Petr Spacek wrote:
On 20.1.2014 12:27, Petr Spacek wrote:
On 20.1.2014 09:21, Martin Kosek wrote:
On 01/17/2014 11:06 PM, Dmitri Pal wrote:
On 01/17/2014 03:59 PM, Rob Crittenden wrote:
Les Stott wrote:
The first time your migrated production users authenticate with
password their Kerberos credentials will be generated.

Is there a way to avoid this?

I had to do that for importing shadow files originally in DR. now,
i'm going from freeipa to freeipa. if i export kerberos attributes
will that avoid users having to regenerate the kerberos credentials?

No. The kerberos master keys are different.

Unless you want to copy master keys over.
This is a complex manual procedure. You can probably find it in the
archives as we helped people with it couple times but it is not

May be we should open an RFE to develop a tool that would do
ipa-migrate-ipa and can be used to move data from POC to production.

We have a RFE open for that feature already:

I added a reference to this discussion on the list. Contributions or
ideas are very welcome!

It sounds like creating a new replica and then disconnecting the new
from the old replica.

This procedure will copy all keys etc., so be sure you understand
implications for your environment! (Who can get root access to old
environment? Who can get root access to the new environment? What will
you do
if one of them was compromised...?)

I should clarify this:

May be that we could provide a tool for FreeIPA domain rename, so you
can create replica, disconnect the replica and then rename the FreeIPA
domain to something else (renaming would include master-key regeneration

This solves two problems at once:
- FreeIPA-to-FreeIPA migration
- FreeIPA domain renaming

There could be some weird side-effects. The certificate subject base is not changable post-install so you could end up issuing certs with the subject of the old realm.


Freeipa-users mailing list

Reply via email to