Hi,

On Thu, Sep 22, 2011 at 03:05, Sergio Gelato <[email protected]> wrote:
> * Dan Scott [2011-09-21 18:33:42 -0400]:
>> I'm running Fedora's FreeIPA
>>
>> http://freeipa.org/
>>
>> and am in the process of migrating from version 1.2 to 2.1, which
>> requires a re-installation of the software and migration of the user
>> information.
>
> Is that true? Where is it documented? (I've just looked at the documentation
> for v2 and all I could find about upgrading was a suggestion to set up a
> test replica or two, isolate it from the production setup, then simply
> upgrade using yum. Have you tried this?)

No, I haven't, because two developers confirmed that I'd need to migrate:

https://www.redhat.com/archives/freeipa-users/2011-May/msg00250.html
https://www.redhat.com/archives/freeipa-users/2011-May/msg00251.html

Do you have a link for the mention of the yum upgrade?

> If it's true, it will be a reason to steer well clear of that product.
> From what I understand, the underlying KDC is MIT Kerberos, both in v1
> and in v2. It should be possible to upgrade that component in place, at
> least.

Well, it's a little late now, we're already running this system and I
imagine that a migration away from FreeIPA would be even more
troublesome. The integrated LDAP schema has changed significantly,
which I believe is why in-place upgrades aren't supported.

> Anyway, if you really must switch realms you should at least do it the
> proper way: pick some other name for the new realm, and use cross-realm
> trust as needed during the migration.

That's just it, the migration doesn't necessarily require a realm
switch. Maybe I do need to though, to accomplish what I want.

>> I have set up a new server running FreeIPA 2 and have
>> configured a client to authenticate against it. Now I would like to
>> allow this client to access our OpenAFS cell, which is why, I believe,
>> (this may be incorrect) I need to add a principal from the new
>> Kerberos server to the OpenAFS KeyFile. Then I can begin to migrate
>> other clients over to the new server, and eventually remove the old
>> server (re-install the new software).
>>
>> There may be a much easier way of accomplishing this, such as
>> importing the keytab from the current server into the new one? (Just
>> thought of that) :)
>
> You mean the KDC database? Yes, I would certainly hope so.

No, I just mean the afs/EXAMPLE.COM principal, can I get *identical*
principals on both the old and new servers, so that OpenAFS will
authenticate against either, simultaneously.

Thanks,
Dan
