On 04/16/2012 03:13 PM, KodaK wrote:
> Hi,
>
> I have googled around a bit, but I still have a couple of questions:
>
> 1) is it possible to get "getent shadow" to return shadow entries from
> the ipa server? This is so we can do a DR test on some server or set
> of servers without also having to restore the IPA server first. I can
> do a "getent passwd" easily enough, and I could rebuild the shadow
> file for local users, so it's not critical, but it would be a "nice to
> have" in the case of a DR.

Please use SSSD on the client. It will do all the caching for you. If the connection is lost to the central server, the client will continue to operate and authenticate users that logged in previously at least once. There is no need to create shadow files on the client in this case. Shadow is a mistake of the past that should not be used when there are other much more secure technologies available now.

> 2) What is everyone else doing to prepare IPA for a DR? I've read
> that the best way to do it is to turn off the IPA services on a
> replica and then back that replica up. I also read that this will
> miss some important files that only exist on the master.

That is the case when you use a self-signed cert, but the preferred and default configuration is not with the self-signed certs. It was in the past but not any more. Currently, when you install IPA and then replicas, there is no difference between master and replicas (if you installed CA on the replica), so picking any one and recycling is possible. You won't lose anything.

> I don't want
> to turn off the master server services for a DR due to failover lag.
> Would it be safe to take a backup of the master while "hot", then
> restore a replica, and promote it to master using the "hot" backup of
> the master (just the specific CA files needed)?

So turning off any server of your choice, backing it up (taking a snapshot), and then re-starting it again is the simplest way of dealing with DR. But to do this, make sure that the server that you plan to use for taking backup snapshots has a CA.

> Thanks,
>
> --Jason
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
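The offline authentication described in the reply depends on the client's SSSD credential cache being enabled. The following is an added example, not part of the original message or of FreeIPA/SSSD code: a DR-readiness check that reads an sssd.conf and reports, per enabled domain, whether cached logins will work when the IPA server is unreachable. The sample configuration, the domain names and the function name `audit_offline_auth` are constructed for illustration; `cache_credentials` and `offline_credentials_expiration` are SSSD options.

```python
import configparser

# Constructed sample sssd.conf; domain names are placeholders.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = example.test, legacy.test

[pam]
offline_credentials_expiration = 7

[domain/example.test]
id_provider = ipa
auth_provider = ipa
cache_credentials = True

[domain/legacy.test]
id_provider = ldap
auth_provider = ldap
"""

def audit_offline_auth(conf_text):
    """Return {domain: finding} for every domain listed in [sssd] domains."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    # Days a cached login stays usable offline, counted from the last
    # successful online login. SSSD default is 0, meaning no limit.
    expiry_days = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    findings = {}
    for name in enabled:
        section = "domain/" + name
        if not cp.has_section(section):
            findings[name] = "enabled in [sssd] but has no [domain/...] section"
            continue
        # SSSD defaults cache_credentials to false when the option is absent.
        value = cp.get(section, "cache_credentials", fallback="false")
        if value.strip().lower() != "true":
            findings[name] = "no offline login: cache_credentials is not enabled"
        elif expiry_days:
            findings[name] = f"offline login allowed for {expiry_days} day(s) after last online login"
        else:
            findings[name] = "offline login allowed, no expiry"
    return findings

if __name__ == "__main__":
    for domain, finding in audit_offline_auth(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {finding}")
```

Only users who have logged in at least once while the server was reachable have a cached credential, so a DR test should use such accounts.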
