On 12/17/18 1:40 PM, Kees Bakker via FreeIPA-users wrote:
> Hello,
> I want to move my IPA master to new hardware, but IPA does not
> want to start on that new hardware.
> /var/log/krb5kdc.log shows:
> krb5kdc: Server error - while fetching master key K/M for realm GHS.NL
> And then of course the rest of FreeIPA is not working either.
> I've basically copied the whole disk using rsync, and tweaked
> some things like ifcfg and fstab.
> The rsync command needs --numeric-ids, but other than that nothing
> else is needed, I think.
> rsync -ai -x --delete --numeric-ids oldmaster:/oldroot/ /croot/
> Also force a relabeling for SELinux
> touch /croot/.autorelabel
> It boots alright, but IPA isn't started properly.
> Can someone shed some light on this? Does krb5kdc depend on its hardware?
> Is there documentation on how to move an IPA master to other hardware?

Hi,
you can have a look at the ipa-backup / ipa-restore commands [1]. The
limitations are that you need to restore on a server with the same IPA
version and with the same hostname.
If you have a spare machine you can also use replication, and create a
replica of your current master with all the needed services (CA, KRA,
DNS if needed).
If you really need to keep the same hostname, then you will need a spare
machine:
1. create serverB as a replica of serverA on your spare machine. Do not
forget to promote serverB as CA renewal master and CRL master [2].
2. decommission serverA with (on serverA) ipa-server-install --uninstall
and (on serverB) ipa-replica-manage del serverA --clean
3. provision your new hardware with hostname=serverA, install serverA as
a replica of serverB.
I would advise keeping serverB, as it will provide redundancy.
This wiki [3] also explains the preferred paths depending on your situation.
HTH,
flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[2] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
[3] https://www.freeipa.org/page/Backup_and_Restore
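
The two ipa-restore limitations mentioned above (same IPA version, same hostname) can be checked before any data is moved. The following is an added example, not part of the original message and not FreeIPA's own code; it assumes each backup directory holds an INI-style `header` file with an `[ipa]` section containing `host` and `ipa_version`, and the hostnames and version numbers in it are constructed.

```python
import configparser

# Constructed sample of the "header" file assumed to sit in a backup directory.
SAMPLE_HEADER = """\
[ipa]
type = FULL
time = 2018-12-17T13:40:00
host = servera.example.test
ipa_version = 4.6.4
version = 1
services = CA,DNS
"""


def parse_header(text):
    """Return (host, ipa_version) recorded in a backup header."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("ipa"):
        raise ValueError("not an IPA backup header: no [ipa] section")
    try:
        return cp.get("ipa", "host"), cp.get("ipa", "ipa_version")
    except configparser.NoOptionError as exc:
        raise ValueError(f"incomplete backup header: {exc}") from exc


def restore_blockers(header_text, target_host, target_version):
    """List the reasons this backup cannot be restored on the target server.

    target_host and target_version describe the new machine, e.g. the value
    of socket.getfqdn() and the IPA version installed there.
    """
    host, version = parse_header(header_text)
    problems = []
    # Hostnames compare case-insensitively; ignore a trailing root dot.
    if host.rstrip(".").lower() != target_host.rstrip(".").lower():
        problems.append(f"hostname mismatch: backup={host} target={target_host}")
    if version.strip() != target_version.strip():
        problems.append(f"IPA version mismatch: backup={version} target={target_version}")
    return problems


if __name__ == "__main__":
    targets = [("servera.example.test", "4.6.4"), ("serverb.example.test", "4.7.0")]
    for host, version in targets:
        issues = restore_blockers(SAMPLE_HEADER, host, version)
        print(host, version, "->", "restore possible" if not issues else issues)
```

An empty result means neither limitation applies; any entry means the replica-based path in steps 1 to 3 is the one to follow.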