On 05/24/2013 01:32 PM, Loris Santamaria wrote:
> That tool would be great!
>
> For now if you are in a hurry you could dump your current domain with
> db2ldif, change suffixes, domain name, realm name in the ldif file, then
> load what you need on the new domain with ldapadd. Some extra advice:
>
> - AFAIK you can't migrate kerberos keys, so just keep the
> krbPrincipalName of the users/services/hosts, and ignore the rest of the
> krb* attributes. Change the realm name in the krbPrincipalName
> attributes
>
> - certs are a grey area, the old ones will still be valid, you should
> consider if you will need them or not
>
> - Don't mess with the cn=kerberos and cn=etc containers in the new
> domain
>
> - You should join manually the hosts to the new domain and issue new
> services keytabs. This is the most tedious and error prone part.
Yes but this is where presumably OpenLMI + realmd should come to the rescue.
You should be able to remotely script the whole procedure and run one script
to connect to a bunch of machines, make them leave the domain they are in and
then join a new domain. It should be no more than a dozen lines of script
code. This would be possible with the latest Fedora 19 bits, just FYI. Once
these projects become available we should probably create a procedure and a
script.

https://fedorahosted.org/freeipa/ticket/3657

>
>
> On Fri, 24-05-2013 at 10:52 -0400, Ainsworth, Thomas wrote:
>> Fellows,
>>
>> That capability would be awesome! Just what I need...
>>
>> Let me know if it is possible and what kind of time frame you expect
>> it to happen...
>>
>> Thanks,
>>
>> Tom
>>
>> On Fri, May 24, 2013 at 10:18 AM, Martin Kosek <[email protected]> wrote:
>> On 05/24/2013 03:34 PM, Simo Sorce wrote:
>> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>> >> Greetings,
>> >>
>> >> I was told to bring my issue to this distribution.
>> >>
>> >> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>> >> Authentication server. After a month of headaches I finally got it to
>> >> work - Then I realized it would be a monster to maintain. Then a peer
>> >> asked me to have a look at FreeIPA. Wow. Installed it - was amazed.
>> >> Runs great. We love it.
>> >>
>> >> ...A few days ago, I was notified I have to change my domain/REALM in
>> >> FreeIPA. I read the manual, google searches ... crickets. I hear
>> >> crickets. I started spitting blood in the trash can.
>> >>
>> >> I joined a forum and asked for any information, and I was pointed
>> >> here....so...here goes...
>> >>
>> >>
>> >> My Current Configuration
>> >>
>> >> - We have two (2) servers. Both are installed with
>> >> ipa-server-3.0.0-26.el6_4.2.x86_64. One is a replica server.
>> >>
>> >> Domain: my.network.domain
>> >> Realm: MY.NETWORK.DOMAIN
>> >>
>> >>
>> >> New Proposed Configuration
>> >>
>> >> Domain: my.local.network.domain
>> >> Realm: MY.LOCAL.NETWORK.DOMAIN
>> >>
>> >>
>> >> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>> >> does everything under the hood for you, and the horror is that it does
>> >> everything under the hood for you! There seem to be so many tentacles
>> >> with KERBEROS that I am afraid of jacking something up.
>> >>
>> >> Now, I have written a script that uses ipa to create all of my users -
>> >> except the passwords. So, what I was thinking is to shut down the
>> >> replica server, re-kick it, re-install FreeIPA with the new
>> >> domain/REALM and then run my deploy users script. It would be my new
>> >> master. But then I would have to have "each" user log in and change
>> >> their password. Then take the second server and make it the replica.
>> >>
>> >> Question #1: Is this a stupid idea.... Is there a way (documented or
>> >> not) that I can simply change my domain/REALM? Am I making this too
>> >> hard?
>> >>
>> >> Question #2: Is there a way to backup the users passwords and then
>> >> after I re-kick, install ipa and create my users ... I can simply
>> >> "import" this information into the new ipa instance.
>> >>
>> >> Any and all suggestions are greatly appreciated...
>> >
>> > I would look at the migration pages. You can probably use migration mode
>> > to migrate user data from one FreeIPA install to the other and then the
>> > migration mode of sssd to validate and recompute the kerberos keys.
>> >
>> >
>> > See this for some guidance:
>> >
>> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>> >
>> > Simo.
>> >
>>
>> Simo, on a side note - I am thinking, would it make sense to create a new
>> command "ipa migrate-ipa" which would migrate data from other IPA
>> installation? I.e. it would migrate users, groups, hosts, sudo, hbac,
>> automount, etc?
>>
>> I came across several use cases where creating a replica was not an
>> option and migration like this would have been beneficial.
>>
>> Martin
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
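The manual path Loris describes (dump with db2ldif, rewrite suffix and realm, keep krbPrincipalName, drop the other krb* attributes, leave cn=kerberos and cn=etc alone, then ldapadd) is mechanical enough to script. The block below is an added example, not code from this thread or from the FreeIPA project. It uses the domain and realm names from the thread; the sample LDIF, the list of operational attributes it strips (db2ldif dumps carry attributes such as nsUniqueId that ldapadd will not accept) and the choice to pass binary values such as userCertificate through untouched are assumptions of the example. Nothing here migrates Kerberos keys or passwords; as the thread says, users still need to set new passwords and hosts still need to be re-enrolled and issued fresh keytabs.

```python
"""
Rewrite a db2ldif dump of one FreeIPA suffix so ldapadd can load it into a
new domain/realm: change suffix and realm, keep krbPrincipalName with the
new realm, drop every other krb* attribute, skip cn=kerberos and cn=etc.
Added example, not code from the thread or the FreeIPA project.
"""
import base64
import re
from typing import List, Optional

OLD_SUFFIX = "dc=my,dc=network,dc=domain"            # values from the thread
NEW_SUFFIX = "dc=my,dc=local,dc=network,dc=domain"
OLD_REALM = "MY.NETWORK.DOMAIN"
NEW_REALM = "MY.LOCAL.NETWORK.DOMAIN"

# Subtrees the thread says not to touch in the new domain: never import them.
SKIP_SUBTREES = ("cn=kerberos", "cn=etc")
# Operational attributes in a db2ldif dump that ldapadd rejects
# (assumed list; extend it if your dump shows others).
OPERATIONAL = {"nsuniqueid", "creatorsname", "modifiersname",
               "createtimestamp", "modifytimestamp", "entryusn"}

LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_entries(ldif: str) -> List[List[str]]:
    """Split LDIF text into entries, joining folded continuation lines."""
    entries, current = [], []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # LDIF folds long lines with a space
        elif not raw.strip():
            if current:
                entries.append(current)
            current = []
        elif not raw.startswith("#"):
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def decode_line(line: str):
    """Return (attr, text value); value is None for binary base64 data."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"malformed LDIF line: {line!r}")
    attr, sep, value = m.groups()
    if sep == "::":
        try:
            value = base64.b64decode(value).decode("utf-8")
        except UnicodeDecodeError:
            return attr, None
    return attr, value


def encode_line(attr: str, value: str) -> str:
    """Emit an LDIF line, base64-encoding values LDIF cannot carry verbatim."""
    if (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<"))):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def under_skipped_subtree(dn: str) -> bool:
    dn = dn.lower()
    return any(dn.endswith(f"{c},{OLD_SUFFIX}".lower()) for c in SKIP_SUBTREES)


def rewrite_entry(entry: List[str]) -> Optional[List[str]]:
    """Rewrite one entry; return None if it must not be imported."""
    out = []
    for line in entry:
        attr, value = decode_line(line)
        key = attr.lower()
        if value is None:                   # binary blob, e.g. userCertificate
            out.append(line)
            continue
        if key == "dn" and under_skipped_subtree(value):
            return None
        if key in OPERATIONAL:
            continue
        if key.startswith("krb") and key != "krbprincipalname":
            continue                        # keys and key metadata cannot move
        value = value.replace(OLD_SUFFIX, NEW_SUFFIX)   # dn, member, memberOf...
        if key == "krbprincipalname":
            value = re.sub("@" + re.escape(OLD_REALM) + "$", "@" + NEW_REALM, value)
        out.append(encode_line(attr, value))
    return out


def rewrite_ldif(ldif: str) -> str:
    kept = [e for e in map(rewrite_entry, parse_entries(ldif)) if e]
    return "\n\n".join("\n".join(e) for e in kept) + "\n"


# Constructed sample dump: one user (with a non-ASCII cn and a binary cert)
# and one entry under cn=kerberos that must be left out.
SAMPLE = """\
dn: uid=tom,cn=users,cn=accounts,dc=my,dc=network,dc=domain
objectClass: inetorgperson
objectClass: krbprincipalaux
uid: tom
cn:: VG9tw6E=
krbPrincipalName: tom@MY.NETWORK.DOMAIN
krbPrincipalKey:: AAECAwQ=
krbLastPwdChange: 20130524120000Z
memberOf: cn=admins,cn=groups,cn=accounts,dc=my,dc=network,dc=domain
nsUniqueId: 1a2b3c4d-00000000-00000000-00000000
userCertificate:: /v8AAQ==

dn: cn=MY.NETWORK.DOMAIN,cn=kerberos,dc=my,dc=network,dc=domain
objectClass: krbrealmcontainer
cn: MY.NETWORK.DOMAIN
"""

if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE))
```

Feed the real dump in place of SAMPLE, review the output before handing it to ldapadd, and expect the first import attempt to surface further attributes or object classes your dump carries that this short list does not cover.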
