and fstab.
>>
>> The rsync command needs --numeric-ids, but other than that nothing
>> else is needed, I think.
>> rsync -ai -x --delete --numeric-ids oldmaster:/oldroot/ /croot/
>>
>> Also force a relabeling for SELINUX
>> touch /croot/.autorelabel
>>
>> It boots alright, but IPA isn't started properly.
>>
>> Can someone shed some light on this? Does krb5kdc depend on its hardware?
>> Is there documentation how to move an IPA master to other hardware?
>>
> Hi,
>
> you can have a look at the ipa-backup / ipa-restore commands [1]. The
> limitations are that you need to restore on a server with the same IPA
> version and with the same hostname.

Yes, I looked at that document. However, I was hoping to just do a "simple"
file system copy. Well, it turned out to not be so simple.

>
> If you have a spare machine you can also use replication, and create a
> replica of your current master with all the needed services (CA, KRA, DNS if
> needed).
> If you really need to keep the same hostname, then you will need a spare
> machine:
> 1. create serverB as a replica of serverA on your spare machine. Do not
> forget to promote serverB as CA renewal master and CRL master [2].
> 2. decommission serverA with (on serverA) ipa-server-install --uninstall and
> (on serverB) ipa-replica-manage del serverA --clean
> 3. provision your new hardware with hostname=serverA, install serverA as a
> replica of serverB.
> I would advise to keep serverB as it will provide redundancy.
>
> This wiki [3] also explains the preferred paths depending on your situation.

I have read that document too. First I want to give it another try. If it
fails again I will follow the advice described above.

Thanks for your help.

> HTH,
> flo
>
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#backup-restore
> [2] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> [3] https://www.freeipa.org/page/Backup_and_Restore
