sharmaji a via FreeIPA-users wrote:
Hi FreeIPA team,
I'm verifying the FreeIPA backup/restore process.
In our lab environment, FreeIPA 4.5.0 was running fine with a single instance. I took the
backup and shut down the VM.
I created a fresh CentOS 7 VM, installed IPA server 4.6.8 and did a restore of the "data
only" backup. The FQDN and IP address are the same as the old VM.
After a little troubleshooting all services are working fine. I can see all users &
hosts - all good.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Now, from the existing client side, I did ipa-client-install --uninstall, but when I do
ipa-client-install --domain example.com --realm EXAMPLE.COM
I get the error below:
Joining realm failed: libcurl failed to execute the HTTP POST transaction, explaining:
You are attempting to import a cert with the same issuer/serial as an existing cert, but
that is not the same cert.
I tried on a fresh client but domain joining still fails with the same error.
Any suggestions?
Also, if someone can share a good document for the backup/restore process where the backup
is restored on a completely new & fresh system, it will be highly appreciated.

You don't want to use data-only on a fresh install. You want to do a
full ipa-restore. The underlying installation is going to have certs,
keytabs, etc. issued now with a different backend.
It is technically possible but involves stripping out any Kerberos key
material and certificates.
What is the purpose of doing this?
I'll also add that restore should be strictly reserved for catastrophic
failures. It is itself a destructive act.
rob