William Faulk via FreeIPA-users wrote:
> I have an IdM environment where one of the replicas stopped replicating out.
> A number of clients were enrolled into this replica. They are currently
> working fine, since they're basically only ever talking to that replica. But
> I need to fix that replica, and the only feasible solution at this point
> seems to be a re-initialization. But that means that these clients'
> enrollments will disappear.
>
> Is there any way to get a client in this state to re-enroll into a different
> replica that doesn't yet know about it, in such a way that it won't have an
> interruption in the IdM services it consumes? I only have four systems in
> this state, so I can reasonably make manual changes to support this, as long
> as they won't be snowflakes in the long term.
>
It depends on how the clients are configured. Do they have their own IPA-defined services? Have certificates been issued for the client? Are there machine-specific sudo or HBAC rules?

If not then uninstall and re-install of the client should do it. You'll probably want to pass --server to ipa-client-install to point to any of the existing servers (or your preference). After re-install it should work fine. It might be initially slightly slower as SSSD will re-download sudo and HBAC rules.

If you do have client-specific services/certs/rules you'll need to carefully note what they are. You'll have to manually re-create them on the new server.

Note that since there is a separate replication agreement for PKI it's possible that any certificates you've issued do exist on all the other IPA servers so there may be nothing to do there. I'd probably make a backup or at least know what serial numbers they are so if they go away or are otherwise broken you can revoke the old ones and issue new ones.

rob
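
The inventory and re-enrollment steps from the reply above, as an added sketch that is not part of the original thread. The function names, `DRY_RUN`, `OUTDIR` and the `example.test` host names are assumptions made for illustration; the commands need root on the client and a valid admin Kerberos ticket.

```shell
#!/bin/sh
# Added example, not from the thread. All host and domain names are placeholders.
DRY_RUN=${DRY_RUN:-1}                      # 1 = print the commands instead of running them
OUTDIR=${OUTDIR:-./ipa-client-inventory}   # where inventory output is kept

# Run a command, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Like run, but keep the command's output in $OUTDIR/<label>.txt for later comparison.
save() {
    label=$1; shift
    if [ "$DRY_RUN" = 1 ]; then
        run "$@"
    else
        mkdir -p "$OUTDIR" && "$@" > "$OUTDIR/$label.txt"
    fi
}

# Record what is tied to this host while the old replica still knows about it.
inventory() {
    host=$1
    save host     ipa host-show "$host" --all            # includes rule and host group membership
    save services ipa service-find --man-by-hosts="$host"
    save certs    ipa cert-find --hosts="$host"          # serial numbers, in case of later revocation
    save hbac     ipa hbacrule-find --hosts="$host"      # direct membership only
    save sudo     ipa sudorule-find --hosts="$host"      # direct membership only
    save tracked  ipa-getcert list                       # certmonger requests on this client
}

# Uninstall, then enroll against a server that replicates correctly.
# The install is left interactive so it prompts for the enrolling principal.
reenroll() {
    host=$1 server=$2 domain=$3
    run ipa-client-install --uninstall --unattended &&
    run ipa-client-install --server="$server" --domain="$domain" --hostname="$host"
}

# Usage (constructed names):
#   inventory client1.example.test
#   DRY_RUN=0 inventory client1.example.test
#   DRY_RUN=0 reenroll client1.example.test ipa2.example.test example.test
```

Run the inventory before the replica is re-initialized, and compare the saved files against the new server after re-enrollment to see which services or rules need to be re-created.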