Is it possible to transfer the Kerberos Master Key to the new IPA Server?

- rene

On 31.08.2016 10:57, Rene Trippen wrote:
On 25.08.2016 19:44, Rob Crittenden wrote:
Rene Trippen wrote:

I've got an IPA with a broken CA infrastructure (don't know what
happened, but new clients cannot be registered).
It is not even possible to set up a new replica.

It may be fairly straightforward to get the CA back up. How is it

I don't know exactly how that happened. We had an IPA 3.x server, then we migrated it to another machine and upgraded to IPA 4.1; later, we upgraded (on the same machine) to IPA 4.2. The IPA server is basically working, but when I want to register a new machine, the registration process fails with the following error (I think these are the relevant lines):

2016-08-30T22:40:25Z DEBUG flushing ldap://ipa.internal.domain:389 from SchemaCache
2016-08-30T22:40:25Z DEBUG retrieving schema for SchemaCache url=ldap://ipa.internal.domain:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x375d5a8>
2016-08-30T22:40:26Z DEBUG Adding CA certificates to the IPA NSS database.
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=0
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=
2016-08-30T22:40:26Z DEBUG Starting external process
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=255
2016-08-30T22:40:26Z DEBUG stdout=
2016-08-30T22:40:26Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.

2016-08-30T22:40:26Z ERROR Failed to add INTERNAL.DOMAIN IPA CA to the IPA NSS database.
2016-08-30T22:40:26Z ERROR Installation failed. Rolling back changes.

The client tries to add 2 certificates but fails with the second. I think it is because we have 2 CA certificates (one from the old IPA 3.x server and one from the new 4.x server). My current workaround is to register the client with an IPA 3.x client, then upgrade to the 4.x client.

I've tried many ways to set up a new CA:
- tried ipa-cacert-manage renew
- tried to set up a new replica with a new CA, but the setup failed with the same problems described above
- tried to remove all old certificates referring to the old IPA server (but I think I failed somewhere)

My thinking is that the CA is in bad condition, and I spent a lot of time trying to fix it, with no success. My fear is that if I find some crude, undocumented workaround for the CA problem, the problem may pop up at the next update. So setting up a fresh IPA and migrating everything (except the clients) was my hope to get an IPA running without all the CA problems. Migrating the clients is not the problem; that can be done by script (spacewalk or ansible). But migrating the users is not that easy, because the users cannot be scripted :)

So, I wanted to set up a new IPA server with a new CA, and I want to move
all users with their passwords to the new IPA instance.
I've tried with 'ipa migrate-ds'

ipa migrate-ds --continue --bind-dn="cn=Directory Manager"
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--group-overwrite-gid --with-compat ldap://<ldapserver>

The output is OK
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

But the ipa/migration website is not working for me.
Anyway, is there a way to export the users with passwords? I think I
have to export some Kerberos-specific stuff from the old IPA?

The log file /var/log/httpd/error_log may have details on what isn't

Sorry, that was not clearly described:

The site is basically working, but when I enter the password, nothing happens in the backend (I cannot login with my user on the ipa login site).

- rene

The way to export users with passwords is the method you've already
tried. To not have to change a password at all would require the same
Kerberos master key and these are generated randomly at install time.
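
Added example, not part of the original thread and not FreeIPA code: a small Python parser for the install-log format quoted above. It pairs each logged external command with its return code and stderr, then flags `certutil -A` calls that reuse the same NSS database and nickname and fail, which is the pattern the poster suspects. The function names are hypothetical, and the sample is an excerpt of the log lines quoted in the thread.

```python
import shlex
from collections import Counter

# Excerpt of the log quoted in this thread (args, return code, stderr lines only).
SAMPLE_LOG = """\
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=0
2016-08-30T22:40:26Z DEBUG stderr=
2016-08-30T22:40:26Z DEBUG args='/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-A' '-n' 'INTERNAL.DOMAIN IPA CA' '-t' 'CT,C,C'
2016-08-30T22:40:26Z DEBUG Process finished, return code=255
2016-08-30T22:40:26Z DEBUG stderr=certutil: could not add certificate to token or database: SEC_ERROR_ADDING_CERT: Error adding certificate to database.
"""

def parse_runs(log_text):
    """Return one dict per external process: argv, return code, stderr."""
    runs, cur = [], None
    for raw in log_text.splitlines():
        parts = raw.split(" ", 2)          # timestamp, level, message
        if len(parts) < 3:
            continue                       # blank or continuation line
        msg = parts[2]
        if msg.startswith("args="):
            cur = {"argv": shlex.split(msg[5:]), "rc": None, "stderr": ""}
            runs.append(cur)
        elif cur and msg.startswith("Process finished, return code="):
            cur["rc"] = int(msg.rsplit("=", 1)[1])
        elif cur and msg.startswith("stderr="):
            cur["stderr"] = msg[7:]
    return runs

def opt(argv, flag):
    """Value following a command-line flag, or None when absent."""
    return argv[argv.index(flag) + 1] if flag in argv[:-1] else None

def nickname_collisions(runs):
    """Flag 'certutil -A' calls that reuse a (db, nickname) pair and then fail."""
    seen, hits = Counter(), []
    for r in runs:
        argv = r["argv"]
        if not argv or not argv[0].endswith("certutil") or "-A" not in argv:
            continue
        key = (opt(argv, "-d"), opt(argv, "-n"))
        seen[key] += 1
        if seen[key] > 1 and r["rc"] not in (0, None):
            hits.append({"db": key[0], "nickname": key[1],
                         "attempt": seen[key], "rc": r["rc"], "stderr": r["stderr"]})
    return hits

print(nickname_collisions(parse_runs(SAMPLE_LOG)))
```

A hit only shows that a second add under an already-used nickname failed; it does not show why the two certificates differ.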

