There is documentation suggesting that if you add the old key table entry (with an older kvno) to the key table, existing credentials will work, but any new ones would use the new version. Is that wrong?
________________________________
From: Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: Monday, December 23, 2024 2:07 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Ranbir <m3fr...@thesandhufamily.ca>; Alexander Bokovoy <aboko...@redhat.com>
Subject: [Freeipa-users] Re: Migrate freeipa enrolled host to new host

On Mon, 23 Dec 2024, Ranbir via FreeIPA-users wrote:
>Hello Everyone,
>
>Can I migrate a freeipa enrolled host, host.domain.tld, to a brand new
>host with the same name without disrupting services that depend on
>keytabs on the old host? The keytab files from the old host should just
>work on the new one as long as the hostnames are exactly the same,
>right?
>
>What I'm unsure about is how to get the new host enrolled without
>overwriting the old host's kerberos "stuff" in freeipa.

There is no way to achieve that without overwriting the old encryption key. ipa-client-install has the option '-k' (--keytab) that allows specifying the old host's keytab file to authenticate as that old host. However, after we have re-enrolled with this keytab, we call 'ipa-getkeytab' with parameters that do not include '-r' (retrieve), so the new host will always overwrite the host/... principal's encryption keys.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
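The follow-up question in this thread is whether a keytab can hold the old kvno entry alongside the new one so existing tickets keep working. The example below is added here and is not code from the thread or from FreeIPA: it parses an MIT-format (0x0502) keytab directly from its bytes and reports which kvnos are present per principal, so an administrator can verify that the old entry was actually retained before cutting over. The sample keytab, the realm DOMAIN.TLD and the key bytes are constructed; deleted slots (negative entry size) are skipped the way klist skips them.

```python
import struct
from collections import defaultdict
def _entry(realm, comps, kvno, enctype, key, ts=1734955620):
    # Build one MIT keytab (0x0502) entry; used only to construct the sample.
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                          # realm, then name parts
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)    # name_type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
    body += struct.pack(">I", kvno)                    # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

# Constructed sample: old (kvno 3) and current (kvno 4) aes256-cts (enctype 18)
# keys for the same host principal. Realm and key bytes are hypothetical.
PRINC = ("DOMAIN.TLD", ["host", "host.domain.tld"])
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(*PRINC, 3, 18, b"\x11" * 32)
                 + _entry(*PRINC, 4, 18, b"\x22" * 32))

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for the live entries of a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm followed by ncomp components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        # name_type, timestamp, 8-bit vno, enctype, key length; then the key bytes
        _nt, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        # A trailing 32-bit vno, when present and non-zero, overrides the 8-bit one
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        pos = end
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
    return entries

def kvnos_by_principal(data):
    """Map principal -> sorted kvnos, to see whether the old kvno is still held."""
    found = defaultdict(set)
    for princ, kvno, _enctype in parse_keytab(data):
        found[princ].add(kvno)
    return {p: sorted(v) for p, v in found.items()}
```

On a real host, `klist -kte /etc/krb5.keytab` shows the same principal, kvno and enctype fields; a principal listed with only the new kvno means tickets issued against the old key will fail once the KDC side has been overwritten.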