Timothy Geier wrote:
> This is something I've looked at lately and a manual proof of concept I
> just did (using ideas from
> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA)
> makes it seem theoretically possible (though it looks like, barring the
> migration of the Kerberos master key, all enrolled hosts would need to
> use ipa-getkeytab to get a replacement keytab from the new server and
> copy it to /etc/krb5.keytab so that sssd will work properly..the
> alternative is re-enrollment. All other keytabs in use by other
> applications would have to be similarly replaced).

Why migrate at all?

> Is https://fedorahosted.org/freeipa/ticket/3656 something that's coming
> sooner or later to a future version of FreeIPA? Has anyone done a
> manual migration on a moderate-to-large setup?

Based on where it sits now, later seems more probable. I've always seen this as a way to avert catastrophe, like your only CA just died, not as a way to move between versions. So it depends on what your use case is, and if it's a good one, that could affect the timing of the work.

rob
