Dan Scott wrote:
Hi,
Thanks for all the replies.
On Wed, May 25, 2011 at 18:13, Rob Crittenden<rcrit...@redhat.com> wrote:
I have a FreeIPA 1.2.1 system (1 master and 1 replica server) running
on Fedora 14. I'd like to migrate to FreeIPA 2, now that Fedora 15 has
been released. But I have a few questions:
1. Can Fedora 15 clients authenticate against my FreeIPA 1 servers?
Yes but you would have to configure it yourself. sssd would work nicely with
an ldap/krb5 configuration.
I've set up a Fedora 15 VM and have successfully configured it to
authenticate against my FreeIPA 1 servers, so this is good. One small
problem was that I couldn't get passwordless ssh logins *to* the F15
system working. I created and installed a host keytab, same as for all
the other systems, but no luck. I was able to ssh *from* the F15
system without a password however. Any ideas?
Are any errors reported on either side? You can test the host principal
with something like:
# kinit -kt /etc/krb5.keytab host/ipa.example....@example.com
3. Can I migrate the servers from FreeIPA 1 to 2 (presumably requiring
an upgrade from Fedora 14 to 15 along the way).
You cannot do a straight upgrade, too much changed between the two versions.
You should be able to migrate the users and groups using the v2 migration
system. This will maintain your user passwords at least. You would need to
generate new principals and keytabs for your kerberized services.
I've setup a Fedora 15 VM and installed the FreeIPA server. I ran the
ipa migrate-ds command provided in the documentation. All of the user
groups were migrated successfully, but none of the users were migrated
due to 'unknown object class "radiusprofile"' errors.
I've seen this post here:
https://www.redhat.com/archives/freeipa-users/2011-May/msg00282.html
but I wanted to add that I don't use any of the radius functionality
and my FreeIPA v1 installation is pretty standard, so other users
might run into this. I didn't find a bug report, but can file one if
needed?
Saw that you filed one, thanks, we'll take a look.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
