Thanks Martin. Would upgrading both servers to 7.1 and then attempting a backup and restore from the CA-less replica to the new master be a safe option? Would this work better?
On Tue, May 26, 2015, 8:14 AM Martin Kosek <mko...@redhat.com> wrote:

> On 05/26/2015 09:04 AM, Sina Owolabi wrote:
> > Hi Martin
> >
> > I actually mean restore. It's a complicated situation... There once was a
> > primary and its CA replica. The primary got hosed and was cloned a few years
> > ago from the replica. Then the replica got hosed a few times too, saved by the
> > "primary", only now it wouldn't install a CA during replica setup. Now the
> > cloned primary got hosed (it sees itself as a clone and, being the only CA,
> > has nowhere to go to renew certs). We opted to reinstall a fresh primary and
> > now we are looking for how to copy existing data from the standing CA-less
> > replica (everything is the same: realms, DNS hosts, HBAC, sudo rules, etc.)
> > to the freshly installed CA primary.
>
> What do you mean by "hosed" replica? Do you know why it happened? This is
> obviously something that should not happen with FreeIPA, it being the backbone
> of the infrastructure.
>
> This is another reason why I think you should better build your infrastructure
> on RHEL-7.1, it has more Backup&Restore options (ipa-backup, ipa-restore):
>
> https://www.freeipa.org/page/Backup_and_Restore
>
> > This would be amazing if we could, or
> > we'll have to set up the entire network and rules from scratch.
> > I would really appreciate some example commands we could run to import data
> > into the new primary. We've already run db2bak and db2ldif on the replica to
> > export, from a helpful script we found in a thread.
> > I hope you can help us!
>
> If the realms are the same, I think db2ldif and then importing the LDIF can be
> very effective in restoring the DNS, HBAC, SUDO entries. You may just need to
> extract those from the LDIF and then ldapadd it to your server so that you do
> not overwrite other critical settings.
>
> As I wrote below, certificates or Kerberos keys cannot be that easily migrated
> and you would need to rebuild the keytabs when the services are created
> (ipa-getkeytab).
>
> I do not have any other specific scripts or examples at hand, maybe other users
> here have something.
>
> Martin
>
> > On Tue, May 26, 2015, 7:42 AM Martin Kosek <mko...@redhat.com
> > <mailto:mko...@redhat.com>> wrote:
> >
> >     On 05/25/2015 05:46 PM, Sina Owolabi wrote:
> >     > Hi!
> >     >
> >     > Please how do I restore data to a freshly reinstalled IPA server from
> >     > an existing CA-less replica that has had replication agreements
> >     > removed?
> >
> >     By restore, you mean actually migrate? We have a pending RFE for this:
> >     https://fedorahosted.org/freeipa/ticket/3656
> >
> >     Migration of users/groups can be done via migrate-ds command. Migration of
> >     SUDO/HBAC/automount/... can be done by LDIF export and import (with some
> >     changes: realms, etc.). But we have no automated way to migrate Kerberos
> >     keys or certificates as the underlying keys are different.
> >
> >     > Both servers are running rhel 6.6 with ipa-server version 3.0.0
> >     > (For some reason the IPA servers do not upgrade beyond this version).
> >
> >     If you want a higher version than FreeIPA 3.0.0, please use RHEL-7.x. RHEL-7.1
> >     has FreeIPA 4.1, which is much cooler than 3.0.0 :-) This is what we
> >     recommend for new deployments anyway.
> >
> >     > I have been searching for information from RHEL knowledgebase and from
> >     > the FreeIPA site but I do not find information that exactly matches my
> >     > situation.
> >     >
> >     > I am grateful for any assistance in this.
> >     >
> >     >
> >     > Thanks!
> >
> >     HTH,
> >     Martin
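One way to do the selective LDIF import Martin describes above (pull only the HBAC, sudo and DNS subtrees out of the db2ldif export, drop the attributes the old server generated, then ldapadd the rest on the new master), as an added example that is not from the thread or from FreeIPA itself; the operational-attribute drop list, the plain-DN assumption and the sample export are mine:

```shell
# Added helper, not from the thread: keep only the HBAC/sudo/DNS subtrees of a
# db2ldif export and strip operational attributes so ldapadd can load the output
# on the new master. Assumed (mine): plain non-base64 DNs and the drop list.
ldif_extract() {
    file="$1"; suffix="$2"; shift 2
    awk -v suffix="$suffix" -v conts="$*" '
        BEGIN {
            n = split(conts, c, " ")
            drop = "^(nsuniqueid|entryusn|entryid|creatorsname|modifiersname|createtimestamp|modifytimestamp|numsubordinates):"
        }
        # Queue one unwrapped line unless it is a comment, version or dropped attr.
        function emit(l) {
            if (l == "" || l ~ /^#/ || l ~ /^version:/ || tolower(l) ~ drop) return
            if (l ~ /^dn: /) dn = l
            lines[++cnt] = l
        }
        # Print the queued entry only if its DN sits in one of the containers.
        function flush(   i, keep) {
            keep = 0; for (i = 1; i <= n; i++)
                if (tolower(dn) ~ ("(^dn: |,)" tolower(c[i]) "," tolower(suffix) "$")) keep = 1
            if (keep && cnt > 0) { for (i = 1; i <= cnt; i++) print lines[i]; print "" }
            cnt = 0; dn = ""
        }
        /^ / { cur = cur substr($0, 2); next }   # join LDIF continuation line
        { emit(cur); cur = $0 }
        /^$/ { flush(); next }
        END { emit(cur); flush() }
    ' "$file"
}
# Constructed sample export (not real data): HBAC container, one HBAC rule with
# a wrapped description, and a user entry that must not be copied across.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: cn=hbac,dc=example,dc=com
objectClass: nsContainer
cn: hbac
nsUniqueId: 11111111-aaaa-bbbb-cccc-222222222222

dn: ipaUniqueID=1,cn=hbac,dc=example,dc=com
objectClass: ipaHBACRule
description: long descripti
 on continued
creatorsName: cn=directory manager

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
EOF
}
f="${TMPDIR:-/tmp}/ipa-sample.$$.ldif"; write_sample_ldif "$f"
ldif_extract "$f" dc=example,dc=com cn=hbac cn=sudo cn=dns; rm -f "$f"
```

Review the output, then load it with `ldapadd -c -x -D "cn=Directory Manager" -W -H ldap://NEWMASTER -f extracted.ldif` (NEWMASTER is a placeholder); `-c` continues past entries such as the container objects that already exist on the fresh install.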
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project