Me too. +1 for ipa to ipa migration.

Martin Kosek <mko...@redhat.com> wrote:
>On 05/24/2013 03:34 PM, Simo Sorce wrote:
>> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>>> Greetings,
>>>
>>> I was told to bring my issue to this distribution.
>>>
>>> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>>> Authentication server. After a month of headaches I finally got it
>>> to work - Then I realized it would be a monster to maintain. Then a
>>> peer asked me to have a look at FreeIPA. Wow. Installed it - was
>>> amazed. Runs great. We love it.
>>>
>>> ...A few days ago, I was notified I have to change my domain/REALM in
>>> FreeIPA. I read the manual, google searches ... crickets. I hear
>>> crickets. I started spitting blood in the trash can.
>>>
>>> I joined a forum and asked for any information, and I was pointed
>>> here....so...here goes...
>>>
>>>
>>> My Current Configuration
>>>
>>> - We have two (2) servers. Both are installed with
>>>   ipa-server-3.0.0-26.el6_4.2.x86_64.
>>>   One is a replica server.
>>>
>>>   Domain: my.network.domain
>>>   Realm: MY.NETWORK.DOMAIN
>>>
>>>
>>> New Proposed Configuration
>>>
>>>   Domain: my.local.network.domain
>>>   Realm: MY.LOCAL.NETWORK.DOMAIN
>>>
>>>
>>> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>>> does everything under the hood for you, and the horror is that it
>>> does everything under the hood for you! There seem to be so many
>>> tentacles with KERBEROS that I am afraid of jacking something up.
>>>
>>> Now, I have written a script that uses ipa to create all of my users -
>>> except the passwords. So, what I was thinking is to shut down the
>>> replica server, re-kick it, re-install FreeIPA with the new
>>> domain/REALM and then run my deploy users script. It would be my new
>>> master. But then I would have to have "each" user log in and change
>>> their password. Then take the second server and make it the replica.
>>>
>>> Question #1: Is this a stupid idea.... Is there a way (documented or
>>> not) that I can simply change my domain/REALM?
>>> Am I making this too hard?
>>>
>>> Question #2: Is there a way to backup the users passwords and then
>>> after I re-kick, install ipa and create my users ... I
>>> can simply "import" this information into the new
>>> ipa instance.
>>>
>>> Any and all suggestions are greatly appreciated...
>>
>> I would look at the migration pages. You can probably use migration mode
>> to migrate user data from one FreeIPA install to the other and then the
>> migration mode of sssd to validate and recompute the kerberos keys.
>>
>>
>> See this for some guidance:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>>
>> Simo.
>>
>
>Simo, on a side note - I am thinking, would it make sense to create a new
>command "ipa migrate-ipa" which would migrate data from other IPA
>installation?
>I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
>
>I came across several user cases where creating a replica was not an
>option and migration like this would have been beneficial.
>
>Martin
>
>_______________________________________________
>Freeipa-users mailing list
>Freeipa-users@redhat.com
>https://www.redhat.com/mailman/listinfo/freeipa-users

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.