On 18-12-18 17:50, Florence Blanc-Renaud wrote:
> On 12/17/18 1:40 PM, Kees Bakker via FreeIPA-users wrote:
>> Hello,
>>
>> I want to move my IPA master to new hardware, but IPA does not
>> want to start on that new hardware.
>>
>> /var/log/krb5kdc.log shows:
>> krb5kdc: Server error - while fetching master key K/M for realm GHS.NL
>>
>> And then of course the rest of FreeIPA is not working either.
>>
>> I've basically copied the whole disk using rsync, and tweaked
>> some things like ifcfg and fstab.
>>
>> The rsync command needs --numeric-ids, but other than that nothing
>> else is needed, I think.
>> rsync -ai -x --delete --numeric-ids oldmaster:/oldroot/ /croot/
>>
>> Also force a relabeling for SELINUX
>> touch /croot/.autorelabel
>>
>> It boots alright, but IPA isn't started properly.
>>
>> Can someone shed some light on this? Does krb5kdc depend on its hardware?
>> Is there documentation on how to move an IPA master to other hardware?
>>
> Hi,
> you can have a look at the ipa-backup / ipa-restore commands [1]. The limitations are
> that you need to restore on a server with the same IPA version and with the same hostname.

Yes, I looked at that document. However, I was hoping to just do a "simple"
file system copy. Well, it turned out to not be so simple.

> If you have a spare machine you can also use replication, and create a replica of your
> current master with all the needed services (CA, KRA, DNS if needed).
> If you really need to keep the same hostname, then you will need a spare machine:
> 1. create serverB as a replica of serverA on your spare machine. Do not forget to promote
> serverB as CA renewal master and CRL master [2].
> 2. decommission serverA with (on serverA) ipa-server-install --uninstall and (on serverB)
> ipa-replica-manage del serverA --clean
> 3. provision your new hardware with hostname=serverA, install serverA as a replica of
> serverB.
> I would advise keeping serverB as it will provide redundancy.
> This wiki [3] also explains the preferred paths depending on your situation.

I have read that document too. First I want to give it another try. If it
fails again I will follow the advice described above.
Thanks for your help.