On Fri, 2017-01-06 at 07:42 -0800, Ian Harding wrote:
> On 01/05/2017 07:17 AM, Rob Crittenden wrote:
> > Timothy Geier wrote:
> >> This is something I’ve looked at lately and a manual proof of concept I
> >> just did (using ideas from
> >> https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA)
> >> makes it seem theoretically possible (though it looks like, barring the
> >> migration of the kerberos master key, all enrolled hosts would need to
> >> use ipa-getkeytab to get a replacement keytab from the new server and
> >> copy it to /etc/krb5.keytab so that sssd will work properly..the
> >> alternative is re-enrollment. All other keytabs in use by other
> >> applications would have to be similarly replaced).
> > Why migrate at all?
> It is possible to get a FreeIPA installation so boogered up that it's
> just not salvageable. I'm pretty close to that right now. The
> replication model is really great but it replicates all my mistakes.
> Maybe I'm just not smart enough, but I suspect others have wished they
> could just throw in the towel and start over. I would if it were
> relatively easy, that is, if I could export and reimport users (ideally
> with passwords), hosts, groups, hbac rules, etc. I woudln't even mind
> having to re-enroll them.
My situation isn't quite there yet, but this is very close to my main
reason for wanting to do this type of migration..all of the big things
work and work well but there's too many little things that're not
fatally wrong right now but seem likely to turn into bigger issues down
the road and getting downtime to try to fix them just isn't going to
The method outlined by Mateusz Małek looks very interesting and worth
looking into..yes, definitely not trivial but doable.
> Ian Harding
> IT Director
> Brown Paper Tickets
> 1-800-838-3006 ext 7186
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project