On 01/20/2014 11:12 AM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 20.1.2014 12:27, Petr Spacek wrote:
>>> On 20.1.2014 09:21, Martin Kosek wrote:
>>>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>>>> Les Stott wrote:
>>>>>>>> The first time your migrated production users authenticate with
>>>>>>>> their password their Kerberos credentials will be generated.
>>>>>>> Is there a way to avoid this?
>>>>>>> I had to do that for importing shadow files originally in DR. Now,
>>>>>>> I'm going from FreeIPA to FreeIPA. If I export Kerberos attributes,
>>>>>>> will that avoid users having to regenerate the Kerberos
>>>>>>> credentials?
>>>>>> No. The Kerberos master keys are different.
>>>>> Unless you want to copy master keys over.
>>>>> This is a complex manual procedure. You can probably find it in the
>>>>> archives as we helped people with it a couple of times, but it is not
>>>>> recommended.
>>>>> Maybe we should open an RFE to develop a tool that would do
>>>>> ipa-migrate-ipa and can be used to move data from POC to production.
>>>> We have an RFE open for that feature already:
>>>> https://fedorahosted.org/freeipa/ticket/3656
>>>> I added a reference to this discussion on the list. Contributions or
>>>> other ideas are very welcome!
>>> It sounds like creating a new replica and then disconnecting the new
>>> replica from the old replica.
>>> This procedure will copy all keys etc., so be sure you understand the
>>> security implications for your environment! (Who can get root access
>>> to the old environment? Who can get root access to the new environment?
>>> What will you do if one of them was compromised...?)
>> I should clarify this:
>> Maybe we could provide a tool for FreeIPA domain rename, so you
>> can create a replica, disconnect the replica and then rename the FreeIPA
>> domain to something else (renaming would include master-key regeneration
>> etc.).
>> This solves two problems at once:
>> - FreeIPA-to-FreeIPA migration
>> - FreeIPA domain renaming
> There could be some weird side-effects. The certificate subject base
> is not changeable post-install so you could end up issuing certs with
> the subject of the old realm.
> rob

There is a set of tickets to be able to change the chaining and rename
the root CA. Once this is available I guess we would need to call that
too to change the subject and chaining.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.