Timothy Geier wrote:
> This is something I’ve looked at lately and a manual proof of concept I
> just did (using ideas from
> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA)
> makes it seem theoretically possible (though it looks like, barring the
> migration of the kerberos master key, all enrolled hosts would need to
> use ipa-getkeytab to get a replacement keytab from the new server and
> copy it to /etc/krb5.keytab so that sssd will work properly..the
> alternative is re-enrollment.  All other keytabs in use by other
> applications would have to be similarly replaced).  

Why migrate at all?

> Is https://fedorahosted.org/freeipa/ticket/3656 something that’s coming
> sooner or later to a future version of FreeIPA?  Has anyone done a
> manual migration on a moderate-to-large setup?

Based on where it sits now later seems more probable. I've always seen
this as a way to avert catastrophe, like your only CA just died, not as
a way to move between versions. So it depends on what your use case is,
and if it's a good one, that could affect the timing of the work.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to