On 07/14/2016 07:13 AM, Grant Wu wrote:
> Hi all,
>
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a
> pain point for quite some time. I've heard that FreeIPA might be a solution
> worth exploring.
>
> I would like to try to avoid user visible disruption if possible, however. This
> means that we would like to keep our Kerberos realm name, keep AFS cross-realm
> authentication working, etc. UIDs remaining the same would be good; I'd have to
> think about
Users and groups can be migrated by the `ipa migrate-ds` command. It allows you to keep UIDs and GIDs, but one must make sure that IPA servers are configured to issue new UIDs and GIDs which don't overlap with the migrated ones. There are options in the ipa-server-install and ipa-replica-manage tools for that. This can be evaluated in an isolated network against a clone of your LDAP server.

Cross-realm trust with AFS is a challenge though. IPA now supports only cross-realm trust with Active Directory. Trusts with other general KDCs are not yet supported.

Another migration challenge might be the migration of services. It is not done by the above-mentioned `ipa migrate-ds`. When the service accounts are added to IPA, you would have to obtain new keytabs for the services.

> Essentially all of our clients are various flavors of Debian; mostly Jessie (we
> have an unfortunate number of older machines that I hope to upgrade soon).

A possibility is to use SSSD as the client on Debian.

> Has anyone done something like this before? Anyone have any ideas what the
> migration path would look like or whether this is even possible?
>
> Thanks,
>
> Grant Wu
> [email protected]

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
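An added example for the ID-range point in the reply above; it is not part of the thread and not FreeIPA's own tooling. Before `ipa migrate-ds` is run, the range the new IPA servers will allocate from (the `--idstart` and `--idmax` options of ipa-server-install) has to be checked against the uidNumber/gidNumber values already in the old LDAP tree, or a freshly created IPA user can collide with a migrated one. The helper names `min_posix_id`, `max_posix_id` and `range_is_clear` are hypothetical, the `example.org` LDIF is constructed sample data, and the script reads LDIF on stdin so the same functions work on `ldapsearch -LLL ... uidNumber gidNumber` output from a clone of the real directory.

```shell
#!/bin/sh
# Check that a planned IPA DNA range does not overlap ids that will be migrated.
# Example code, not from the thread or from FreeIPA. LDIF below is constructed.

SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=org
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=org
uidNumber: 45123
gidNumber: 1001

dn: cn=wheel,ou=Group,dc=example,dc=org
gidNumber: 60010
'

# Highest uidNumber/gidNumber in the LDIF read from stdin (0 if none).
max_posix_id() {
    awk 'tolower($1) == "uidnumber:" || tolower($1) == "gidnumber:" {
             if ($2 + 0 > m) m = $2 + 0
         }
         END { print m + 0 }'
}

# Lowest uidNumber/gidNumber in the LDIF read from stdin (0 if none).
min_posix_id() {
    awk 'BEGIN { m = -1 }
         tolower($1) == "uidnumber:" || tolower($1) == "gidnumber:" {
             if (m < 0 || $2 + 0 < m) m = $2 + 0
         }
         END { print (m < 0 ? 0 : m) }'
}

# range_is_clear IDSTART IDMAX  (LDIF on stdin)
# Exit 0 when no migrated id falls inside [IDSTART, IDMAX], 1 otherwise.
# Both lo/hi are compared so a migrated range that straddles the IPA range
# is also caught, not only one that sits entirely below it.
range_is_clear() {
    idstart=$1
    idmax=$2
    ids=$(cat)
    lo=$(printf '%s\n' "$ids" | min_posix_id)
    hi=$(printf '%s\n' "$ids" | max_posix_id)
    if [ "$hi" -lt "$idstart" ] || [ "$lo" -gt "$idmax" ]; then
        return 0
    fi
    return 1
}

# Demo against the constructed LDIF with a candidate range for the new server.
IDSTART=100000
IDMAX=$((IDSTART + 199999))
if printf '%s\n' "$SAMPLE_LDIF" | range_is_clear "$IDSTART" "$IDMAX"; then
    echo "ok: migrated ids stay outside [$IDSTART, $IDMAX];"
    echo "    install with: ipa-server-install --idstart=$IDSTART --idmax=$IDMAX ..."
else
    echo "conflict: choose --idstart above $(printf '%s\n' "$SAMPLE_LDIF" | max_posix_id)"
fi
```

Run it against the real data with `ldapsearch -x -LLL -H ldap://old-server -b 'dc=example,dc=org' uidNumber gidNumber | range_is_clear 100000 299999` (host and base DN assumed). After the install, `ipa idrange-find` shows the range the server actually holds, so the same comparison can be repeated against what was configured rather than what was intended.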
