Re: [Freeipa-users] Another CentOS 6.x to CentOS 7.1 migration question
On 09/22/2015 05:06 AM, Robert Story wrote:
> I've followed the migration document
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> almost to the end.
>
> I'm at step 10, which stops everything on the old . My concern is all
> the installed servers that are pointing at the old system. That host name
> is hardcoded in sssd.conf all over my network, and we rely on freeIPA for
> centralized user management and ssh keys.
>
> My original system was auth.example, and the new one is auth-2.example. Is
> it safe to make auth.example a CNAME to auth-2.example? Or will something
> somewhere break if the ip address changes (and is pointing at a newer
> version of freeIPA)?

I wouldn't be too afraid of the IP address change, but rather the CNAME itself and Kerberos authentication against the CNAME'ed old FreeIPA server. But I think Alexander had some ideas how to make such setups work.

As for the clients, if you use DNS SRV records, you should be fine, even if the original server is listed in sssd.conf - well, as long as its server list also has "_srv_" in it, which ipa-client-install adds if the DNS SRV check passes.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Another CentOS 6.x to CentOS 7.1 migration question
On Tue, 22 Sep 2015, Martin Kosek wrote:
> On 09/22/2015 05:06 AM, Robert Story wrote:
>> I've followed the migration document
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>> almost to the end.
>>
>> I'm at step 10, which stops everything on the old . My concern is all
>> the installed servers that are pointing at the old system. That host name
>> is hardcoded in sssd.conf all over my network, and we rely on freeIPA for
>> centralized user management and ssh keys.
>>
>> My original system was auth.example, and the new one is auth-2.example. Is
>> it safe to make auth.example a CNAME to auth-2.example? Or will something
>> somewhere break if the ip address changes (and is pointing at a newer
>> version of freeIPA)?
>
> I wouldn't be too afraid of the IP address change, but rather the CNAME
> itself and Kerberos authentication against the CNAME'ed old FreeIPA server.
> But I think Alexander had some ideas how to make such setups work.

Yes, for this specific use case you can make auth.example a CNAME to auth-2.example. On the Kerberos level all systems will be asking for tickets to an A record behind the CNAME, so they will get a correct ticket to the service.

> As for the clients, if you use DNS SRV records, you should be fine, even if
> the original server is listed in sssd.conf - well, as long as its server list
> also has "_srv_" in it, which ipa-client-install adds if the DNS SRV check
> passes.

Correct.

--
/ Alexander Bokovoy

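An added example, not part of the thread: one way to check which clients depend on the old host name staying resolvable, by reading each IPA domain's `ipa_server` list in sssd.conf and looking for the `_srv_` entry mentioned above. The function name, status labels and sample configs are constructed for illustration; `id_provider` and `ipa_server` are assumed to be the sssd-ipa options in use.

```python
import configparser

# Constructed sample sssd.conf contents (not taken from the thread).
SAMPLE_WITH_SRV = """\
[sssd]
domains = example

[domain/example]
id_provider = ipa
ipa_server = _srv_, auth.example
"""

SAMPLE_HARDCODED = """\
[sssd]
domains = example

[domain/example]
id_provider = ipa
ipa_server = auth.example
"""


def audit_sssd_conf(text, old_server):
    """Return {domain: status} for each IPA domain section in sssd.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] etc. carry no server list
        if parser.get(section, "id_provider", fallback="") != "ipa":
            continue
        raw = parser.get(section, "ipa_server", fallback="")
        servers = [s.strip().lower() for s in raw.split(",") if s.strip()]
        if "_srv_" in servers:
            status = "srv-discovery"    # can locate servers through DNS SRV records
        elif old_server.lower() in servers:
            status = "needs-old-name"   # only reaches IPA if the old name resolves
        else:
            status = "other"
        report[section[len("domain/"):]] = status
    return report


if __name__ == "__main__":
    for label, text in (("with _srv_", SAMPLE_WITH_SRV), ("hardcoded", SAMPLE_HARDCODED)):
        print(label, audit_sssd_conf(text, "auth.example"))
```

Clients reported as `needs-old-name` are the ones for which the CNAME (or an edit to sssd.conf) matters before the old server is stopped.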
[Freeipa-users] Another CentOS 6.x to CentOS 7.1 migration question
I've followed the migration document
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
almost to the end.

I'm at step 10, which stops everything on the old . My concern is all the installed servers that are pointing at the old system. That host name is hardcoded in sssd.conf all over my network, and we rely on freeIPA for centralized user management and ssh keys.

My original system was auth.example, and the new one is auth-2.example. Is it safe to make auth.example a CNAME to auth-2.example? Or will something somewhere break if the ip address changes (and is pointing at a newer version of freeIPA)?

Robert

--
Senior Software Engineer @ Parsons