[Freeipa-users] How to backup / restore the FreeIPA server?
Hi guys,

We are going to use the FreeIPA v2.2.0 (the latest one available on CentOS 6.3) and would like to know if there is a way to do a complete backup / restore of the server database for disaster recovery purposes?

I have been able to successfully export the userRoot db ldif via db2ldif, make some changes, then import the ldif via ldif2db. However when I try to build a new server with the same hostname, then import the ldif, that does not work. The import is successful, however when trying to log in to IPA web GUI, I get an error that the admin password has expired.

Here is the output when trying to change the password (I have restarted krb5kdc service at this point, as it was coming up with a different error):

KRB5_TRACE=/dev/stdout kinit admin
[10814] 1356353589.809893: Getting initial credentials for ad...@co.yb.lmax
[10814] 1356353589.871805: Sending request (176 bytes) to CO.YB.LMAX
[10814] 1356353589.879177: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.09: Received answer from dgram 10.81.10.234:88
[10814] 1356353589.93: Response was not from master KDC
[10814] 1356353589.888941: Received error from KDC: -1765328361/Password has expired
[10814] 1356353589.888969: Retrying AS request with master KDC
[10814] 1356353589.888976: Getting initial credentials for ad...@co.yb.lmax
[10814] 1356353589.889033: Sending request (176 bytes) to CO.YB.LMAX (master)
[10814] 1356353589.889087: Principal expired; getting changepw ticket
[10814] 1356353589.889111: Getting initial credentials for ad...@co.yb.lmax
[10814] 1356353589.889148: Setting initial creds service to
[10814] 1356353589.889208: Sending request (174 bytes) to CO.YB.LMAX
[10814] 1356353589.889516: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353589.901098: Received answer from dgram 10.81.10.234:88
[10814] 1356353589.901326: Response was not from master KDC
[10814] 1356353589.901340: Received error from KDC: -1765328359/Additional pre-authentication required
[10814] 1356353589.901596: Processing preauth types: 2, 136, 19, 133
[10814] 1356353589.901818: Selected etype info: etype aes256-cts, salt ^XEd/E2,L]'Zs), params
[10814] 1356353589.901825: Received cookie: MIT
Password for ad...@co.yb.lmax:
[10814] 1356353596.402451: AS key obtained for encrypted timestamp: aes256-cts/78C9
[10814] 1356353596.402608: Encrypted timestamp (for 1356353596.402519): plain 301AA011180F32303132313232343132353331365AA1050203062457, encrypted 491EF490A7BFF756A7681BE9271E7925CCA41CC95916282FEFC3375FFBDC0B2A2E18B8501E81E1E14310762BC15351FE549633ABAB0CAB53
[10814] 1356353596.402627: Produced preauth for next request: 133, 2
[10814] 1356353596.402648: Sending request (269 bytes) to CO.YB.LMAX
[10814] 1356353596.404303: Sending initial UDP request to dgram 10.81.10.234:88
[10814] 1356353596.447924: Received answer from dgram 10.81.10.234:88
[10814] 1356353596.448011: Response was not from master KDC
[10814] 1356353596.448077: Processing preauth types: 19
[10814] 1356353596.448094: Selected etype info: etype aes256-cts, salt ^XEd/E2,L]'Zs), params
[10814] 1356353596.448105: Produced preauth for next request: (empty)
[10814] 1356353596.448116: AS key determined by preauth: aes256-cts/78C9
[10814] 1356353596.448295: Decrypted AS reply; session key is: aes256-cts/A68E
[10814] 1356353596.448376: FAST negotiation: available
[10814] 1356353596.448483: Attempting password change; 3 tries remaining
Password expired. You must change it now.
Enter new password:
Enter it again:
[10814] 1356353604.147282: Creating authenticator for ad...@co.yb.lmax - kadmin/chang...@co.yb.lmax, seqnum 0, subkey aes256-cts/E782, session key aes256-cts/A68E
[10814] 1356353604.148689: Sending initial UDP request to dgram 10.81.10.234:464
[10814] 1356353604.154628: Received answer from dgram 10.81.10.234:464
kinit: Password change failed while getting initial credentials

Thanks in advance for your help

Viktor Mendes
Systems Administrator
viktor.men...@lmax.com | http://www.LMAX.com
LMAX, Yellow Building, 1a Nicholas Road, London. W11 4AN
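Added example, not part of the original post and not FreeIPA or MIT krb5 code: a small triage script for a `KRB5_TRACE` capture like the one above. It converts the KDC's com_err codes to RFC 4120 error numbers and reports whether the AS reply was decrypted and which service the client last contacted before `kinit` gave up. The sample lines are constructed in the shape of the posted trace with a placeholder address, and the names `triage`, `SERVICES` and `RFC4120` are illustrative.

```python
import re

# Base of the krb5 com_err table: code - base is the RFC 4120 error number.
KRB5_TABLE_BASE = -1765328384
RFC4120 = {23: "KDC_ERR_KEY_EXPIRED", 25: "KDC_ERR_PREAUTH_REQUIRED"}
SERVICES = {88: "kdc", 464: "kpasswd"}

# Constructed sample in the shape of the trace above (placeholder address).
SAMPLE = """\
[10814] 1356353589.879177: Sending initial UDP request to dgram 192.0.2.10:88
[10814] 1356353589.888941: Received error from KDC: -1765328361/Password has expired
[10814] 1356353589.889516: Sending initial UDP request to dgram 192.0.2.10:88
[10814] 1356353589.901340: Received error from KDC: -1765328359/Additional pre-authentication required
[10814] 1356353596.448295: Decrypted AS reply; session key is: aes256-cts/A68E
[10814] 1356353604.148689: Sending initial UDP request to dgram 192.0.2.10:464
[10814] 1356353604.154628: Received answer from dgram 192.0.2.10:464
kinit: Password change failed while getting initial credentials
"""

TRACE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")
SEND = re.compile(r"Sending initial \w+ request to \w+ [\d.]+:(\d+)$")
KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/")


def triage(trace):
    """Summarise a kinit KRB5_TRACE: KDC errors, AS result, failing service."""
    report = {"kdc_errors": [], "as_reply_decrypted": False, "failed_at": None}
    last_service = None
    for line in trace.splitlines():
        m = TRACE.match(line.strip())
        if not m:
            # Untraced client output, e.g. the final "kinit: ..." error line.
            if line.startswith("kinit:"):
                report["failed_at"] = last_service
            continue
        msg = m.group(1)
        if (s := SEND.search(msg)):
            port = int(s.group(1))
            last_service = SERVICES.get(port, f"port {port}")
        elif (e := KDC_ERR.search(msg)):
            num = int(e.group(1)) - KRB5_TABLE_BASE
            report["kdc_errors"].append((num, RFC4120.get(num, "unknown")))
        elif msg.startswith("Decrypted AS reply"):
            report["as_reply_decrypted"] = True
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On this input the report shows a decrypted AS reply, so the typed password matched the stored key, and the last service contacted before the failure is the password-change service on port 464 rather than the KDC on port 88.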
Re: [Freeipa-users] How to backup / restore the FreeIPA server?
On 12/24/2012 08:11 AM, Viktor Mendes wrote:

> Hi guys,
>
> We are going to use the FreeIPA v2.2.0 (the latest one available on CentOS 6.3) and would like to know if there is a way to do a complete backup / restore of the server database for disaster recovery purposes?

Please see the thread about Backup and Restore earlier this month.
https://www.redhat.com/archives/freeipa-users/2012-December/msg00118.html