On Thu, 16 Jun 2022, rui liang via FreeIPA-users wrote:
> I want to migrate the old freeipa LDAP server to a new Freeipa server.
> However, after using this migration scheme, I find that the old keytab
> file cannot be logged in. How do I set up the old keytab file to work
> properly?
You don't. None of the Kerberos content is migratable this way. A new
deployment would have different master keys and most likely also a
different Kerberos realm.
If you don't plan to change the IPA Kerberos realm, using the replica approach
is better and should be used instead.
> https://www.freeipa.org/page/Howto/Migration
> This page explicitly states:
> Users and groups can be migrated using the migrate-ds command, just like
> with any other LDAP based identity management server. You just need to
> make sure that FreeIPA Kerberos related attributes are not migrated as
> they need to be generated again by the new FreeIPA server and its new
> Kerberos settings or keys.
>
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts
> --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test
>
> ssh new.migrated.freeipa.server.test
> Use the old keytab file
> root@migration-ipa-65:/home/liangrui# kinit -kt roy.keytab roy
> kinit: Generic preauthentication failure while getting initial credentials
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
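As an added illustration (not from this thread or the FreeIPA project), the following Python code parses the MIT keytab file format to show what an old keytab actually carries (realm, principal, enctype, kvno and the raw key) and flags entries bound to a realm other than the new deployment's. Realm names, principal names, key bytes and the timestamp are constructed sample values; the helper names are my own.

```python
import struct
from collections import namedtuple

# Hypothetical helper names; the byte layout is MIT's keytab format version 2 (0x0502).
KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype timestamp key")

def _counted(b):
    return struct.pack(">H", len(b)) + b

def encode_entry(realm, components, kvno, enctype, key, timestamp):
    """Build one keytab entry from constructed sample values (not a real keytab)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
    body += struct.pack(">I", kvno)                           # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

def make_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                        # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        parts = []
        for _ in range(ncomp + 1):          # realm first, then the name components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        realm, comps = parts[0], parts[1:]
        _name_type, ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                  # a non-zero 32-bit vno overrides vno8
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts, key))
    return entries

def foreign_realm_entries(data, expected_realm):
    """Entries whose realm differs from the new deployment's realm: these can never work."""
    return [e for e in parse_keytab(data) if e.principal.rsplit("@", 1)[1] != expected_realm]

# Constructed sample: one AES256 (enctype 18) entry for roy in the old realm, kvno 3.
SAMPLE_KEYTAB = make_keytab([encode_entry("OLD.EXAMPLE.TEST", ["roy"], 3, 18, b"\x11" * 32, 1655000000)])
```

The realm check only catches the obvious case: an entry in the right realm still fails when the new server has regenerated the principal's key, because the key bytes in the keytab no longer match what the new KDC holds.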
FreeIPA-users mailing list -- [email protected]