Thank you for the direction

Regards
Angus


________________________________
From: Alexander Bokovoy <[email protected]>
Sent: 04 May 2022 09:58
To: FreeIPA users list <[email protected]>
Cc: Florence Blanc-Renaud <[email protected]>; Angus Clarke <[email protected]>
Subject: Re: [Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain

On Wed, 04 May 2022, Angus Clarke via FreeIPA-users wrote:
>Thanks Flo,
>
>Are there any options available to me to continue using my existing
>FreeIPA deployment with EL8 clients and indeed to upgrade the FreeIPA
>infra to 4.7+ which I believe is only available to EL8 - manipulate the
>current single level domain/realm perhaps?
>
>Or am I faced with replacing the whole deployment with a fresh FreeIPA
>install using a permitted domain/realm?

The latter is the case, unfortunately. Manipulating domain/realm would
not be easy because Kerberos realm details are everywhere. Your LDAP
database suffix embeds it as well, as dc=single-label; that one is hard
to change. The Kerberos realm is baked into all principals.

>
>I suppose the latter involves a large amount of work in
>exporting/importing users/groups/hbac/automember/sudo/<other>
>configurations and then having to re-register all of our existing
>clients (we have many) to the new infra.

It might be possible to migrate, kind of. I haven't tried that myself.

If you'd export LDAP data and modify LDAP suffix (dc=single-label ->
dc=new,dc=domain), modify all principals to use new realm, and all other
objects to use new domain, then do a data-only backup from the new
install, replace LDIF file in it with the modified version, re-import
that backup, then manually re-generate keytabs using LDAPI URI in
ipa-getkeytab (as root on IPA master this will allow you to be a
cn=Directory Manager), then it might work. I am not detailing the
process because a) I have not tried that, b) it is easy to break. But I
think it could be possible at least theoretically:

  - your Kerberos master key would stay the same as part of the import so
    you would be able to decrypt old Kerberos keys for old principals

  - your user Kerberos principals use random salt, so they should not
    depend on the realm value

  - keytab files have to be rebuilt because they do have the Kerberos
    principal name recorded in them, so they'd be issued into 'old' realm

All the users/groups/HBAC/sudo rules metadata is the same, it only
differs by the DN which is now ending in a different suffix which could
be fixed with LDIF replacement.

Restoring backup from the data would force wiping the 'new' deployment
content. You need this because you certainly want to keep old ID ranges,
DNA ranges, SIDs and other per-deployment settings.

Again, this is a theory. I haven't tried that myself.

>
>Thanks
>Angus
>________________________________
>From: Florence Blanc-Renaud via FreeIPA-users 
><[email protected]>
>Sent: 03 May 2022 13:37
>To: FreeIPA users list <[email protected]>
>Cc: Angus Clarke <[email protected]>; Florence Blanc-Renaud <[email protected]>
>Subject: [Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain
>
>Hi,
>
>
>On Tue, May 3, 2022 at 11:59 AM Angus Clarke via FreeIPA-users
><[email protected]> wrote:
>Hello
>
>We installed our IPA servers back in EL7.2 days and deployed with a single 
>level domain and matching (uppercased) realm. Through various upgrades we are 
>now at EL7.9 and are aware that the ipa-client-install command has become 
>finickity about single level domains however thus far we have been able to 
>continue joining EL7 clients.
>
>I've set up my test environment similarly and have been unsuccessful in trying 
>to upgrade (join new and replace old) these EL7 FreeIPA servers to EL8; the 
>ipa-client-install on EL8 skips the single level domain so I'm a bit stuck.
>
>Is there a way around this in EL8?
>
>As you saw, the installation of single-label domain is forbidden since 
>ipa-4.6.5-1.el7, but the upgrade from older versions is still allowed.
>Regarding the client, the installation in a single-label IPA domain is 
>possible only with IPA 4.6.x clients (see
>https://bugzilla.redhat.com/show_bug.cgi?id=1745108).
> It was a deliberate choice to allow RHEL7 clients but stop supporting this 
>type of deployment with RHEL8+. So no workaround with RHEL8...
>
>Hope this clarifies,
>flo
>
>EL7 ipa server (ipatest1):
>ipa-server-4.6.8-5.0.1.el7_9.10.x86_64
>
>EL8 (ipatest2):
>ipa-server-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64
>
>
>[root@ipatest2 ~]# ipa-replica-install --setup-ca --ip-address 192.168.180.141 
>--password=Password1234 --principal=admin --setup-dns 
>--forwarder=192.168.180.100
>Configuring client side components
>This program will set up IPA client.
>Version 4.9.6
>
>Unable to discover domain, not provided on command line
>The ipa-client-install command failed. See /var/log/ipaclient-install.log for 
>more information
>Removing client side components
>IPA client is not configured on this system.
>The ipa-client-install command failed.
>
>Your system may be partly configured.
>Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>Configuration of client side components failed!
>The ipa-replica-install command failed. See /var/log/ipareplica-install.log 
>for more information
>
>
>[root@ipatest2 ~]# less /var/log/ipaclient-install.log
><-- snip
>2022-05-03T08:53:10Z DEBUG [IPA Discovery]
>2022-05-03T08:53:10Z DEBUG Starting IPA discovery with domain=None, 
>servers=None, hostname=ipatest2.int.test
>2022-05-03T08:53:10Z DEBUG Start searching for LDAP SRV record in "int.test" 
>(domain of the hostname) and its sub-domains
>2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _ldap._tcp.int.test
>2022-05-03T08:53:10Z DEBUG DNS record not found: NXDOMAIN
>2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _ldap._tcp.test
>2022-05-03T08:53:10Z DEBUG DNS record found: 0 100 389 ipatest1.int.test.
>2022-05-03T08:53:10Z DEBUG [Kerberos realm search]
>2022-05-03T08:53:10Z DEBUG Search DNS for TXT record of _kerberos.test
>2022-05-03T08:53:10Z DEBUG DNS record found: "TEST"
>2022-05-03T08:53:10Z DEBUG Skipping invalid realm 'TEST' (single label realms 
>are not supported)
>2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _kerberos._udp.test
>2022-05-03T08:53:10Z DEBUG DNS record found: 0 100 88 ipatest1.int.test.
>2022-05-03T08:53:10Z DEBUG [LDAP server check]
>2022-05-03T08:53:10Z DEBUG Verifying that ipatest1.int.test (realm None) is an 
>IPA server
>2022-05-03T08:53:10Z DEBUG Init LDAP connection to: 
>ldap://ipatest1.int.test:389
>2022-05-03T08:53:10Z DEBUG Search LDAP server for IPA base DN
>2022-05-03T08:53:10Z DEBUG Check if naming context 'dc=test' is for IPA
>2022-05-03T08:53:10Z DEBUG Naming context 'dc=test' is a valid IPA context
>2022-05-03T08:53:10Z DEBUG Search for (objectClass=krbRealmContainer) in 
>dc=test (sub)
>2022-05-03T08:53:10Z DEBUG Found: cn=TEST,cn=kerberos,dc=test
>2022-05-03T08:53:10Z DEBUG Skipping invalid realm 'TEST' (single label realms 
>are not supported)
>2022-05-03T08:53:10Z DEBUG Discovery result: NOT_IPA_SERVER; server=None, 
>domain=test, kdc=ipatest1.int.test, basedn=dc=test
>2022-05-03T08:53:10Z DEBUG Validated servers:
>2022-05-03T08:53:10Z DEBUG No IPA server found
><-- snip
>
>
>Thanks
>Angus




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
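As an added illustration of the "LDIF replacement" step Alexander sketches above (suffix dc=single-label -> dc=new,dc=domain, principals moved to the new realm), here is a small rewriter; it is not code from this thread or from FreeIPA, and the target suffix dc=new,dc=domain and realm NEW.DOMAIN are hypothetical placeholders. It also handles the two LDIF details that a plain sed pass misses: folded continuation lines and base64-encoded (`attr::`) values.

```python
import base64
import re
# Constructed example: old suffix/realm as in the thread (dc=test, TEST);
# new suffix/realm are hypothetical placeholders.
OLD_SUFFIX, NEW_SUFFIX = "dc=test", "dc=new,dc=domain"
OLD_REALM, NEW_REALM = "TEST", "NEW.DOMAIN"

def b64(text):  # LDIF base64 form, used for non-ASCII or special-leading values
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def unfold(ldif):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def rewrite_value(value):
    """Replace the suffix ending a DN and the realm ending a Kerberos principal."""
    value = re.sub(rf"(?i)(^|,){re.escape(OLD_SUFFIX)}$",
                   lambda m: m.group(1) + NEW_SUFFIX, value)
    return re.sub(rf"@{re.escape(OLD_REALM)}$", "@" + NEW_REALM, value)

def rewrite_ldif(ldif):
    """Rewrite every attribute value, handling 'attr:: <base64>' lines transparently.
    The realm container entry (cn=TEST,cn=kerberos,...) is left for manual review."""
    out = []
    for line in unfold(ldif):
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:  # blank entry separator or '#' comment
            out.append(line)
            continue
        attr, sep, raw = m.groups()
        if sep == "::":
            decoded = base64.b64decode(raw).decode("utf-8")
            out.append(f"{attr}:: {b64(rewrite_value(decoded))}")
        else:
            out.append(f"{attr}: {rewrite_value(raw)}")
    return "\n".join(out) + "\n"
# Constructed sample entries shaped like a FreeIPA data export.
SAMPLE_LDIF = "\n".join([
    "dn: uid=admin,cn=users,cn=accounts,dc=test",
    "krbPrincipalName: admin@TEST",
    "memberOf: cn=admins,cn=groups,cn=accounts,", " dc=test",  # folded line
    "",
    "dn:: " + b64("cn=Ryhmä,cn=groups,cn=accounts,dc=test"),  # base64 DN
    "krbPrincipalName: host/ipatest1.int.test@TEST",
]) + "\n"
```

Run `rewrite_ldif(SAMPLE_LDIF)` and diff the result against the input before importing anything; hostnames like ipatest1.int.test are untouched because only a trailing `dc=test` DN component or a trailing `@TEST` realm is rewritten.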
