Sigbjorn Lie wrote:
Me too. +1 for ipa to ipa migration.

I filed a ticket to track this, https://fedorahosted.org/freeipa/ticket/3656

rob


Martin Kosek <mko...@redhat.com> wrote:

On 05/24/2013 03:34 PM, Simo Sorce wrote:
On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
Greetings,

I was told to bring my issue to this distribution.

Six months or so ago I was tasked with setting up a Kerberos/LDAP
Authentication server.  After a month of headaches I finally got it to
work - Then I realized it would be a monster to maintain.  Then a peer
asked me to have a look at FreeIPA. Wow.  Installed it - was amazed.
Runs great.  We love it.

...A few days ago, I was notified I have to change my domain/REALM in
FreeIPA.  I read the manual, google searches ... crickets.  I hear
crickets.  I started spitting blood in the trash can.

I joined a forum and asked for any information, and I was pointed
here....so...here goes...


My Current Configuration

- We have two (2) servers.  Both are installed with
ipa-server-3.0.0-26.el6_4.2.x86_64.
   One is a replica server.

Domain:  my.network.domain
Realm:    MY.NETWORK.DOMAIN


New Proposed Configuration

Domain: my.local.network.domain
Realm: MY.LOCAL.NETWORK.DOMAIN



Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
does everything under the hood for you, and the horror is that it does
everything under the hood for you!  There seem to be so many tentacles
with KERBEROS that I am afraid of jacking something up.

Now, I have written a script that uses ipa to create all of my users -
except the passwords.  So, what I was thinking is to shut down the
replica server, re-kick it, re-install FreeIPA with the new domain/REALM
and then run my deploy users script.  It would be my new master.  But
then I would have to have "each" user log in and change their password.
Then take the second server and make it the replica.

Question #1:  Is this a stupid idea....  Is there a way (documented or
not) that I can simply change my domain/REALM?  Am I making this too
hard?

Question #2: Is there a way to backup the users passwords and then after
I re-kick, install ipa and create my users ... I can simply "import"
this information into the new ipa instance.

Any and all suggestions are greatly appreciated...

I would look at the migration pages. You can probably use migration mode
to migrate user data from one FreeIPA install to the other and then the
migration mode of sssd to validate and recompute the kerberos keys.


See this for some guidance:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html

Simo.


Simo, on a side note - I am thinking, would it make sense to create a
new command "ipa migrate-ipa" which would migrate data from other IPA
installation? I.e. it would migrate users, groups, hosts, sudo, hbac,
automount, etc?

I came across several user cases where creating a replica was not an
option and migration like this would have been beneficial.

Martin
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

