[Freeipa-users] some problems after migrating from 3.0 to 3.3

Gianluca Cecchi gianluca.cecchi at gmail.com
Fri Dec 12 13:57:17 UTC 2014


Hello,
I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system with IPA
3.3.
The workflow was the one to create a replica and then decommission the old
one (that now is with services stopped) with the commands:

on old server:
 ipa-server-install --uninstall

on new server:
 ipa-replica-manage del infra.localdomain.local --force

I notice some things:
- every 5 minutes I get this
in /var/log/dirsrv/slapd-LOCALDOMAIN-LOCAL/errors of new server

[12/Dec/2014:14:29:48 +0100] slapi_ldap_bind - Error: could not send
startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)

I don't know if the error is related to the old server or anything else.
And if indeed it is a real error, as it writes Error, but there is
ambiguity in message (errno 0 and Success words). Do I have to care and fix?

- in CentOS 6.6 I had IPA with bind (9.8.2-0.23.rc1.el6_5.1), configured
with plain files:
# ll /var/named/data/*zone
-rw-r--r-- 1 root root 1244 Dec  6 14:35 /var/named/data/forward.zone
-rw-r--r-- 1 root root  912 Dec  6 14:35 /var/named/data/reverse.zone

After migration the bind configuration has been put under IPA with these
lines in named.conf:

dynamic-db "ipa" {
        library "ldap.so";
        arg "uri ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket";
        arg "base cn=dns, dc=localdomain,dc=local";
        arg "fake_mname c7server.localdomain.local.";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "sasl_user DNS/c7server.localdomain.local";
        arg "serial_autoincrement yes";
};

It works but the old IPA server hostname (with hostname=infra) is no longer
resolvable.
I have that
nslookup hostname
works for every host that was previously defined inside the zone but the
previous ipa server...
(new ipa and dns server is c7server and has ip 192.168.1.81)

[root at c7server etc]# nslookup infra
Server:         192.168.1.81
Address:        192.168.1.81#53

** server can't find infra: NXDOMAIN

[root at c7server etc]# nslookup vc1
Server:         192.168.1.81
Address:        192.168.1.81#53

Name:   vc1.localdomain.local
Address: 192.168.1.92


- I have great difficulties entering in IPA web gui and so modifying dns
records from there
Many times I get the message that "your session has expired".
I put
KrbMethodK5Passwd on
in /etc/httpd/conf.d/ipa.conf but it seems it doesn't always fix the
problem...
How to debug?

Thanks in advance
Gianluca