On 05/26/2015 09:04 AM, Sina Owolabi wrote:
Hi Martin

I actually mean restore. It's a complicated situation... There once was a
primary and it's CA replica. The primary got hosed and was cloned a few years
ago from the replica. Then the replica got hosed a few times too,  saved by the
"primary",  only now it wouldn't install a CA during replica setup.  Now the
cloned primary got hosed (it sees itself as a clone and being a the only CA,
has nowhere to go to renew certs). We opted to reinstall a fresh primary and
now we are looking for how to copy existing data from the standing CA-less
replica (everything is the same,  realms,  DNS hosts, HBAC, sudo rules,  etc )
to the freshly installed CA primary.

What do you mean by "hosed" replica? Do you know why it happened? This is obviously something that should not happen with FreeIPA, it being the backbone of the infrastructure.

This is another reason why I think you should better build your infrastructure on RHEL-7.1, it has more Backup&Restore options (ipa-backup, ipa-restore):

https://www.freeipa.org/page/Backup_and_Restore

This would be amazing if we could or
we'll have to setup the entire network and rules from scratch.
I would really appreciate some example commands we could run to import data
into the new primary.  We've already run db2bak and db2ldif on the replica to
export from a helpful script we found in a thread.
I hope you can help us!

If realms is the same, I think db2ldif and then importing the LDIF can be very effective in restoring the DNS, HBAC, SUDO entries. You may just need to extract those from the LDIF and then ldapadd it to your server so that you do not overwrite other critical settings.

As I wrote below, certificates or Kerberos keys cannot be that easily migrated and you would need to rebuild the keytabs when the services are created (ipa-getkeytab).

I do not have any other specific scripts or examples at hand, maybe other users here has something.

Martin



On Tue, May 26, 2015, 7:42 AM Martin Kosek <mko...@redhat.com
<mailto:mko...@redhat.com>> wrote:

    On 05/25/2015 05:46 PM, Sina Owolabi wrote:
     > Hi!
     >
     > Please how do I restore data to a freshly reinstalled IPA server from
     > an existing CA-less replica that has had replication agreements
     > removed?

    By restore, you mean actually migrate? We have a pending RFE for this:
    https://fedorahosted.org/freeipa/ticket/3656

    Migration of users/groups can be done via migrate-ds command. Migration of
    SUDO/HBAC/automount/... can be done by LDIF export and import (with some
    changes realms, etc.). But we have no automated way how to migrate Kerberos
    keys or certificates as the underlying keys are different.

     > Both servers are running rhel 6.6 with ipa-server versions 3.0.0
     > ( For some reason the IPA servers do not upgrade beyond this version).

    If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x. 
RHEL-7.1
    has FreeIPA 4.1, which is much more cooler than 3.0.0 :-) This is what we
    recommend for new deployments anyway.

     > I have been searching for information from RHEL knowledgebase and from
     > the FreeIPA site but I do not find information that exactly matches my
     > situation.
     >
     > I am grateful for any assistance in this.
     >
     >
     > Thanks!
     >

    HTH,
    Martin


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to