Sigbjorn Lie wrote:
Me too. +1 for ipa to ipa migration.

I filed a ticket to track this,


Martin Kosek <> wrote:

On 05/24/2013 03:34 PM, Simo Sorce wrote:
On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:

I was told to bring my issue to this distribution.

Six months or so ago I was tasked with setting up a Kerberos/LDAP
Authentication server.  After a
month of headaches I finally got it to work - Then I relaized it
be a monster to maintain.  Then a
peer asked me to have a look at FreeIPA. Wow.  Installed it - was
amazed.  Runs great.  We love it.

...A few days ago, I was notified I have to change my domain/REALM
FreeIPA.  I read the manual,
google searches ... crickets.  I hear crickets.  I started spitting
blood in the trash can.

I joined a forum and asked for any information, and I was pointed goes...

My Current Configuration

- We have two (2) servers.  Both are installed with
   One is a replica server.


New Proposed Configuration


Sounds easy - but the paradox is ... the beauty of FreeIPA is that
does everything under the hood for you,
and the horror is that it does everything under the hood for you!
There seem to be so many tentacles with
KERBEROS that I am afraid of jacking something up.

Now, I have written a script that uses ipa to create all of my users
except the passwords.  So, what I was thinking
is to shut down the replica server, re-kick it, re-install FreeIPA
with the new domain/REALM and then run my deploy
users script.  It would be my new master.  But then I would have to
have "each" user log in and change their password.
Then take the second server and make it the replica.

Question #1:  Is this a stupid idea....  Is there a way (documented
not) that I can simply change my domain/REALM?
                     Am I making this too hard?

Question #2: Is there a way to backup the users passwords and then
after I re-kick, install ipa and create my users ... I
                    can simply "import" this information into the new
ipa instance.

Any and all suggestions are greatly appreciated...

I would look at the migration pages. You can probably use migration
to migrate user data from one FreeIPa install to the other and then
migration mode of sssd to validate and recompute the kerberos keys.

See this for some guidance:


Simo, on a side note - I am thinking, would it make sense to create a
command "ipa migrate-ipa" which would migrate data from other IPA
I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?

I came across several user cases where creating a replica was not an
option and
migration like this would have been beneficial.

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to