On 05/24/2013 01:32 PM, Loris Santamaria wrote:
> That tool would be great!
>
> For now if you are in a hurry you could dump your current domain to with
> db2ldif, change suffixes, domain name, realm name on the ldif file the
> load what you need on the new domain with ldapadd. Some extra advice:
>
>  - AFAIK you can't migrate kerberos keys, so just keep the
> krbPrincipalName of the users/services/hosts, and ignore the rest of the
> krb* attributes. Change the realm name in the krbPrincipalname
> attributes
>
>  - certs are a grey area, the old ones will still be valid, you should
> consider if you will need them or not
>
>  - Don't mess with the cn=kerberos and cn=etc containers in the new
> domain 
>
>  - You should join manually the hosts to the new domain and issue new
> services keytabs. This is the most tedious and error prone part.

Yes but this is where presumably OpenLMI + realmd should come to the rescue.
You should be able to remotely script the whole procedure and run one
script to connect to a bunch of machines make them leave the domain they
are in and then join a new domain. Should be a not more than dozen lines
of script code.
This would be possible with the latest Fedora 19 bits just FYI.

Once these projects become available we should probably create a
procedure and a script.
https://fedorahosted.org/freeipa/ticket/3657

>
>  
>
> El vie, 24-05-2013 a las 10:52 -0400, Ainsworth, Thomas escribió:
>> Fellows,
>>
>> That capability would be awesome!  Just what I need...
>>
>> Let me know if it is possible and what kind of time frame you expect
>> it to happen...
>>
>> Thanks,
>>
>> Tom 
>>
>> On Fri, May 24, 2013 at 10:18 AM, Martin Kosek <mko...@redhat.com>
>> wrote:
>>         On 05/24/2013 03:34 PM, Simo Sorce wrote:
>>         > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>>         >> Greetings,
>>         >>
>>         >> I was told to bring my issue to this distribution.
>>         >>
>>         >> Six months or so ago I was tasked with setting up a
>>         Kerberos/LDAP
>>         >> Authentication server.  After a
>>         >> month of headaches I finally got it to work - Then I
>>         relaized it would
>>         >> be a monster to maintain.  Then a
>>         >> peer asked me to have a look at FreeIPA. Wow.  Installed it
>>         - was
>>         >> amazed.  Runs great.  We love it.
>>         >>
>>         >> ...A few days ago, I was notified I have to change my
>>         domain/REALM in
>>         >> FreeIPA.  I read the manual,
>>         >> google searches ... crickets.  I hear crickets.  I started
>>         spitting
>>         >> blood in the trash can.
>>         >>
>>         >> I joined a forum and asked for any information, and I was
>>         pointed
>>         >> here....so...here goes...
>>         >>
>>         >>
>>         >> My Current Configuration
>>         >>
>>         >> - We have two (2) servers.  Both are installed with
>>         >> ipa-server-3.0.0-26.el6_4.2.x86_64.
>>         >>   One is a replica server.
>>         >>
>>         >> Domain:  my.network.domain
>>         >> Realm:    MY.NETWORK.DOMAIN
>>         >>
>>         >>
>>         >> New Proposed Configuration
>>         >>
>>         >> Domain: my.local.network.domain
>>         >> Realm: MY.LOCAL.NETWORK.DOMAIN
>>         >>
>>         >>
>>         >>
>>         >> Sounds easy - but the paradox is ... the beauty of FreeIPA
>>         is that it
>>         >> does everything under the hood for you,
>>         >> and the horror is that it does everything under the hood
>>         for you!
>>         >> There seem to be so many tentacles with
>>         >> KERBEROS that I am afraid of jacking something up.
>>         >>
>>         >> Now, I have written a script that uses ipa to create all of
>>         my users -
>>         >> except the passwords.  So, what I was thinking
>>         >> is to shut down the replica server, re-kick it, re-install
>>         FreeIPA
>>         >> with the new domain/REALM and then run my deploy
>>         >> users script.  It would be my new master.  But then I would
>>         have to
>>         >> have "each" user log in and change their password.
>>         >> Then take the second server and make it the replica.
>>         >>
>>         >> Question #1:  Is this a stupid idea....  Is there a way
>>         (documented or
>>         >> not) that I can simply change my domain/REALM?
>>         >>                     Am I making this too hard?
>>         >>
>>         >> Question #2: Is there a way to backup the users passwords
>>         and then
>>         >> after I re-kick, install ipa and create my users ... I
>>         >>                    can simply "import" this information
>>         into the new
>>         >> ipa instance.
>>         >>
>>         >> Any and all suggestions are greatly appreciated...
>>         >
>>         > I would look at the migration pages. You can probably use
>>         migration mode
>>         > to migrate user data from one FreeIPa install to the other
>>         and then the
>>         > migration mode of sssd to validate and recompute the
>>         kerberos keys.
>>         >
>>         >
>>         > See this for some guidance:
>>         >
>>         
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>>         >
>>         > Simo.
>>         >
>>         
>>         
>>         Simo, on a side note - I am thinking, would it make sense to
>>         create a new
>>         command "ipa migrate-ipa" which would migrate data from other
>>         IPA installation?
>>         I.e. it would migrate users, groups, hosts, sudo, hbac,
>>         automount, etc?
>>         
>>         I came across several user cases where creating a replica was
>>         not an option and
>>         migration like this would have been beneficial.
>>         
>>         Martin
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to