[Freeipa-users] Upgrade/Migration steps

Rob Crittenden rcritten at redhat.com
Fri Jun 21 13:26:36 UTC 2013


Joshua J. Kugler wrote:
> On Wednesday, June 19, 2013 16:34:31 Joshua J. Kugler wrote:
>> Check SSH connection to remote master
>> Execute check on remote master
>>
>> Remote master check failed with following error message(s):
>> bash: /usr/sbin/ipa-replica-conncheck: No such file or directory
>>
>> Connection check failed!
>> Please fix your network settings according to error messages above.
>> If the check results are not valid it can be skipped with --skip-conncheck
>> parameter.
>
> OK, so it didn't click that it was trying to run ipa-replica-conncheck on the
> other machine, and that the error message was on the other machine.
>
> But, skipping the connection check, I'm still getting this:
>
> # ipa-replica-install --setup-ca -N replica-info-ipan.lab.whamcloud.com.gpg --skip-conncheck
> Directory Manager (existing master) password:
>
> ipa         : CRITICAL CA DS schema check failed. Make sure the PKI service on
> the remote master is operational.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> LDAP error: PROTOCOL_ERROR
> unsupported extended operation
>
> I even brought over /etc/ipa/ca.crt file and did this:
>
> export LDAPTLS_CACERT=/etc/ipa/ca.crt; ipa-replica-install --setup-ca -N
> replica-info-ipan.lab.whamcloud.com.gpg --skip-conncheck
>
> Same error message.
>
> I'm lost. Help?

This is unrelated to passing in the CA certificate.

We'd need to see /var/log/ipareplica-install.log to see what the LDAP 
error is. If you look on the remote master DS access log it may have 
additional information on what was requested.

In 2.2 IPA and the CA each have separate 389-ds instances to store the 
LDAP data. They are combined in 3.1 which may be what the schema error 
means.

What exact version is your current master and what are you trying to 
create a replica to?

rob



