On 01/20/2014 11:12 AM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 20.1.2014 12:27, Petr Spacek wrote:
>>> On 20.1.2014 09:21, Martin Kosek wrote:
>>>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>>>> Les Stott wrote:
>>>>>>>> The first time your migrated production users authenticate with
>>>>>>>> their
>>>>>>>> password their Kerberos credentials will be generated.
>>>>>>>
>>>>>>> Is there a way to avoid this?
>>>>>>>
>>>>>>> I had to do that for importing shadow files originally in DR. now,
>>>>>>> i'm going from freeipa to freeipa. if i export kerberos attributes
>>>>>>> will that avoid users having to regenerate the kerberos
>>>>>>> credentials?
>>>>>>
>>>>>> No. The kerberos master keys are different.
>>>>>
>>>>> Unless you want to copy master keys over.
>>>>> This is a complex manual procedure. You can probably find it in the
>>>>> archives as we helped people with it couple times but it is not
>>>>> recommended.
>>>>>
>>>>> May be we should open an RFE to develop a tool that would do
>>>>> ipa-migrate-ipa and can be used to move data from POC to production.
>>>>
>>>> We have a RFE open for that feature already:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3656
>>>>
>>>> I added a reference to this discussion on the list. Contributions or
>>>> other
>>>> ideas are very welcome!
>>>
>>> It sounds like creating a new replica and then disconnecting the new
>>> replica
>>> from the old replica.
>>>
>>> This procedure will copy all keys etc., so be sure you understand
>>> security
>>> implications for your environment! (Who can get root access to old
>>> environment? Who can get root access to the new environment? What will
>>> you do
>>> if one of them was compromised...?)
>>
>> I should clarify this:
>>
>> May be that we could provide a tool for FreeIPA domain rename, so you
>> can create replica, disconnect the replica and then rename the FreeIPA
>> domain to something else (renaming would include master-key regeneration
>> etc.).
>>
>> This solves two problems at once:
>> - FreeIPA-to-FreeIPA migration
>> - FreeIPA domain renaming
>>
>
> There could be some weird side-effects. The certificate subject base
> is not changable post-install so you could end up issuing certs with
> the subject of the old realm.
>
> rob

There is a set of tickets to be able to change the chaining and rename
the root CA. Once this is available I guess we would need to call that
too to change the subject and chaining.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to