sharmaji a via FreeIPA-users wrote:

> Thanks Rob for your reply.
>
> In our situation, we are left with only a data-only backup of our IPA server.
> (For some reason, both our IPA Master and Replica server got corrupted and
> are not in a recoverable state.)
>
> So we attempted a data-only restore on a fresh install of the IPA server. We faced
> issues with a Kerberos and RA key mismatch, which we fixed. Now we are stuck with
> a CA mismatch issue.
>
> We suspect the CA cert in local files like the NSS db, SLAPd & HTTP alias folders is
> NOT matching the CA keys in LDAP, as this KEY came from the data-only restore.
>
> So, can we remove the entire existing CA and re-create it again?
Not easily. I'm sure it's theoretically possible but given the rest of the state probably not the best approach.

At this point you're in disaster recovery and it's going to be painful. To say "there be dragons" doesn't do things justice. This is likely to be a manual and iterative process until you get the data massaged just right.

Whatever you do, make a copy of the backup some place safe.

I would not use ipa-restore to restore the data. Instead I'd extract the tarball and use dsconf ldif2db on userRoot.ldif. You'll have to make a *lot* of manual edits to the ldif before loading. I haven't attempted such a thing in many years and there is no document on what to do, how, or what pitfalls you'll run into. Like I said, iterative with lots and lots of re-installs until you get it just right.

Your "new" IPA install has a different Kerberos master key and CA than before. If you do the restore then you'll get the original master key. This can be good since it will preserve all the user passwords, etc. But this will break all the current keytabs. You can use kadmin to procure new ones, I think. Assuming you can get dirsrv and the KDC to start.

You'll want to remove any userCertificate values from the userRoot ldif. These don't exist in the current CA.

I'd run through all the certmonger requests and re-issue them all so that the latest values are stored. For any non-IPA-server certificates you'll need to re-issue them.

On the new install you'll want to request the same POSIX range as used by the original server.

I'm sure there's more to do, this is just a small flavor of what you're looking at.
rob

FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
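Rob's step of dropping the userCertificate values from userRoot.ldif before loading it with ldif2db is easy to get wrong with a plain `grep -v`, because LDIF folds long values onto continuation lines (leading space) and stores binary values base64-encoded after `::`. The following filter is an added example, not code from the thread or from FreeIPA; it assumes a userRoot.ldif extracted from the ipa-backup tarball, and the sample entries embedded below are constructed.

```python
"""Strip one attribute (default: userCertificate) from an LDIF dump.

Added example for the FreeIPA data-only restore thread above; not part of
the original post. Handles LDIF folding (continuation lines start with a
single space), attribute options such as ';binary', and base64 ('::')
values, so no dangling continuation lines are left behind.
"""
from __future__ import annotations
import sys

# Constructed sample: two user entries, one carrying a (fake) certificate.
SAMPLE_LDIF = """dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
uid: alice
userCertificate;binary:: Y29uc3RydWN0ZWQ=
 ZmFrZSBjZXJ0
description: constructed sample entry

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
description: no certificate here
"""


def strip_attribute(ldif_text: str, attr: str = "userCertificate") -> tuple[str, int]:
    """Return (filtered_ldif, removed_count).

    Drops every attribute line whose name matches `attr` (case-insensitive,
    ignoring options like ';binary') plus its folded continuation lines.
    All other lines, including 'dn:' lines and entry separators, pass through.
    """
    out: list[str] = []
    removed = 0
    skipping = False
    for line in ldif_text.splitlines(keepends=True):
        if line.startswith(" "):           # continuation of the previous line
            if not skipping:
                out.append(line)
            continue
        skipping = False
        name = line.split(":", 1)[0].split(";", 1)[0].strip().lower()
        if ":" in line and name == attr.lower():
            skipping = True                # also swallow its continuation lines
            removed += 1
            continue
        out.append(line)
    return "".join(out), removed


if __name__ == "__main__":
    # Usage: python strip_ldif_attr.py userRoot.ldif > userRoot.nocerts.ldif
    path = sys.argv[1] if len(sys.argv) > 1 else "userRoot.ldif"  # assumed path
    with open(path, encoding="utf-8") as fh:
        filtered, count = strip_attribute(fh.read())
    sys.stdout.write(filtered)
    print(f"removed {count} userCertificate value(s)", file=sys.stderr)
```

Review the filtered file before running dsconf ldif2db; this only removes the certificate values, the other manual edits Rob mentions still apply.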
