This is something I’ve looked at lately and a manual proof of concept I just 
did (using ideas from
 makes it seem theoretically possible (though it looks like, barring the 
migration of the Kerberos master key, all enrolled hosts would need to use 
ipa-getkeytab to get a replacement keytab from the new server and copy it to 
/etc/krb5.keytab so that sssd will work properly; the alternative is 
re-enrollment.  All other keytabs in use by other applications would have to be 
similarly replaced).

Is something that’s coming sooner 
or later to a future version of FreeIPA?  Has anyone done a manual migration on 
a moderate-to-large setup?