On 01/20/2014 11:12 AM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 20.1.2014 12:27, Petr Spacek wrote:
>>> On 20.1.2014 09:21, Martin Kosek wrote:
>>>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>>>> Les Stott wrote:
>>>>>>>> The first time your migrated production users authenticate with
>>>>>>>> their password their Kerberos credentials will be generated.
>>>>>>>
>>>>>>> Is there a way to avoid this?
>>>>>>>
>>>>>>> I had to do that for importing shadow files originally in DR. Now,
>>>>>>> I'm going from FreeIPA to FreeIPA. If I export Kerberos attributes,
>>>>>>> will that avoid users having to regenerate the Kerberos
>>>>>>> credentials?
>>>>>>
>>>>>> No. The Kerberos master keys are different.
>>>>>
>>>>> Unless you want to copy master keys over.
>>>>> This is a complex manual procedure. You can probably find it in the
>>>>> archives as we helped people with it a couple of times, but it is not
>>>>> recommended.
>>>>>
>>>>> Maybe we should open an RFE to develop a tool that would do
>>>>> ipa-migrate-ipa and can be used to move data from POC to production.
>>>>
>>>> We have an RFE open for that feature already:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3656
>>>>
>>>> I added a reference to this discussion on the list. Contributions or
>>>> other ideas are very welcome!
>>>
>>> It sounds like creating a new replica and then disconnecting the new
>>> replica from the old replica.
>>>
>>> This procedure will copy all keys etc., so be sure you understand the
>>> security implications for your environment! (Who can get root access to
>>> the old environment? Who can get root access to the new environment?
>>> What will you do if one of them was compromised...?)
>>
>> I should clarify this:
>>
>> Maybe we could provide a tool for FreeIPA domain rename, so you
>> can create a replica, disconnect the replica and then rename the FreeIPA
>> domain to something else (renaming would include master-key regeneration
>> etc.).
>>
>> This solves two problems at once:
>> - FreeIPA-to-FreeIPA migration
>> - FreeIPA domain renaming
>>
>
> There could be some weird side-effects. The certificate subject base
> is not changeable post-install, so you could end up issuing certs with
> the subject of the old realm.
>
> rob

There is a set of tickets to be able to change the chaining and rename the root CA. Once this is available, I guess we would need to call that too to change the subject and chaining.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
