Re: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

2015-06-02 Thread Rob Crittenden

Martin Kosek wrote:

On 06/01/2015 02:19 AM, Sina Owolabi wrote:

Hi!

I am still stumbling along with this. I have had my IPA domain
destroyed, and currently only a CA-less replica is left running the
network.
The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.
I am trying to set up a fresh CA-master and I have exported the data in
the replica into ldif and bak folders in
/var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories.
I have copied these files and folders to the fresh install, which is
running RHEL7.1.
If I can complete an install, I plan to destroy the existing replica
and install from scratch 2 new ones just to be safe.

Please can someone direct me in properly editing the ldif file or the
bak archivedir to make it useful for the new CA master? I have already
deleted the existing replication agreements between the CA-less
replica and the lost CA master (the new fresh install is the same
hostname).
Importing data is successful, but then IPA refuses to run afterwards
with different error messages.

Thanks for any light shown my way.



Let me reiterate to see if I understood your scenario correctly:

- you had CA-powered FreeIPA infrastructure, with just one FreeIPA
server with CA service running
- the single FreeIPA+CA server was lost (I would suggest having more of
those in the future or using backup (snapshot or ipa-backup))
- you now want to install a brand new FreeIPA server and add data from
the old FreeIPA installation.

This is quite tricky; you can just add data from the old FreeIPA server to
the new server - the new FreeIPA server will have a different Kerberos
master key and a different CA key. All this and derived data would be
invalid. If you backed up the FreeIPA+CA master, I assume the PKI could
be recreated, but it does not seem to be the case.

In that case, I am afraid you would need to start a new infrastructure
and migrate the old data. I put a short description on how to migrate one
FreeIPA to another FreeIPA on the wiki:

https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA


I guess it depends on what data you want/need to preserve from the 
original IPA installation and calculate which is more time consuming: 
crafting an LDIF to import or re-adding the data manually.


If you want to import from an LDIF, in general you need to:
- exclude any IPA master information (hosts, services, cn=masters, etc.)
- exclude the admin user
- exclude any krbPrincipalKey values
- exclude any userCertificate values

You'll need to enable migration mode so your users can generate their 
Kerberos principal keys.


Also consider the UID range. If you installed the new master using the 
same range you'll probably want to modify the DNA range to mask out the 
already-assigned values.


If you used the same fqdn and REALM the import is easier.

You'll also need to re-enroll every client machine and browsers will 
need to re-import the CA cert. Expect conflicts.


I probably forgot some things too. It is not a super simple process 
though, and requires some understanding of IPA and its data.


So like I said, possible, but it can be problematic and expect several 
iterations of:


- import ldif
- test
- uninstall / reinstall
- goto import

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
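One way to mechanise Rob's exclusion list before running the import. This is an added example, not code from the thread or from FreeIPA; the base DN and the old master's FQDN are assumed placeholders, and the sample export is constructed.

```python
SUFFIX = "dc=mydom,dc=com"            # assumed base DN (placeholder)
OLD_MASTER = "services01.mydom.com"   # assumed FQDN of the lost CA master
DROP_ATTRS = {"krbprincipalkey", "usercertificate"}  # bound to the old master key / old CA
MASTER_DNS = (f"cn=masters,cn=ipa,cn=etc,{SUFFIX}", f"uid=admin,cn=users,cn=accounts,{SUFFIX}",
              f"fqdn={OLD_MASTER},cn=computers,cn=accounts,{SUFFIX}")  # Rob's exclusions

def entries(text):  # split an LDIF export into entries, unfolding ' '-continued lines
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith(("#", "version:")):
            lines.append(raw)
    return [e.strip().split("\n") for e in "\n".join(lines).split("\n\n") if e.strip()]

def attr(line):  # attribute name, lowercased, minus options such as ';binary'
    return line.split(":", 1)[0].split(";", 1)[0].lower()

def master_bound(entry):  # Rob's excluded entries plus the old master's service principals
    dn = entry[0].split(":", 1)[1].strip().lower()
    return dn.endswith(MASTER_DNS) or any(
        attr(l) == "krbprincipalname" and f"/{OLD_MASTER}@" in l.lower() for l in entry)

def sanitize(text):
    """Return (clean LDIF, dropped DNs); kept entries lose every DROP_ATTRS value."""
    kept, dropped = [], []
    for entry in entries(text):
        if master_bound(entry):
            dropped.append(entry[0])
        else:
            kept.append("\n".join(l for l in entry if attr(l) not in DROP_ATTRS))
    return "\n\n".join(kept) + "\n", dropped

SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=mydom,dc=com
krbPrincipalKey:: AAAA

dn: uid=jdoe,cn=users,cn=accounts,dc=mydom,dc=com
userPassword: {SSHA}constructed
krbPrincipalKey:: AAAA
userCertificate;binary:: MIIC
 constructed

dn: cn=services01.mydom.com,cn=masters,cn=ipa,cn=etc,dc=mydom,dc=com
cn: services01.mydom.com

dn: krbprincipalname=ldap/services01.mydom.com@MYDOM.COM,cn=services,cn=accounts,dc=mydom,dc=com
krbPrincipalName: ldap/services01.mydom.com@MYDOM.COM
"""  # constructed sample export, not real data
```

Stripping krbPrincipalKey is why migration mode is needed afterwards: users regenerate their keys at first login, and hosts whose keys were dropped have to be re-enrolled.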


Re: [Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

2015-06-02 Thread Sina Owolabi
Thanks Martin, Rob,

but I think I am totally lost. I was able to migrate-ds, but I think
along the way I broke the replica. Errors I am seeing in the ipa
clients are like so:

Jun  2 16:33:11 ipaclient1 [sssd[ldap_child[27865]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database
Jun  2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:33:12 ipaclient1 [sssd[ldap_child[27866]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database
Jun  2 16:33:57 ipaclient1 certmonger: Server failed request, will
retry: -504 (libcurl failed to execute the HTTP POST transaction.
Couldn't resolve host 'services01.mydom.com').
Jun  2 16:39:28 ipaclient1 certmonger: Server failed request, will
retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
Jun  2 16:44:59 ipaclient1 certmonger: Server failed request, will
retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29504]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Failed to
initialize credentials using keytab [default]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database.
Unable to create GSSAPI-encrypted LDAP connection.
Jun  2 16:48:12 ipaclient1 [sssd[ldap_child[29505]]]: Client
'host/ipaclient1.mydom@mydom.com' not found in Kerberos database


I've been editing and trying to import data from the ldif I was able
to export out of the CA-less replica. No luck so far.

On Tue, Jun 2, 2015 at 1:43 PM, Rob Crittenden rcrit...@redhat.com wrote:

[Freeipa-users] Help Needed Sanitizing ldif and/or bak data from CA-less Replica to import into fresh CA Master

2015-05-31 Thread Sina Owolabi
Hi!

I am still stumbling along with this. I have had my IPA domain
destroyed, and currently only a CA-less replica is left running the
network.
The existing CA-less replica is on RHEL6.6 with ipa-3.0.0.
I am trying to set up a fresh CA-master and I have exported the data in
the replica into ldif and bak folders in
/var/lib/dirsrv/slapd-MYDOM-COM/{ldif,bak} directories.
I have copied these files and folders to the fresh install, which is
running RHEL7.1.
If I can complete an install, I plan to destroy the existing replica
and install from scratch 2 new ones just to be safe.

Please can someone direct me in properly editing the ldif file or the
bak archivedir to make it useful for the new CA master? I have already
deleted the existing replication agreements between the CA-less
replica and the lost CA master (the new fresh install is the same
hostname).
Importing data is successful, but then IPA refuses to run afterwards
with different error messages.

Thanks for any light shown my way.
