sharmaji a via FreeIPA-users wrote:
> Hi FreeIPA team,
> 
> I'm verifying the FreeIPA backup/restore process.
> 
> In our lab environment, FreeIPA 4.5.0 was running fine with a single instance.
> I took the backup and shut down the VM.
> I created a fresh CentOS 7 VM, installed IPA server 4.6.8 and did a restore of
> the "data only" backup. The FQDN and IP address are the same as on the old VM.
> After a little troubleshooting, all services are working fine. I can see all
> users & hosts - all good.
> 
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> Now, from the existing client side, I did ipa-client-install --uninstall, but
> when I do
> ipa-client-install --domain example.com --realm EXAMPLE.COM, I get the
> error below:
> 
> Joining realm failed: libcurl failed to execute the HTTP POST transaction, 
> explaining:  You are attempting to import a cert with the same issuer/serial 
> as an existing cert, but that is not the same cert.
> 
> I tried on a fresh client, but domain joining is still failing with the same
> error.
> 
> Any suggestions?
> 
> Also, if someone can share a good document for the backup/restore process where
> the backup is restored on a completely new & fresh system, it will be highly
> appreciated.

You don't want to use data-only on a fresh install. You want to do a
full ipa-restore. The underlying installation is going to have certs,
keytabs, etc. issued now with a different backend.

It is technically possible but involves stripping out any Kerberos key
material and certificates.

What is the purpose of doing this?

I'll also add that restore should be strictly reserved for catastrophic
failures. It is itself a destructive act.

rob