On Tue, 04 Nov 2014 13:24:53 +0100
Andreas Ladanyi <andreas.lada...@kit.edu> wrote:

> > On Mon, 13 Oct 2014 17:30:58 +0200
> > Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
> >
> >> My old system, from which I migrated the users/group accounts,
> >> uses the Kerberos own DB without LDAP for the principals.
> >>
> >> I could dump the master key :
> >>
> >> kdb5_util dump filename K/M@REALM
> >>
> >> Now I have a lot of numbers in the dump file. Which number belongs
> >> to which LDAP attribute in the (test) FreeIPA 389 LDAP system
> >> (Simon called it a throwaway system :-) )?
> >>
> >> I don't know the data structure of the KRB own DB.
> > And you shouldn't really care, you should use the kdb5 utils to load
> > back the dumped DB, provided you first create all users and hosts
> > and services via the freeipa tools.
> >
> > Simo.
> 
> Ok, I dumped the Kerberos DB with kdb5_util and got the dumped file
> with all principals.
> 
> So now, if I understand you correctly, I have to create all
> users/group/service principals with the freeipa tools first?
> 
> How can I import the dumped principals into the 389 LDAP? I can't
> see any options in kdb5_ldap_util to import the principals and
> hashes from the dumped KRB DB file into 389 LDAP.

Sorry Andreas, I misremembered how it was done.
You can use kdb5_util to import, too.

In this old piece of code you can find some hints about how to use it:
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipa-admintools/ipa-change-master-key?h=ipa-1-2

This one was used to enact a change of master key, you do not need to
do that, so just look at how the import back is done around line 300.

You will also probably need to use the '-x
ipa-setup-override-restrictions' option.

Keep in mind that I have NOT tested this procedure, it may work or it
may fatally cripple your setup. At a minimum I strongly suggest you
exclude the services tied to the IPA Servers themselves. Take good
backups before attempting this.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
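Simo's advice is to load the old dump with kdb5_util but leave out the principals tied to the IPA servers themselves. As an added example (not code from the thread or from FreeIPA), here is a small filter that reads a kdb5_util dump and writes out a copy with those records removed, ready for the load step; the dump field layout and the sample records are constructed assumptions (records start with "princ" and the principal name is the first tab-separated field containing "@"), and the IPA server host names are a parameter.

```python
"""Drop IPA-server principals from a kdb5_util dump before loading it into FreeIPA.

The filtered text is what you would hand to `kdb5_util load -update`; running
kdb5_util itself is out of scope here (constructed example, not FreeIPA code).
"""

# The old realm's master key; FreeIPA already has its own, so it is never imported.
IPA_MASTER_KEY = "K/M"

# Constructed sample dump; only the principal name fields matter to the filter,
# every other field is passed through untouched.
SAMPLE_DUMP = (
    "kdb5_util load_dump version 6\n"
    "princ\t38\t15\t1\t2\t0\tK/M@EXAMPLE.COM\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t17\t1\t2\t0\talice@EXAMPLE.COM\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t33\t1\t2\t0\thost/ipa1.example.com@EXAMPLE.COM\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t33\t1\t2\t0\tHTTP/ipa1.example.com@EXAMPLE.COM\t0\t0\t0\t0\t-1;\n"
    "princ\t38\t39\t1\t2\t0\thost/fileserver.example.com@EXAMPLE.COM\t0\t0\t0\t0\t-1;\n"
    "policy\tdefault\t0\t0\t0\t0\t0\t0\n"
)


def principal_name(fields):
    """Return the principal name of a 'princ' record, or None for any other line."""
    if not fields or fields[0] != "princ":
        return None
    return next((f for f in fields[1:] if "@" in f), None)


def is_ipa_server_principal(name, ipa_hosts):
    """True for the master key and for any host/service principal on an IPA server."""
    primary = name.partition("@")[0]
    if primary == IPA_MASTER_KEY:
        return True
    instance = primary.partition("/")[2]  # empty for plain user principals
    return instance in ipa_hosts


def filter_dump(lines, ipa_hosts):
    """Split dump lines into (kept, skipped_principal_names)."""
    kept, skipped = [], []
    for line in lines:
        name = principal_name(line.rstrip("\n").split("\t"))
        if name is not None and is_ipa_server_principal(name, ipa_hosts):
            skipped.append(name)
        else:
            kept.append(line)
    return kept, skipped


if __name__ == "__main__":
    kept, skipped = filter_dump(SAMPLE_DUMP.splitlines(keepends=True), {"ipa1.example.com"})
    print("skipped:", *skipped, sep="\n  ")
    print("".join(kept), end="")
```

Feed the kept lines to a new file and load that file, not the original dump; the skipped list is your record of what stayed with the IPA servers.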