Re: [Freeipa-users] Export data
In my case DNS is not an issue, FreeIPA is integrated with existing DNS servers.

The above procedure would work for migrating the user's data to a new IPA server that has a new host name. What if I would like to restore the original IPA server? Could I repeat the above steps with the exception of #4, in which I would restore backed-up certificates and keytab files. This should avoid the need to regenerate them, no?

In short how would you perform a full back-up and restore of the Primary IPA server? I understand this is not a trivial task for the IPA server and from what I've learned it is probably not fully supported in the current ver 3.x

Thanks,
Dimitar

On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek mko...@redhat.com wrote:

On 01/22/2014 06:57 PM, Petr Viktorin wrote:

On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:

Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?

No, that generally won't work. There's more to IPA than the data in LDAP. Instead of copying data you should install the new server as a replica of the old one.

That would give you FreeIPA with the same domain, realm or certificate subject name. If you want to start with different settings, I would recommend:

1) Installing new IPA server
2) Using ipa migrate-ds command to migrate users and groups
3) Use the ldapsearch/ldapmodify to migrate DNS (you may need to change the DN in the LDIF file to use correct SUFFIX if the realm changed)
4) For all hosts - unenroll and enroll again against the new IPA. This is needed to regenerate the new certificates or host keytab

HTH,
Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] ipa AD trust issue
Hi,

In reference to the following thread, I already have an entry for AD server in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS servers are resolving the records from the opposite side. Any other suggestions to remove this error?

  root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
  ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

Thanks
Zulkifal Ahmad

On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:

Hi List,

Just wanted to find out if anyone has setup an ipa-AD trust successfully. According to the instructions in the following link

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html

everything went well until I hit the point where I had to check the samba configuration, by typing the command

  root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
  smbclient: command not found

and similar for

  root@ipaserver# wbinfo --online-status
  wbinfo: command not found

I am pretty sure that the command ipa-trust-install command did install samba4 packages as dependencies, anyways I thought these packages were not necessary and went forward until I got really stuck when I typed the command.

  root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password

This gave me a very cruel message

  ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168

Yes. The solution is:

If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4.

To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.

has anyone worked it out.

Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?

Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client. SSSD 1.12 (in works) is going to be capable to work with cifs-utils instead of samba winbind thus the limitation will be lifted.

My ipa server
server OS: CentOS 6.5
ipa server version: 3
Active directory: server 2008 R2 Standard

Thank you

Best Regards
Sahibzada .Z. Ahmad
System Administrator
cell: 1(678)267-0265 (US)
cell: 1(647)339-5434 (Canada)

Re: [Freeipa-users] ipa AD trust issue
On Thu, 23 Jan 2014, Zulkifal Ahmad wrote:

Hi,

In reference to the following thread, I already have an entry for AD server in the /etc/hosts file of ipaserver but the issue still remains. Both my DNS servers are resolving the records from the opposite side. Any other suggestions to remove this error?

  root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password
  ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

Add 'log level = 100' to /usr/share/ipa/smb.conf.empty in [global] section and try again. You'll get SMB traffic debugging in /var/log/httpd/error_log.

Adding and removing 'log level = 100' to /usr/share/ipa/smb.conf.empty does not require restarting httpd.

Thanks
Zulkifal Ahmad

On 01/17/2014 06:29 PM, Zulkifal Ahmad wrote:

Hi List,

Just wanted to find out if anyone has setup an ipa-AD trust successfully. According to the instructions in the following link

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-ipa-subdomain.html

everything went well until I hit the point where I had to check the samba configuration, by typing the command

  root@ipaserver# smbclient -L ipaserver.ipaexample.com -k
  smbclient: command not found

and similar for

  root@ipaserver# wbinfo --online-status
  wbinfo: command not found

I am pretty sure that the command ipa-trust-install command did install samba4 packages as dependencies, anyways I thought these packages were not necessary and went forward until I got really stuck when I typed the command.

  root@ipaserver# ipa trust-add --type=ad adexample.com --admin Administrator --password

This gave me a very cruel message

  ipa: ERROR: CIFS server communication error: code -1073741801, message Memory allocation error (both may be None)

If it's this bug https://bugzilla.redhat.com/show_bug.cgi?id=878168

Yes. The solution is:

If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4.

To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.

has anyone worked it out.

Secondly cifs-utils has dependency on samba3 packages and ipa-ad-trust needs samba4 but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?

Why do you need cifs-utils on the same server? cifs-utils to make a system a client to MSFT file server, AFAIU you can't make IPA server to be a cifs client. SSSD 1.12 (in works) is going to be capable to work with cifs-utils instead of samba winbind thus the limitation will be lifted.

My ipa server
server OS: CentOS 6.5
ipa server version: 3
Active directory: server 2008 R2 Standard

Thank you

Best Regards
Sahibzada .Z. Ahmad
System Administrator
cell: 1(678)267-0265 (US)
cell: 1(647)339-5434 (Canada)

--
/ Alexander Bokovoy
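
The /etc/hosts workaround quoted in this thread depends on the AD server's name mapping to an IPv4 address only. The script below is an added example, not part of any poster's message: it reports which address families a hosts file maps for a name, so a leftover IPv6 entry for the same name is easy to spot. The host names under adexample.com and the documentation-range addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Host names and addresses are constructed.

# hosts_families FILE NAME: print ipv4, ipv6, both or none, according to
# which address families FILE maps to NAME (names compare case-insensitively).
hosts_families() {
    awk -v name="$2" '
        BEGIN { name = tolower(name) }
        {
            sub(/#.*/, "")            # strip comments; awk re-splits the fields
            for (i = 2; i <= NF; i++)
                if (tolower($i) == name) { if ($1 ~ /:/) v6 = 1; else v4 = 1 }
        }
        END {
            if (v4 && v6) print "both"
            else if (v4)  print "ipv4"
            else if (v6)  print "ipv6"
            else          print "none"
        }' "$1"
}

# ipv4_pinned FILE NAME: succeed only when the workaround is in place,
# i.e. NAME has an IPv4 entry and no IPv6 entry in FILE.
ipv4_pinned() {
    [ "$(hosts_families "$1" "$2")" = "ipv4" ]
}

# resolver_view NAME: addresses the system resolver returns for NAME
# (hosts file and DNS combined), one per line, for comparison with the file.
resolver_view() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
127.0.0.1      localhost
192.0.2.10     adserver.adexample.com adserver   # constructed AD entry
2001:db8::10   dualstack.adexample.com           # constructed IPv6 entry
192.0.2.11     dualstack.adexample.com
EOF
    for h in adserver.adexample.com dualstack.adexample.com missing.adexample.com; do
        printf '%s: %s\n' "$h" "$(hosts_families "$sample" "$h")"
    done
    rm -f "$sample"
}
demo
```

On the IPA server itself, run `ipv4_pinned /etc/hosts <AD server name>` and compare with `resolver_view <AD server name>`; an IPv6 address in the resolver output means the name is still resolving outside the pinned entry.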