On Mon, 23 Dec 2024, Ranbir via FreeIPA-users wrote:
> Hello Everyone,
>
> Can I migrate a freeipa enrolled host, host.domain.tld, to a brand new
> host with the same name without disrupting services that depend on
> keytabs on the old host? The keytab files from the old host should just
> work on the new one as long as the hostnames are exactly the same,
> right?
>
> What I'm unsure about is how to get the new host enrolled without
> overwriting the old host's kerberos "stuff" in freeipa.

There is no way to achieve that without overwriting the old encryption
key.

ipa-client-install has the option '-k' (--keytab) that allows you to specify
the old host's keytab file to authenticate as that old host. However, after
we re-enroll with this keytab, we call 'ipa-getkeytab' with parameters
that do not include '-r' (retrieve), so the new host will always overwrite
the host/... principal's encryption keys.



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
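A check for the failure mode Alexander describes, as an added example that is not part of the thread: once the new host re-enrolls, the KDC holds a fresh key with a higher kvno for the host principal, so any keytab copied from the old host is silently stale. The helpers below parse `klist -kte` and `kvno` output (MIT Kerberos format assumed) and report whether a keytab still matches the KDC; the sample output is constructed, not captured.

```shell
# Added example, not code from the thread. After re-enrollment the KDC holds a
# new key with a higher kvno for host/<fqdn>; keytabs copied from the old host
# keep the old kvno and stop working. Compare the keytab's kvno with the KDC's.

# keytab_kvno <principal>: reads `klist -kte` output on stdin and prints the
# highest kvno stored for that principal (0 if absent). Assumes MIT format:
# kvno in field 1, principal just before the trailing "(enctype)" field.
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $(NF-1) == p && $1+0 > max { max = $1+0 }
        END { print max+0 }'
}

# kdc_kvno <principal>: reads `kvno <principal>` output on stdin and prints
# the kvno the KDC issues tickets for (0 if the principal is not listed).
kdc_kvno() {
    awk -v p="$1" '
        $1 == (p ":") && $2 == "kvno" { print $NF+0; found = 1 }
        END { if (!found) print 0 }'
}

# keytab_status <principal> <klist-listing> <kvno-output>: prints "current"
# when the keytab still holds the KDC's kvno, "stale" when the KDC moved on
# (the effect of ipa-getkeytab without -r), "missing" if the principal is absent.
keytab_status() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno "$1")
    if [ "$kt" -eq 0 ]; then echo missing
    elif [ "$kt" -eq "$kdc" ]; then echo current
    else echo stale
    fi
}

# Constructed sample output, not captured from a real system.
PRINC='host/host.domain.tld@DOMAIN.TLD'
OLD_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- -----------------------------------------------------
   2 12/20/2024 09:00:00 host/host.domain.tld@DOMAIN.TLD (aes256-cts-hmac-sha1-96)
   2 12/20/2024 09:00:00 host/host.domain.tld@DOMAIN.TLD (aes128-cts-hmac-sha1-96)'
KVNO_BEFORE='host/host.domain.tld@DOMAIN.TLD: kvno = 2'
KVNO_AFTER='host/host.domain.tld@DOMAIN.TLD: kvno = 3'

# On a live host: keytab_status "$PRINC" "$(klist -kte /etc/krb5.keytab)" "$(kvno "$PRINC")"
echo "before re-enrollment: $(keytab_status "$PRINC" "$OLD_LISTING" "$KVNO_BEFORE")"
echo "after re-enrollment:  $(keytab_status "$PRINC" "$OLD_LISTING" "$KVNO_AFTER")"
```

Running this against the real `klist -kte` and `kvno` output on the old host after the new one enrolls shows "stale", which is the point at which the old host's Kerberos-dependent services stop authenticating.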

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org