On Tue, 22 Sep 2015, Martin Kosek wrote:
> On 09/22/2015 05:06 AM, Robert Story wrote:
>> I've followed the migration document
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>> almost to the end.
>>
>> I'm at step 10, which stops everything on the old . My concern is all
>> the installed servers that are pointing at the old system. That host name
>> is hardcoded in sssd.conf all over my network, and we rely on freeIPA for
>> centralized user management and ssh keys.
>>
>> My original system was auth.example, and the new one is auth-2.example. Is
>> it safe to make auth.example a CNAME to auth-2.example? Or will something
>> somewhere break if the ip address changes (and is pointing at a newer
>> version of freeIPA)?
>
> I wouldn't be too afraid of the IP address change, but rather the CNAME itself
> and Kerberos authentication against the CNAME'ed old FreeIPA server. But I
> think Alexander had some ideas how to make such setups work.
Yes, for this specific use case you can make auth.example a CNAME to
auth-2.example. On Kerberos level all systems will be asking for tickets
to an A record behind the CNAME, so they will get a correct ticket to
the service.

> As for the clients, if you use DNS SRV records, you should be fine, even if the
> original server is listed in sssd.conf - well, as long as its server list also
> has "_srv_" in it which ipa-client-install adds if DNS SRV check passes.
Correct.

--
/ Alexander Bokovoy
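To check the condition discussed above across a fleet (an `ipa_server` list that still names the retired server but also carries `_srv_`), here is an added audit script; it is not from this thread or the FreeIPA project. It assumes the retired host is auth.example, uses a constructed sssd.conf, and treats an absent `ipa_server` as SRV-based service discovery (sssd-ipa's default, stated here as an assumption).

```python
import configparser

# Constructed sample sssd.conf: the retired server is still listed, but
# "_srv_" precedes it, so SRV discovery is consulted first.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example
services = nss, pam, ssh

[domain/example]
id_provider = ipa
ipa_domain = example
ipa_server = _srv_, auth.example
krb5_realm = EXAMPLE
"""


def audit_sssd_conf(text, retired_server):
    """Return one finding per IPA domain section found in an sssd.conf text.

    Each finding records the configured server list, whether "_srv_" (DNS SRV
    discovery) is present, and whether the retired server is still pinned.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        raw = cp.get(section, "ipa_server", fallback=None)
        # Assumption: no ipa_server line means sssd-ipa falls back to SRV discovery.
        servers = ["_srv_"] if raw is None else [
            s.strip() for s in raw.split(",") if s.strip()
        ]
        findings.append({
            "domain": section.split("/", 1)[1],
            "servers": servers,
            "uses_srv": "_srv_" in servers,
            "pins_retired_server": retired_server.lower()
            in (s.lower() for s in servers),
        })
    return findings


def needs_attention(finding):
    """True when a domain pins the retired server without any SRV fallback."""
    return finding["pins_retired_server"] and not finding["uses_srv"]
```

Hosts whose finding reports `needs_attention` would lose their only IPA server once the old name stops resolving to a working server, so those are the sssd.conf files to edit before step 10.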
