William Faulk via FreeIPA-users wrote:
> I have an IdM environment where one of the replicas stopped replicating out. 
> A number of clients were enrolled into this replica. They are currently 
> working fine, since they're basically only ever talking to that replica. But 
> I need to fix that replica, and the only feasible solution at this point 
> seems to be a re-initialization. But that means that these clients' 
> enrollments will disappear.
> 
> Is there any way to get a client in this state to re-enroll into a different 
> replica that doesn't yet know about it, in such a way that it won't have an 
> interruption in the IdM services it consumes? I only have four systems in 
> this state, so I can reasonably make manual changes to support this, as long 
> as they won't be snowflakes in the long term.
> 

It depends on how the clients are configured. Do they have their own
IPA-defined services? Have certificates been issued for the client? Are
there machine-specific sudo or HBAC rules?

If not then uninstall and re-install of the client should do it. You'll
probably want to pass --server to ipa-client-install to point to any of
the existing servers (or your preference).

After re-install it should work fine. It might be initially slightly
slower as SSSD will re-download sudo and HBAC rules.

If you do have client-specific services/certs/rules you'll need to
carefully note what they are. You'll have to manually re-create them on
the new server.

Note that since there is a separate replication agreement for PKI it's
possible that any certificates you've issued do exist on all the other
IPA servers so there may be nothing to do there. I'd probably make a
backup or at least know what serial numbers they are so if they go away
or are otherwise broken you can revoke the old ones and issue new ones.

rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
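The inventory-then-reinstall procedure Rob describes, written out as a POSIX shell script. This is an added example for this archive page, not code from the thread or from the FreeIPA project. It assumes an admin Kerberos ticket on the machine running the inventory, the FreeIPA `ipa` and `ipa-client-install` commands, and constructed names (`client.example.test`, `ipa1.example.test`); the `IPA_CMD` variable exists only so the query layer can be swapped for a stub. One caveat the script handles explicitly: `ipa *-find` exits non-zero when nothing matched, so an empty result and a failed query (no ticket, unreachable server) must be told apart rather than both read as "nothing to re-create".

```shell
#!/bin/sh
# Added example (not from the thread): inventory a client's IPA-side objects
# before uninstall/re-install, then re-enroll against a chosen server.
# Assumes an admin Kerberos ticket and the FreeIPA `ipa` CLI; IPA_CMD is
# only a hook so a stub can replace `ipa`.

IPA_CMD="${IPA_CMD:-ipa}"

# Run one `ipa ... -find` query, append its raw output to $2, and print the
# count from the "Number of entries returned N" summary line, or -1 when the
# summary is missing (the query itself failed). `ipa *-find` exits 1 when
# nothing matched, so its exit status is deliberately ignored here.
_ipa_find_count() {
    query="$1"; out="$2"
    printf '### ipa %s\n' "$query" >> "$out"
    result=$("$IPA_CMD" $query 2>&1) || true
    printf '%s\n' "$result" >> "$out"
    printf '%s\n' "$result" |
        awk '/Number of entries returned/ {n=$NF; f=1} END {print (f ? n : -1)}'
}

# inventory_client FQDN OUTFILE
# Records what the reply says to note before re-enrolling: services named
# for the host, certificates issued to it (with serial numbers), and the
# HBAC rules, sudo rules and host groups that reference it directly.
# Returns 0 when nothing client-specific exists (plain re-install suffices),
# 1 when OUTFILE lists objects to re-create by hand, 2 when a query failed.
inventory_client() {
    fqdn="$1"; out="$2"
    : > "$out"
    total=0
    for query in \
        "service-find $fqdn" \
        "cert-find --hosts=$fqdn" \
        "hbacrule-find --hosts=$fqdn" \
        "sudorule-find --hosts=$fqdn" \
        "hostgroup-find --hosts=$fqdn"; do
        n=$(_ipa_find_count "$query" "$out")
        if [ "$n" -lt 0 ]; then
            echo "ipa $query failed; do not treat this as 'nothing found' (see $out)" >&2
            return 2
        fi
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
}

# Print the certificate serial numbers captured by inventory_client, so they
# can be kept aside for a later revoke/re-issue if the certs do not survive.
cert_serials() {
    awk '/Serial number:/ {print $NF}' "$1"
}

# reenroll_client SERVER DOMAIN REALM
# Uninstall the client and enroll it again against SERVER (the --server
# option Rob mentions). The install step is left interactive on purpose so
# the admin password is prompted for rather than passed on the command line.
reenroll_client() {
    server="$1"; domain="$2"; realm="$3"
    ipa-client-install --uninstall --unattended
    ipa-client-install --server="$server" --domain="$domain" \
        --realm="$realm" --principal=admin
}

# Usage: sh reenroll.sh inventory client.example.test inventory.txt
#        sh reenroll.sh reenroll ipa1.example.test example.test EXAMPLE.TEST
case "$1" in
    inventory)
        if inventory_client "$2" "$3"; then
            echo "no client-specific objects found; plain re-install is enough"
        else
            echo "objects recorded in $3; re-create them on the new server after enrolling"
            echo "certificate serial numbers:"; cert_serials "$3"
        fi ;;
    reenroll) reenroll_client "$2" "$3" "$4" ;;
esac
```

Run the inventory step from a host that still has working admin credentials before touching the client, and keep the output file: it is the "carefully note what they are" list from the reply, and the serial numbers it captures are what you would need to revoke and re-issue if the certificates turn out not to exist on the surviving servers. The `--hosts` searches only find rules and groups that name the host directly, so the host-group query is included because rules applied through a group are lost if the re-enrolled host is not added back to that group.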