Re: [Freeipa-users] FreeIPA Help

2017-02-22 Thread Florence Blanc-Renaud

On 02/22/2017 04:41 AM, Daniel Schimpfoessl wrote:

Is there a way for me to export my data (users, groups, ...), rebuild
the server and import the data again?

Daniel


Hi Daniel,

please keep the mailing list in CC as the content may also benefit other 
users with similar issues.


Does anyone have suggestions in order to fix the broken CA?
Thanks,
Flo


2017-02-09 12:33 GMT-06:00 Florence Renaud <mailto:fren...@redhat.com>:

Hi Daniel,

You can try to contact the mailing list for Dogtag (the certificate
system): pki-us...@redhat.com 

If possible, state which certificates were renewed (the CA cert, or
the one used by Dogtag server/http server/ldap server), and how
(automatically by certmonger when approaching the expiration or
manually, then provide the command used).

A customer recently hit an issue when renewing the CA cert, where
the subject name in the renewed cert was encoded differently and
thus not recognised as the same identity even though using the same
private key.
https://fedorahosted.org/pki/ticket/2587


Flo.



Sent from my iPad
On 8 Feb 2017 at 19:48, Daniel Schimpfoessl
<mailto:dan...@schimpfoessl.com> wrote:


Flo,

can you help me understand how to best get further help?
https://www.redhat.com/archives/freeipa-users/2017-January/msg00422.html


Thanks,

Daniel





--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Dmitri Pal
On 05/24/2013 01:32 PM, Loris Santamaria wrote:
> That tool would be great!
>
> For now if you are in a hurry you could dump your current domain with
> db2ldif, change suffixes, domain name, realm name in the ldif file, then
> load what you need on the new domain with ldapadd. Some extra advice:
>
>  - AFAIK you can't migrate Kerberos keys, so just keep the
> krbPrincipalName of the users/services/hosts, and ignore the rest of the
> krb* attributes. Change the realm name in the krbPrincipalName
> attributes
>
>  - certs are a grey area, the old ones will still be valid, you should
> consider if you will need them or not
>
>  - Don't mess with the cn=kerberos and cn=etc containers in the new
> domain 
>
>  - You should manually join the hosts to the new domain and issue new
> service keytabs. This is the most tedious and error-prone part.

Yes, but this is where presumably OpenLMI + realmd should come to the rescue.
You should be able to remotely script the whole procedure and run one
script to connect to a bunch of machines, make them leave the domain they
are in and then join a new domain. It should be no more than a dozen lines
of script code.
This would be possible with the latest Fedora 19 bits, just FYI.

Once these projects become available we should probably create a
procedure and a script.
https://fedorahosted.org/freeipa/ticket/3657

>
>  
>
> On Fri, 24-05-2013 at 10:52 -0400, Ainsworth, Thomas wrote:
>> Fellows,
>>
>> That capability would be awesome!  Just what I need...
>>
>> Let me know if it is possible and what kind of time frame you expect
>> it to happen...
>>
>> Thanks,
>>
>> Tom 
>>
>> On Fri, May 24, 2013 at 10:18 AM, Martin Kosek wrote:
>> On 05/24/2013 03:34 PM, Simo Sorce wrote:
>> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>> >> Greetings,
>> >>
>> >> I was told to bring my issue to this distribution.
>> >>
>> >> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>> >> Authentication server.  After a month of headaches I finally got it to
>> >> work - Then I realized it would be a monster to maintain.  Then a peer
>> >> asked me to have a look at FreeIPA. Wow.  Installed it - was amazed.
>> >> Runs great.  We love it.
>> >>
>> >> ...A few days ago, I was notified I have to change my domain/REALM in
>> >> FreeIPA.  I read the manual, google searches ... crickets.  I hear
>> >> crickets.  I started spitting blood in the trash can.
>> >>
>> >> I joined a forum and asked for any information, and I was pointed
>> >> here, so...here goes...
>> >>
>> >>
>> >> My Current Configuration
>> >>
>> >> - We have two (2) servers.  Both are installed with
>> >>   ipa-server-3.0.0-26.el6_4.2.x86_64.
>> >>   One is a replica server.
>> >>
>> >> Domain:  my.network.domain
>> >> Realm:   MY.NETWORK.DOMAIN
>> >>
>> >>
>> >> New Proposed Configuration
>> >>
>> >> Domain: my.local.network.domain
>> >> Realm:  MY.LOCAL.NETWORK.DOMAIN
>> >>
>> >>
>> >> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>> >> does everything under the hood for you, and the horror is that it does
>> >> everything under the hood for you!  There seem to be so many tentacles
>> >> with KERBEROS that I am afraid of jacking something up.
>> >>
>> >> Now, I have written a script that uses ipa to create all of my users -
>> >> except the passwords.  So, what I was thinking is to shut down the
>> >> replica server, re-kick it, re-install FreeIPA with the new domain/REALM
>> >> and then run my deploy users script.  It would be my new master.  But
>> >> then I would have to have "each" user log in and change their password.
>> >> Then take the second server and make it the replica.
>> >>
>> >> Question #1:  Is this a stupid idea?  Is there a way (documented or
>> >> not) that I can simply change my domain/REALM?  Am I making this too
>> >> hard?
>> >>
>> >> Question #2: Is there a way to backup the users passwords and then
>> >> after I re-kick, install ipa and create my users ... I can simply
>> >> "import" this information into the new ipa instance.
>> >>
>> >> Any and all suggestions are greatly appreciated...
>> >
>> > I would look at the migration pages. You can probably use migration mode
>> > to migrate user data

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Loris Santamaria
That tool would be great!

For now if you are in a hurry you could dump your current domain with
db2ldif, change suffixes, domain name, realm name in the ldif file, then
load what you need on the new domain with ldapadd. Some extra advice:

 - AFAIK you can't migrate Kerberos keys, so just keep the
krbPrincipalName of the users/services/hosts, and ignore the rest of the
krb* attributes. Change the realm name in the krbPrincipalName
attributes

 - certs are a grey area, the old ones will still be valid, you should
consider if you will need them or not

 - Don't mess with the cn=kerberos and cn=etc containers in the new
domain 

 - You should manually join the hosts to the new domain and issue new
service keytabs. This is the most tedious and error-prone part.

 

On Fri, 24-05-2013 at 10:52 -0400, Ainsworth, Thomas wrote:
> Fellows,
> 
> That capability would be awesome!  Just what I need...
> 
> Let me know if it is possible and what kind of time frame you expect
> it to happen...
> 
> Thanks,
> 
> Tom 
> 
> On Fri, May 24, 2013 at 10:18 AM, Martin Kosek wrote:
> On 05/24/2013 03:34 PM, Simo Sorce wrote:
> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> >> Greetings,
> >>
> >> I was told to bring my issue to this distribution.
> >>
> >> Six months or so ago I was tasked with setting up a Kerberos/LDAP
> >> Authentication server.  After a month of headaches I finally got it to
> >> work - Then I realized it would be a monster to maintain.  Then a peer
> >> asked me to have a look at FreeIPA. Wow.  Installed it - was amazed.
> >> Runs great.  We love it.
> >>
> >> ...A few days ago, I was notified I have to change my domain/REALM in
> >> FreeIPA.  I read the manual, google searches ... crickets.  I hear
> >> crickets.  I started spitting blood in the trash can.
> >>
> >> I joined a forum and asked for any information, and I was pointed
> >> here, so...here goes...
> >>
> >>
> >> My Current Configuration
> >>
> >> - We have two (2) servers.  Both are installed with
> >>   ipa-server-3.0.0-26.el6_4.2.x86_64.
> >>   One is a replica server.
> >>
> >> Domain:  my.network.domain
> >> Realm:   MY.NETWORK.DOMAIN
> >>
> >>
> >> New Proposed Configuration
> >>
> >> Domain: my.local.network.domain
> >> Realm:  MY.LOCAL.NETWORK.DOMAIN
> >>
> >>
> >> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
> >> does everything under the hood for you, and the horror is that it does
> >> everything under the hood for you!  There seem to be so many tentacles
> >> with KERBEROS that I am afraid of jacking something up.
> >>
> >> Now, I have written a script that uses ipa to create all of my users -
> >> except the passwords.  So, what I was thinking is to shut down the
> >> replica server, re-kick it, re-install FreeIPA with the new domain/REALM
> >> and then run my deploy users script.  It would be my new master.  But
> >> then I would have to have "each" user log in and change their password.
> >> Then take the second server and make it the replica.
> >>
> >> Question #1:  Is this a stupid idea?  Is there a way (documented or
> >> not) that I can simply change my domain/REALM?  Am I making this too
> >> hard?
> >>
> >> Question #2: Is there a way to backup the users passwords and then
> >> after I re-kick, install ipa and create my users ... I can simply
> >> "import" this information into the new ipa instance.
> >>
> >> Any and all suggestions are greatly appreciated...
> >
> > I would look at the migration pages. You can probably use migration mode
> > to migrate user data from one FreeIPA install to the other and then the
> > migration mode of sssd to validate and recompute the Kerberos keys.
> >
> >
> > See this for some guidance:
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> >
> > Simo.
> >
>
> Simo, on a side note - I am thinking, would it make sense to create a new
> command "ipa migrate-ipa" which would migrate data from another IPA
> installation?
> I.e. it would migrate u

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Rob Crittenden

Sigbjorn Lie wrote:

Me too. +1 for ipa to ipa migration.


I filed a ticket to track this, https://fedorahosted.org/freeipa/ticket/3656

rob



Martin Kosek wrote:

On 05/24/2013 03:34 PM, Simo Sorce wrote:

On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:

Greetings,

I was told to bring my issue to this distribution.

Six months or so ago I was tasked with setting up a Kerberos/LDAP
Authentication server.  After a month of headaches I finally got it to
work - Then I realized it would be a monster to maintain.  Then a peer
asked me to have a look at FreeIPA. Wow.  Installed it - was amazed.
Runs great.  We love it.

...A few days ago, I was notified I have to change my domain/REALM in
FreeIPA.  I read the manual, google searches ... crickets.  I hear
crickets.  I started spitting blood in the trash can.

I joined a forum and asked for any information, and I was pointed
here, so...here goes...


My Current Configuration

- We have two (2) servers.  Both are installed with
  ipa-server-3.0.0-26.el6_4.2.x86_64.
  One is a replica server.

Domain:  my.network.domain
Realm:   MY.NETWORK.DOMAIN


New Proposed Configuration

Domain: my.local.network.domain
Realm:  MY.LOCAL.NETWORK.DOMAIN


Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
does everything under the hood for you, and the horror is that it does
everything under the hood for you!  There seem to be so many tentacles
with KERBEROS that I am afraid of jacking something up.

Now, I have written a script that uses ipa to create all of my users -
except the passwords.  So, what I was thinking is to shut down the
replica server, re-kick it, re-install FreeIPA with the new domain/REALM
and then run my deploy users script.  It would be my new master.  But
then I would have to have "each" user log in and change their password.
Then take the second server and make it the replica.

Question #1:  Is this a stupid idea?  Is there a way (documented or
not) that I can simply change my domain/REALM?  Am I making this too
hard?

Question #2: Is there a way to backup the users passwords and then
after I re-kick, install ipa and create my users ... I can simply
"import" this information into the new ipa instance.

Any and all suggestions are greatly appreciated...


I would look at the migration pages. You can probably use migration mode
to migrate user data from one FreeIPA install to the other and then the
migration mode of sssd to validate and recompute the Kerberos keys.


See this for some guidance:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html


Simo.



Simo, on a side note - I am thinking, would it make sense to create a new
command "ipa migrate-ipa" which would migrate data from another IPA
installation?
I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?

I came across several use cases where creating a replica was not an
option and migration like this would have been beneficial.

Martin
u
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Sigbjorn Lie
Me too. +1 for ipa to ipa migration. 

Martin Kosek  wrote:

>On 05/24/2013 03:34 PM, Simo Sorce wrote:
>> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>>> Greetings,
>>>
>>> I was told to bring my issue to this distribution.
>>>
>>> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>>> Authentication server.  After a month of headaches I finally got it to
>>> work - Then I realized it would be a monster to maintain.  Then a peer
>>> asked me to have a look at FreeIPA. Wow.  Installed it - was amazed.
>>> Runs great.  We love it.
>>>
>>> ...A few days ago, I was notified I have to change my domain/REALM in
>>> FreeIPA.  I read the manual, google searches ... crickets.  I hear
>>> crickets.  I started spitting blood in the trash can.
>>>
>>> I joined a forum and asked for any information, and I was pointed
>>> here, so...here goes...
>>>
>>>
>>> My Current Configuration
>>>
>>> - We have two (2) servers.  Both are installed with
>>>   ipa-server-3.0.0-26.el6_4.2.x86_64.
>>>   One is a replica server.
>>>
>>> Domain:  my.network.domain
>>> Realm:   MY.NETWORK.DOMAIN
>>>
>>>
>>> New Proposed Configuration
>>>
>>> Domain: my.local.network.domain
>>> Realm:  MY.LOCAL.NETWORK.DOMAIN
>>>
>>>
>>> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>>> does everything under the hood for you, and the horror is that it does
>>> everything under the hood for you!  There seem to be so many tentacles
>>> with KERBEROS that I am afraid of jacking something up.
>>>
>>> Now, I have written a script that uses ipa to create all of my users -
>>> except the passwords.  So, what I was thinking is to shut down the
>>> replica server, re-kick it, re-install FreeIPA with the new domain/REALM
>>> and then run my deploy users script.  It would be my new master.  But
>>> then I would have to have "each" user log in and change their password.
>>> Then take the second server and make it the replica.
>>>
>>> Question #1:  Is this a stupid idea?  Is there a way (documented or
>>> not) that I can simply change my domain/REALM?  Am I making this too
>>> hard?
>>>
>>> Question #2: Is there a way to backup the users passwords and then
>>> after I re-kick, install ipa and create my users ... I can simply
>>> "import" this information into the new ipa instance.
>>>
>>> Any and all suggestions are greatly appreciated...
>>
>> I would look at the migration pages. You can probably use migration mode
>> to migrate user data from one FreeIPA install to the other and then the
>> migration mode of sssd to validate and recompute the Kerberos keys.
>>
>>
>> See this for some guidance:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
>>
>> Simo.
>>
>
>Simo, on a side note - I am thinking, would it make sense to create a new
>command "ipa migrate-ipa" which would migrate data from another IPA
>installation?
>I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
>
>I came across several use cases where creating a replica was not an
>option and migration like this would have been beneficial.
>
>Martin
>u

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.



Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Ainsworth, Thomas
Fellows,

That capability would be awesome!  Just what I need...

Let me know if it is possible and what kind of time frame you expect it to
happen...

Thanks,

Tom

On Fri, May 24, 2013 at 10:18 AM, Martin Kosek  wrote:

> On 05/24/2013 03:34 PM, Simo Sorce wrote:
> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> >> Greetings,
> >>
> >> I was told to bring my issue to this distribution.
> >>
> >> Six months or so ago I was tasked with setting up a Kerberos/LDAP
> >> Authentication server.  After a
> >> month of headaches I finally got it to work - Then I realized it would
> >> be a monster to maintain.  Then a
> >> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
> >> amazed.  Runs great.  We love it.
> >>
> >> ...A few days ago, I was notified I have to change my domain/REALM in
> >> FreeIPA.  I read the manual,
> >> google searches ... crickets.  I hear crickets.  I started spitting
> >> blood in the trash can.
> >>
> >> I joined a forum and asked for any information, and I was pointed
> >> here, so...here goes...
> >>
> >>
> >> My Current Configuration
> >>
> >> - We have two (2) servers.  Both are installed with
> >> ipa-server-3.0.0-26.el6_4.2.x86_64.
> >>   One is a replica server.
> >>
> >> Domain:  my.network.domain
> >> Realm:   MY.NETWORK.DOMAIN
> >>
> >>
> >> New Proposed Configuration
> >>
> >> Domain: my.local.network.domain
> >> Realm: MY.LOCAL.NETWORK.DOMAIN
> >>
> >>
> >>
> >> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
> >> does everything under the hood for you,
> >> and the horror is that it does everything under the hood for you!
> >> There seem to be so many tentacles with
> >> KERBEROS that I am afraid of jacking something up.
> >>
> >> Now, I have written a script that uses ipa to create all of my users -
> >> except the passwords.  So, what I was thinking
> >> is to shut down the replica server, re-kick it, re-install FreeIPA
> >> with the new domain/REALM and then run my deploy
> >> users script.  It would be my new master.  But then I would have to
> >> have "each" user log in and change their password.
> >> Then take the second server and make it the replica.
> >>
> >> Question #1:  Is this a stupid idea?  Is there a way (documented or
> >> not) that I can simply change my domain/REALM?
> >> Am I making this too hard?
> >>
> >> Question #2: Is there a way to backup the users passwords and then
> >> after I re-kick, install ipa and create my users ... I
> >>can simply "import" this information into the new
> >> ipa instance.
> >>
> >> Any and all suggestions are greatly appreciated...
> >
> > I would look at the migration pages. You can probably use migration mode
> > to migrate user data from one FreeIPA install to the other and then the
> > migration mode of sssd to validate and recompute the Kerberos keys.
> >
> >
> > See this for some guidance:
> >
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> >
> > Simo.
> >
>
> Simo, on a side note - I am thinking, would it make sense to create a new
> command "ipa migrate-ipa" which would migrate data from another IPA
> installation?
> I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
>
> I came across several use cases where creating a replica was not an
> option and
> migration like this would have been beneficial.
>
> Martin
>

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Simo Sorce
On Fri, 2013-05-24 at 16:18 +0200, Martin Kosek wrote:
> On 05/24/2013 03:34 PM, Simo Sorce wrote:
> > On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> >> Greetings,
> >>
> >> I was told to bring my issue to this distribution.
> >>
> >> Six months or so ago I was tasked with setting up a Kerberos/LDAP
> >> Authentication server.  After a 
> >> month of headaches I finally got it to work - Then I realized it would
> >> be a monster to maintain.  Then a 
> >> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
> >> amazed.  Runs great.  We love it.
> >>
> >> ...A few days ago, I was notified I have to change my domain/REALM in
> >> FreeIPA.  I read the manual,
> >> google searches ... crickets.  I hear crickets.  I started spitting
> >> blood in the trash can.
> >>
> >> I joined a forum and asked for any information, and I was pointed
> >> here, so...here goes...
> >>
> >>
> >> My Current Configuration
> >>
> >> - We have two (2) servers.  Both are installed with
> >> ipa-server-3.0.0-26.el6_4.2.x86_64.
> >>   One is a replica server.
> >>
> >> Domain:  my.network.domain
> >> Realm:   MY.NETWORK.DOMAIN
> >>
> >>
> >> New Proposed Configuration
> >>
> >> Domain: my.local.network.domain
> >> Realm: MY.LOCAL.NETWORK.DOMAIN
> >>
> >>
> >>
> >> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
> >> does everything under the hood for you,
> >> and the horror is that it does everything under the hood for you!
> >> There seem to be so many tentacles with 
> >> KERBEROS that I am afraid of jacking something up.  
> >>
> >> Now, I have written a script that uses ipa to create all of my users -
> >> except the passwords.  So, what I was thinking 
> >> is to shut down the replica server, re-kick it, re-install FreeIPA
> >> with the new domain/REALM and then run my deploy 
> >> users script.  It would be my new master.  But then I would have to
> >> have "each" user log in and change their password.  
> >> Then take the second server and make it the replica.
> >>
> >> Question #1:  Is this a stupid idea?  Is there a way (documented or
> >> not) that I can simply change my domain/REALM?  
> >> Am I making this too hard?
> >>
> >> Question #2: Is there a way to backup the users passwords and then
> >> after I re-kick, install ipa and create my users ... I 
> >>can simply "import" this information into the new
> >> ipa instance.
> >>
> >> Any and all suggestions are greatly appreciated...
> > 
> > I would look at the migration pages. You can probably use migration mode
> > to migrate user data from one FreeIPA install to the other and then the
> > migration mode of sssd to validate and recompute the Kerberos keys.
> > 
> > 
> > See this for some guidance:
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> > 
> > Simo.
> > 
> 
> Simo, on a side note - I am thinking, would it make sense to create a new
> command "ipa migrate-ipa" which would migrate data from another IPA
> installation?
> I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
> 
> I came across several use cases where creating a replica was not an option
> and
> migration like this would have been beneficial.

I am not opposed :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Natxo Asenjo
On Fri, May 24, 2013 at 4:18 PM, Martin Kosek  wrote:

>
> Simo, on a side note - I am thinking, would it make sense to create a new
> command "ipa migrate-ipa" which would migrate data from another IPA
> installation?
> I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?
>
> I came across several use cases where creating a replica was not an
> option and
> migration like this would have been beneficial.
>
>
Oh yes, certainly. Something like the ADMT (AD migration tools) would be
incredibly helpful for mergers, acquisitions, etc.

-- 
groet,
natxo

Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Anthony Messina
On Friday, May 24, 2013 04:18:20 PM Martin Kosek wrote:
> > I would look at the migration pages. You can probably use migration mode
> > to migrate user data from one FreeIPA install to the other and then the
> > migration mode of sssd to validate and recompute the Kerberos keys.
> >
> > 
> > 
> >
> > See this for some guidance:
> > https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> > 
> >
> > Simo.
> >
> > 
> 
> Simo, on a side note - I am thinking, would it make sense to create a new
> command "ipa migrate-ipa" which would migrate data from another IPA
> installation? I.e. it would migrate users, groups, hosts, sudo, hbac,
> automount, etc?
> 
> I came across several use cases where creating a replica was not an option
> and migration like this would have been beneficial.
> 
> Martin

From a small-time FreeIPA user's perspective, this is *exactly* what I'm
looking for :)  Just my $0.02.  Thanks.  -A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E



Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Martin Kosek
On 05/24/2013 03:34 PM, Simo Sorce wrote:
> On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
>> Greetings,
>>
>> I was told to bring my issue to this distribution.
>>
>> Six months or so ago I was tasked with setting up a Kerberos/LDAP
>> Authentication server.  After a 
>> month of headaches I finally got it to work - Then I realized it would
>> be a monster to maintain.  Then a 
>> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
>> amazed.  Runs great.  We love it.
>>
>> ...A few days ago, I was notified I have to change my domain/REALM in
>> FreeIPA.  I read the manual,
>> google searches ... crickets.  I hear crickets.  I started spitting
>> blood in the trash can.
>>
>> I joined a forum and asked for any information, and I was pointed
>> here, so...here goes...
>>
>>
>> My Current Configuration
>>
>> - We have two (2) servers.  Both are installed with
>> ipa-server-3.0.0-26.el6_4.2.x86_64.
>>   One is a replica server.
>>
>> Domain:  my.network.domain
>> Realm:   MY.NETWORK.DOMAIN
>>
>>
>> New Proposed Configuration
>>
>> Domain: my.local.network.domain
>> Realm: MY.LOCAL.NETWORK.DOMAIN
>>
>>
>>
>> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
>> does everything under the hood for you,
>> and the horror is that it does everything under the hood for you!
>> There seem to be so many tentacles with 
>> KERBEROS that I am afraid of jacking something up.  
>>
>> Now, I have written a script that uses ipa to create all of my users -
>> except the passwords.  So, what I was thinking 
>> is to shut down the replica server, re-kick it, re-install FreeIPA
>> with the new domain/REALM and then run my deploy 
>> users script.  It would be my new master.  But then I would have to
>> have "each" user log in and change their password.  
>> Then take the second server and make it the replica.
>>
>> Question #1:  Is this a stupid idea?  Is there a way (documented or
>> not) that I can simply change my domain/REALM?  
>> Am I making this too hard?
>>
>> Question #2: Is there a way to backup the users passwords and then
>> after I re-kick, install ipa and create my users ... I 
>>can simply "import" this information into the new
>> ipa instance.
>>
>> Any and all suggestions are greatly appreciated...
> 
> I would look at the migration pages. You can probably use migration mode
> to migrate user data from one FreeIPA install to the other and then the
> migration mode of sssd to validate and recompute the Kerberos keys.
> 
> 
> See this for some guidance:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html
> 
> Simo.
> 

Simo, on a side note - I am thinking, would it make sense to create a new
command "ipa migrate-ipa" which would migrate data from another IPA installation?
I.e. it would migrate users, groups, hosts, sudo, hbac, automount, etc?

I came across several use cases where creating a replica was not an option and
migration like this would have been beneficial.

Martin



Re: [Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Simo Sorce
On Fri, 2013-05-24 at 07:44 -0400, Ainsworth, Thomas wrote:
> Greetings,
> 
> I was told to bring my issue to this distribution.
> 
> Six months or so ago I was tasked with setting up a Kerberos/LDAP
> Authentication server.  After a 
> month of headaches I finally got it to work - Then I realized it would
> be a monster to maintain.  Then a 
> peer asked me to have a look at FreeIPA. Wow.  Installed it - was
> amazed.  Runs great.  We love it.
> 
> ...A few days ago, I was notified I have to change my domain/REALM in
> FreeIPA.  I read the manual,
> google searches ... crickets.  I hear crickets.  I started spitting
> blood in the trash can.
> 
> I joined a forum and asked for any information, and I was pointed
> here, so...here goes...
> 
> 
> My Current Configuration
> 
> - We have two (2) servers.  Both are installed with
> ipa-server-3.0.0-26.el6_4.2.x86_64.
>   One is a replica server.
> 
> Domain:  my.network.domain
> Realm:   MY.NETWORK.DOMAIN
> 
> 
> New Proposed Configuration
> 
> Domain: my.local.network.domain
> Realm: MY.LOCAL.NETWORK.DOMAIN
> 
> 
> 
> Sounds easy - but the paradox is ... the beauty of FreeIPA is that it
> does everything under the hood for you,
> and the horror is that it does everything under the hood for you!
> There seem to be so many tentacles with 
> KERBEROS that I am afraid of jacking something up.  
> 
> Now, I have written a script that uses ipa to create all of my users -
> except the passwords.  So, what I was thinking 
> is to shut down the replica server, re-kick it, re-install FreeIPA
> with the new domain/REALM and then run my deploy 
> users script.  It would be my new master.  But then I would have to
> have "each" user log in and change their password.  
> Then take the second server and make it the replica.
> 
> Question #1:  Is this a stupid idea?  Is there a way (documented or
> not) that I can simply change my domain/REALM?  
> Am I making this too hard?
> 
> Question #2: Is there a way to backup the users passwords and then
> after I re-kick, install ipa and create my users ... I 
>can simply "import" this information into the new
> ipa instance.
> 
> Any and all suggestions are greatly appreciated...

I would look at the migration pages. You can probably use migration mode
to migrate user data from one FreeIPA install to the other and then the
migration mode of sssd to validate and recompute the Kerberos keys.


See this for some guidance:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Migrating_from_a_Directory_Server_to_IPA.html

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-users] FreeIPA - Help ...

2013-05-24 Thread Ainsworth, Thomas
Greetings,

I was told to bring my issue to this distribution.

Six months or so ago I was tasked with setting up a Kerberos/LDAP
Authentication server.  After a
month of headaches I finally got it to work - Then I realized it would be a
monster to maintain.  Then a
peer asked me to have a look at *FreeIPA*. Wow.  Installed it - was amazed.
 Runs great.  We love it.

...A few days ago, I was notified I have to *change* my domain/REALM in
FreeIPA.  I read the manual,
google searches ... crickets.  I hear crickets.  I started spitting blood
in the trash can.

I joined a forum and asked for any information, and I was pointed
here, so...here goes...


*My Current Configuration*

- We have two (2) servers.  Both are installed with
  *ipa-server-3.0.0-26.el6_4.2.x86_64*.
  One is a replica server.

Domain:  my.network.domain
Realm:   MY.NETWORK.DOMAIN


*New Proposed Configuration*

Domain: my.local.network.domain
Realm: MY.LOCAL.NETWORK.DOMAIN



Sounds easy - but the paradox is ... the beauty of FreeIPA is that it does
everything under the hood for you,
and the horror is that it does everything under the hood for you!  There
seem to be so many tentacles with
KERBEROS that I am afraid of jacking something up.

Now, I have written a script that uses ipa to create all of my users -
except the passwords.  So, what I was thinking
is to shut down the replica server, re-kick it, re-install FreeIPA with the
new domain/REALM and then run my deploy
users script.  It would be my new master.  But then I would have to have
"each" user log in and change their password.
Then take the second server and make it the replica.

Question #1:  Is this a stupid idea?  Is there a way (documented or not)
that I can simply change my domain/REALM?
Am I making this too hard?

Question #2: Is there a way to backup the users *passwords* and then after
I re-kick, install ipa and create my users ... I can simply "import" this
information into the new ipa instance.

*Any and all suggestions are greatly appreciated...*

tja