Прохоров Сергей wrote:
> Hello, I have a self-signed freeipa replica. The problem is that I lost my
> freeipa primary server after an hdd error.
> Now I need to create a new replication server but I can't without the primary
> server. I read this documentation and a lot of community correspondence
> but didn't find my issue:
>
> http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html

Ouch. This is really old.

> http://www.freeipa.org/page/Howto/Promoting_a_self-signed_FreeIPA_CA

I assume you can't do this because the original host is lost, right?

> How can I resolve it or migrate my kerberos/ldap schema to the new
> primary server?
> I'm using ipa-server-3.0.0-42.el6.x86_64 from the base oracle linux 6.5
> repository.

Promote is such a terrible word, I really wish I'd never used it. Every IPA master is an equal, some are just more equal than others. The key bit that distinguishes them is whether there is a CA installed. The other bit has to do with CRL generation and renewal which in your version can only be done on one host (neither of which apply to --selfsign anyway).

If you installed originally using --selfsign and that initial host is gone and you have no backups you're in for some trouble. It is a single point of failure and the reason we no longer support it. The docs contain a bit of warning about that.

You mention migrating. What new primary server?

So I'd start digging around to see if you have the original CA private key somewhere. The end of the IPA server install would have recommended backing up cacert.p12.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
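If a candidate cacert.p12 backup turns up, the first thing to establish is whether it really holds the private key of the CA the surviving replica trusts. The check below is an added example, not part of the thread or of FreeIPA itself; it assumes the backup is a PKCS#12 file protected by the password chosen at install time and that the replica's copy of the CA certificate is /etc/ipa/ca.crt, and it ships with constructed throwaway CAs so it can be run without touching real IPA data.

```shell
#!/bin/sh
# Does the PKCS#12 file $1 contain the private key and certificate of the
# CA whose certificate is $2?  $3 is the PKCS#12 password.  Returns 0 on match.
# On a replica the real call would be:
#   p12_matches_ca /root/cacert.p12 /etc/ipa/ca.crt "$INSTALL_TIME_PASSWORD"
p12_matches_ca() {
  p12="$1"; cacert="$2"; pass="$3"
  tmp=$(mktemp -d) || return 1
  # Pull the cert paired with the key, and the key itself, out of the bundle.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$tmp/cert.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
    -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
  # The public key derived from the backed-up private key must equal the
  # public key inside the CA certificate the replica already trusts ...
  k1=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null | openssl sha256)
  k2=$(openssl x509 -in "$cacert" -pubkey -noout 2>/dev/null | openssl sha256)
  # ... and the certificate in the bundle must be that very CA certificate.
  f1=$(openssl x509 -in "$tmp/cert.pem" -noout -fingerprint -sha256 2>/dev/null)
  f2=$(openssl x509 -in "$cacert" -noout -fingerprint -sha256 2>/dev/null)
  rm -rf "$tmp"
  [ -n "$k1" ] && [ "$k1" = "$k2" ] && [ -n "$f1" ] && [ "$f1" = "$f2" ]
}

# Constructed fixtures (not real IPA material): $1=dir, $2=CN.
# Writes ca.key, ca.crt and a password-protected cacert.p12 into the dir.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=EXAMPLE.TEST/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/ca.crt" -inkey "$1/ca.key" \
    -out "$1/cacert.p12" -passout pass:Secret123 2>/dev/null
}
# A backup taken from this CA must be accepted.
demo_matching_backup() {
  d=$(mktemp -d); make_ca "$d" "Certificate Authority" || return 1
  if p12_matches_ca "$d/cacert.p12" "$d/ca.crt" Secret123; then rc=0; else rc=1; fi
  rm -rf "$d"; return $rc
}
# A backup from some other CA (same password, same subject style) must be rejected.
demo_foreign_backup() {
  a=$(mktemp -d); b=$(mktemp -d)
  make_ca "$a" "Certificate Authority" && make_ca "$b" "Other CA" || return 1
  if p12_matches_ca "$b/cacert.p12" "$a/ca.crt" Secret123; then rc=1; else rc=0; fi
  rm -rf "$a" "$b"; return $rc
}
```

A match means the backup can stand in for the lost master's CA key; a mismatch means it is a stale or unrelated bundle and replica installs signed against it would not be trusted by the existing hosts.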