Unless we can preserve the kerberos keys and certs and migrate them to the new system. Thsi would generally mean that we carry over all the master keys and certs too.

Simo had worked out a way to preserve the Kerberos master key long ago. I'm not sure if it is still applicable today.

My thought was that you end up with a new Kerberos master key and a new CA, which means that all migrated principals need new keytabs, and certificates are excluded from the migration.

Related discussion: http://www.redhat.com/archives/freeipa-users/2014-January/msg00243.html

From Pter Spacek:

May be that we could provide a tool for FreeIPA domain rename, so you can create replica, disconnect the replica and then rename the FreeIPA domain to something else (renaming would include master-key regeneration etc.).

This solves two problems at once:

• FreeIPA-to-FreeIPA migration
• FreeIPA domain renaming

Related ticket solving migration from Kerberos realm: #4285.

There is an existing thesis topic proposal for this RFE: ​https://thesis-managementsystem.rhcloud.com/topic/show/215/freeipa-to-freeipa-migration

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1301664

Additional user stories:

As an IPA administrator I want to migrate IPA from dev/staging environment to production environment.

As an IPA administrator I want to migrate from one operating system to another. I.e. Fedora/CentOS to RHEL.

Issue linked to bug 1465917

master:

• d4859db Design for IPA-to-IPA migration

master:

• 5c86141 Issue 3656 - Extend schema function to return MAY or MUST attrs

ipa-4-11:

• 6dc987a Issue 3656 - Extend schema function to return MAY or MUST attrs

master:

• cbe1873 IPA-to-IPA migration tool (beta)