On 20.1.2014 09:21, Martin Kosek wrote:
On 01/17/2014 11:06 PM, Dmitri Pal wrote:
On 01/17/2014 03:59 PM, Rob Crittenden wrote:
Les Stott wrote:
The first time your migrated production users authenticate with their
password their Kerberos credentials will be generated.


Is there a way to avoid this?

I had to do that for importing shadow files originally in DR. now,
i'm going from freeipa to freeipa. if i export kerberos attributes
will that avoid users having to regenerate the kerberos credentials?

No. The kerberos master keys are different.

Unless you want to copy master keys over.
This is a complex manual procedure. You can probably find it in the
archives as we helped people with it couple times but it is not recommended.

May be we should open an RFE to develop a tool that would do
ipa-migrate-ipa and can be used to move data from POC to production.

We have a RFE open for that feature already:

https://fedorahosted.org/freeipa/ticket/3656

I added a reference to this discussion on the list. Contributions or other
ideas are very welcome!

It sounds like creating a new replica and then disconnecting the new replica from the old replica.

This procedure will copy all keys etc., so be sure you understand security implications for your environment! (Who can get root access to old environment? Who can get root access to the new environment? What will you do if one of them was compromised...?)

--
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to