On 12/20/18 11:51 AM, Kees Bakker via FreeIPA-users wrote:
> On 19-12-18 12:06, Kees Bakker via FreeIPA-users wrote:
>> On 18-12-18 17:50, Florence Blanc-Renaud wrote:
>> [...]
>>> If you have a spare machine you can also use replication, and create a replica of your current master with all the needed services (CA, KRA, DNS if needed).
>>> If you really need to keep the same hostname, then you will need a spare machine:
>>> 1. create serverB as a replica of serverA on your spare machine. Do not forget to promote serverB as CA renewal master and CRL master [2].
>>> 2. decommission serverA with (on serverA) ipa-server-install --uninstall and (on serverB) ipa-replica-manage del serverA --clean
>>> 3. provision your new hardware with hostname=serverA, install serverA as a replica of serverB.
>>> I would advise to keep serverB as it will provide redundancy.
>>>
>>> This wiki [3] also explains the preferred paths depending on your situation.
>> I have read that document too. First I want to give it another try. If it
>> fails again I will follow the advice described above.
>>
>> Thanks for your help.
>>
>>> HTH,
>>> flo
>>>
>>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
>>> [2] https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
>>> [3] https://www.freeipa.org/page/Backup_and_Restore
>>>
> Just to let you know, I have given up on my "rsync" procedure. I am now
> following the steps above. Well, except step 3, because I didn't want to add
> even more hardware in the process (the "spare machine" mentioned above).
> Step 1 is completed. Promotion of CA renewal and CRL master is done.
> I have a remaining question.
> What do I do with all the IPA clients that point to serverA? At some point I
> want to execute step 2, and shut off that system. I briefly looked at the files
> in /etc and found these (alblas is my serverA):

If your applications are using DNS to find the server, they will be
fine. But some have hardcoded values and need to be reconfigured.

> /etc/sssd/sssd.conf:ipa_server = _srv_, alblas.ghs.nl

Please have a look at the man page sssd-ipa(5), especially the SERVICE
DISCOVERY section. _srv_ means that service discovery will be used to
find a server, and if no servers can be discovered using DNS, alblas
will be used instead.

> /etc/ipa/default.conf:server = alblas.ghs.nl
> /etc/ipa/default.conf:xmlrpc_uri = https://alblas.ghs.nl/ipa/xml

default.conf is used for all the ipa * commands. By default, the command
will start with the configured xmlrpc_uri but if it fails, it will fall
back to the _ldap._tcp. servers found in the DNS.
So if you replace alblas with the new server hostname you will speed up
the command.

> /etc/ntp.conf:server alblas.ghs.nl
> /etc/ldap/ldap.conf:URI ldaps://alblas.ghs.nl

The URI is used as default if none is provided to ldapsearch.

> Do I have to visit each client and modify these files? Anything else?

Before completely removing your initial server, perform ipactl stop on
the initial server and check that the clients are still working:
# id $USER
# kinit $USER
# ipa user-find
# host `hostname`
# ipa cert-find 1
HTH,
flo
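The client files listed in the thread, and the point about _srv_ keeping the literal hostname as a DNS fallback only, can be turned into a pre-shutdown check run on each client. The script below is an added example, not code from the thread or from FreeIPA: the hostname alblas.ghs.nl is the one in the thread, the file contents are constructed copies of the four files Kees listed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeIPA: inspect client config
# files for a literal reference to the server being decommissioned and check
# whether sssd keeps DNS service discovery (_srv_) ahead of that literal host.
# OLD_SERVER is the hostname from the thread; the file contents are constructed.

OLD_SERVER="alblas.ghs.nl"

# Print "file:lineno:line" for every line in the given files naming $1.
# Returns 0 if any reference was found, 1 otherwise (unreadable files are skipped).
find_hardcoded_refs() {
    needle="$1"; shift
    status=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -Fq -- "$needle" "$f"; then
            status=0
            grep -Fn -- "$needle" "$f" | sed "s|^|$f:|"
        fi
    done
    return "$status"
}

# Extract the value of the ipa_server option from an sssd.conf-style file.
sssd_ipa_server_value() {
    sed -n 's/^[[:space:]]*ipa_server[[:space:]]*=[[:space:]]*//p' "$1"
}

# Returns 0 when ipa_server lists _srv_, i.e. sssd-ipa(5) service discovery is
# tried first and any literal hosts are only a fallback; 1 otherwise.
sssd_uses_srv_discovery() {
    case "$(sssd_ipa_server_value "$1")" in
        *_srv_*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the literal fallback hosts from ipa_server, one per line, _srv_ removed.
sssd_fallback_servers() {
    sssd_ipa_server_value "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v -e '^_srv_$' -e '^$'
}

# Create constructed copies of the four files named in the thread under $1.
make_demo_configs() {
    dir="$1"
    mkdir -p "$dir/sssd" "$dir/ipa" "$dir/ldap"
    printf '[domain/ghs.nl]\nid_provider = ipa\nipa_server = _srv_, alblas.ghs.nl\n' \
        > "$dir/sssd/sssd.conf"
    printf '[global]\nserver = alblas.ghs.nl\nxmlrpc_uri = https://alblas.ghs.nl/ipa/xml\n' \
        > "$dir/ipa/default.conf"
    printf 'server alblas.ghs.nl\n' > "$dir/ntp.conf"
    printf 'URI ldaps://alblas.ghs.nl\n' > "$dir/ldap/ldap.conf"
}

# Demo run against the constructed files (on a real client, drop the $demo prefix).
demo=$(mktemp -d)
make_demo_configs "$demo"
echo "Lines still naming $OLD_SERVER:"
find_hardcoded_refs "$OLD_SERVER" \
    "$demo/sssd/sssd.conf" "$demo/ipa/default.conf" "$demo/ntp.conf" "$demo/ldap/ldap.conf"
if sssd_uses_srv_discovery "$demo/sssd/sssd.conf"; then
    echo "sssd: _srv_ present; fallback host(s): $(sssd_fallback_servers "$demo/sssd/sssd.conf" | tr '\n' ' ')"
else
    echo "sssd: no _srv_; this client relies entirely on the literal ipa_server list"
fi
rm -rf "$demo"
```

Running it against the constructed files reports all five lines that name the old server, and confirms that sssd has _srv_ in front so the literal host is only a fallback. A client whose ipa_server line lacks _srv_ is the one that breaks the moment serverA is stopped, which is exactly what the ipactl stop test above is meant to surface.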