On 09/22/2015 05:06 AM, Robert Story wrote:
> I've followed the migration document
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> almost to the end.
>
> I'm at step 10, which stops everything on the old . My concern is all
> the installed servers that are pointing at the old system. That host name
> is hardcoded in sssd.conf all over my network, and we rely on freeIPA for
> centralized user management and ssh keys.
>
> My original system was auth.example, and the new one is auth-2.example. Is
> it safe to make auth.example a CNAME to auth-2.example? Or will something
> somewhere break if the IP address changes (and is pointing at a newer
> version of freeIPA)?

I wouldn't be too afraid of the IP address change, but rather the CNAME itself and Kerberos authentication against the CNAME'ed old FreeIPA server. But I think Alexander had some ideas how to make such setups work.

As for the clients, if you use DNS SRV records, you should be fine, even if the original server is listed in sssd.conf - well, as long as its server list also has "_srv_" in it, which ipa-client-install adds if the DNS SRV check passes.
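
An added example, not part of the original thread: a Python check for the condition named in the reply, that is, whether each IPA domain in a client's sssd.conf has `_srv_` in its server list or only the host being retired. The sample config, the function name and the status labels are constructed for illustration, and `ipa_server` is assumed to be the option that holds the server list.

```python
import configparser

# Constructed sample sssd.conf: one domain with "_srv_", one pinned to the old host.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example, legacy
services = nss, pam, ssh

[domain/example]
id_provider = ipa
ipa_domain = example
ipa_server = _srv_, auth.example

[domain/legacy]
id_provider = ipa
ipa_domain = legacy.example
ipa_server = auth.example
"""


def audit_sssd_conf(text, retiring_host):
    """Map each IPA domain section to 'srv', 'pinned', 'static' or 'unset'.

    srv    - "_srv_" is in the list, so DNS SRV records are consulted
    pinned - no "_srv_" and the retiring host is listed explicitly
    static - no "_srv_", only other hard-coded hosts
    unset  - the section has no ipa_server value at all
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    result = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parser.get(section, "id_provider", fallback="").strip() != "ipa":
            continue
        raw = parser.get(section, "ipa_server", fallback="")
        servers = [s.strip().lower() for s in raw.split(",") if s.strip()]
        if not servers:
            result[section] = "unset"
        elif "_srv_" in servers:
            result[section] = "srv"
        elif retiring_host.lower() in servers:
            result[section] = "pinned"
        else:
            result[section] = "static"
    return result


if __name__ == "__main__":
    for name, status in audit_sssd_conf(SAMPLE_SSSD_CONF, "auth.example").items():
        print(f"{name}: {status}")
```

Sections reported as `pinned` are the ones to update before the old server is stopped. The check says nothing about the CNAME and Kerberos concern raised in the reply.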