On 9/4/20 11:44 AM, Harald Dunkel via FreeIPA-users wrote:
Hi folks,

I have found several migration guidelines from CentOS 7 to 8. AFAIU
the procedure is to set up a new CentOS 8 FreeIPA server, and then to
migrate the "master" from the old to the new host. See [1], for example.

Having burned myself with the CA stuff in FreeIPA before, I wonder if
there are any pitfalls wrt having an external root CA and external
DNS? That's the part not described in [1].

Every helpful comment is highly appreciated.
Harri

Hi,

If the deployment has an embedded CA, the steps are the same for self-signed CA or externally-signed CA. The CA renewal master and CRL generation master roles need to be transferred to the CentOS 8 server, as described in the migration chapter.

Regarding the external DNS, the NS records pointing to the CentOS 7 server need to be removed and replaced with the CentOS 8 server. The CLI "ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate" can help you build the list of records. You can refer to [1] for more info on this CLI.

Depending on how the clients were installed, there may also be additional work. If the clients were set up with autodiscovery, their /etc/sssd/sssd.conf file defines "ipa_server= _srv_, xxx" that ensures that the IPA server is found using DNS. In this case, nothing to do. On the contrary, if the clients were bound to a given server, their sssd.conf will have to be updated.

Hope this helps,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#dns-update-external-nsupdate

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
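
The client-side check described in the reply above, as an added example that is not part of the original thread or of FreeIPA/SSSD: it reads the text of an sssd.conf and reports, per IPA domain, whether `ipa_server` uses `_srv_` autodiscovery or is pinned to explicit hosts that include the server being retired. The function name `audit_sssd_conf`, the "unset" category and the hostnames in the sample files are assumptions made for illustration.

```python
import configparser

# Constructed sample sssd.conf contents; the hostnames are placeholders.
SAMPLE_AUTODISCOVERY = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = _srv_, ipa7.example.test
"""

SAMPLE_PINNED = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = ipa7.example.test
"""


def audit_sssd_conf(text, old_server):
    """Return {domain: (mode, needs_update)} for every IPA domain section.

    mode is "autodiscovery" when ipa_server contains _srv_, "pinned" when it
    lists only explicit hosts, and "unset" when the option is absent.
    needs_update is True only for a pinned domain that names old_server.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    result = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] and similar service sections
        if parser.get(section, "id_provider", fallback="").strip().lower() != "ipa":
            continue  # only IPA-backed domains are affected by the migration
        domain = section[len("domain/"):]
        raw = parser.get(section, "ipa_server", fallback=None)
        if raw is None:
            result[domain] = ("unset", False)
            continue
        hosts = [h.strip().lower() for h in raw.split(",") if h.strip()]
        if "_srv_" in hosts:
            result[domain] = ("autodiscovery", False)
        else:
            result[domain] = ("pinned", old_server.lower() in hosts)
    return result
```

On a real client, pass the contents of /etc/sssd/sssd.conf (readable by root only) and the FQDN of the CentOS 7 server as `old_server`.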