Petr Spacek wrote:
On 29.6.2013 09:40, Joshua J. Kugler wrote:
We are trying to query an IPA server from a new IPA server (not replication,
just trying to query to recreate accounts).

But, when I run the query, I get this:

[root@ipan ~]# ipa -vvv -e xmlrpc_uri=https://ipa0.lab.whamcloud.com/ipa/xml user-show jkugler
ipa: INFO: trying https://ipa0.lab.whamcloud.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'https://ipa0.lab.whamcloud.com/ipa/xml'
ipa: ERROR: Service 'h...@ipa0.lab.whamcloud.com' not found in Kerberos database

I've done some googling, and the answers I found had to do with DNS
issues, but I don't believe that is the cause in our case, due to DNS
lookups seeming to work.

[root@ipan ~]# host ipan.lab.whamcloud.com
ipan.lab.whamcloud.com has address 10.10.0.50
[root@ipan ~]# host ipa0.lab.whamcloud.com
ipa0.lab.whamcloud.com has address 10.10.0.4
[root@ipan ~]# host 10.10.0.50
50.0.10.10.in-addr.arpa domain name pointer ipan.lab.whamcloud.com.
[root@ipan ~]# host 10.10.0.4
4.0.10.10.in-addr.arpa domain name pointer ipa0.lab.whamcloud.com.

What config do I need to tweak on the new server to allow it to query
the old server?

I guess that now you have two FreeIPA servers with different host names
but with the same FreeIPA domain and Kerberos REALM name, right? Please
correct me if I'm wrong.

This configuration can't work with Kerberos authentication.
Authentication to only one server will work at one time, because there
is no reliable way to find which KDC (old or new) you should query.

IMHO the simplest way to work around this situation is to generate
a list of users etc. on the 'old' server, save the data to a file and
transfer the files to the new server. (And then decommission the old server.)

This will save you the pain caused by misconfigured Kerberos, but you
will have to solve file parsing.


You can also use the ipa migrate-ds command to move users and groups from one IPA server to another.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
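
One way to handle the file parsing mentioned in the thread, as an added example that is not part of the original messages: it assumes the old server's users were exported as LDIF (for example with ldapsearch), and the sample entry, user name and domain are constructed. Only allowlisted attributes are read, so password hashes and Kerberos keys present in the export are never decoded or copied.

```python
import base64

# Allowlist: LDIF attribute -> `ipa user-add` option. Everything else in the
# export (userPassword, krbPrincipalKey, ...) is dropped at parse time.
ATTR_TO_OPT = {"givenName": "--first", "sn": "--last", "mail": "--email",
               "uidNumber": "--uid", "gidNumber": "--gidnumber",
               "loginShell": "--shell", "homeDirectory": "--homedir"}
KEEP = set(ATTR_TO_OPT) | {"uid"}

# Constructed sample export (hypothetical user and domain).
SAMPLE_LDIF = """\
dn: uid=auser,cn=users,cn=accounts,dc=example,dc=test
uid: auser
givenName: Anna
sn:: TcO8bGxlcg==
homeDirectory: /home/
 auser
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalKey:: /wD+

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry, allowlisted attrs only."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # RFC 2849 folded continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        attr, _, value = line.partition(":")
        if not line.strip():                # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif attr in KEEP:                  # comments and secrets never match
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr, []).append(value.strip())
    return entries

def user_add_commands(text):
    """Build an `ipa user-add` argv list for every entry that has a uid."""
    return [["ipa", "user-add", e["uid"][0]]
            + [f"{o}={e[a][0]}" for a, o in ATTR_TO_OPT.items() if a in e]
            for e in parse_ldif(text) if "uid" in e]
```

Each returned list is an argument vector, so it can be passed to subprocess.run without a shell and without quoting problems in names.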
