sharmaji a via FreeIPA-users wrote:
Thanks Rob for your reply.
In our situations, we have only left with data-only backup of our IPA server. (For some
reason, both our IPA Master and Replica server got corrupted and are not in recoverable
state.)
So we attempted, data-only restore on Fresh Install of IPA server. We faced issue with
Kerberos and RA key miss match which we fixed. Now we stuck with CA miss match issue.
We suspect CA cert in local files likes NSS db, SLAPd & HTTP alias folder are NOT
matching with CA keys in LDAP, as this KEY came from data-only restore.
So, can we remove entire exiting CA and re-create it again?
Not easily. I'm sure it's theoretically possible but given the rest of
the state probably not the best approach.
At this point you're in disaster recovery and it's going to be painful.
To say "there be dragons" doesn't do things justice.
This is likely to be a manual and iterative process until you get the
data massaged just right.
Whatever you do make a copy of the backup some place safe. I would not
use ipa-restore to restore the data. Instead I'd extract the tarball and
use dsconf ldif2db on userRoot.ldif.
You'll have to make a *lot* of manual edits to the ldif before loading.
I haven't attempted such a thing in many years and there is no document
on what to do, how or what pitfalls you'll run into. Like I said,
iterative with lots and lots of re-installs until you get it just right.
Your "new" IPA install has a different Kerberos master key and CA than
before. If you do the restore then you'll get the original master key.
This can be good since it will preserve all the user passwords, etc.
But this will break all the current keytabs. You can use kadmin to
procure new ones, I think. Assuming you can get dirsrv and the KDC to start.
You'll want to remove any userCertificate values from the userRoot ldif.
These don't exist in the current CA. I'd run through all the certmonger
requests and re-issue them all so that the latest values are stored.
For any non-IPA-server certificates you'll need to re-issue them.
On the new install you'll want to request the same POSIX range as used
by the original server.
I'm sure there's more to do, this is just a small flavor of what you're
looking at.
rob