On 08/28/2013 10:16 AM, Bret Wortman wrote:
> Ugh. Well that certainly hurts, but I just don't see an alternative. I
> hope Puppet can at least make the re-enrollment a bit easier.
> I'm still hand-copying some of the configuration and user group
> details and crafting the load scripts so if anyone has a bright idea
> in the next few hours, I'd love to hear it!
> *Bret Wortman*
> http://damascusgrp.com/
> http://about.me/wortmanbret
> On Wed, Aug 28, 2013 at 9:56 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
>     Bret Wortman wrote:
>         Today, I'm going to wipe my master, install f18 from scratch, then
>         install the freeipa-server RPMs again and manually load all our
>         hosts, dns entries, and users from scratch (I'm building scripts to
>         do this for me using the command line tools). We'll then do the
>         same for each replica so that our system will basically be starting
>         clean again.
>         Are there any files that I really ought to back up and restore as
>         part of this effort, like certificates, that might make it easier
>         for clients to deal with us after the master comes back on line?
>         Or am I safe to just nuke the box and start clean?
>     You'll end up with a new CA so you'll need to re-enroll any client
>     machines. Browsers will see the most grief as there will be a
>     different CA with the same subject.
>     Depending on how you are migrating your users they will all likely
>     need to reset their passwords, or go through the migration step.

And the migration step means you carry forward user data as if you migrated
from an LDAP server. In this case you can complete the migration using
either a migration web page or just using SSSD. If the migration is
enabled and you migrated LDAP password attributes from the older IPA,
then SSSD and/or the migration page would be able to capture the user
password and create Kerberos hashes, completing the migration. This at
least would not require people to change the passwords.

>     rob
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
