[Freeipa-users] some problems after migrating from 3.0 to 3.3

Gianluca Cecchi gianluca.cecchi at gmail.com
Fri Dec 12 14:37:36 UTC 2014


On Fri, Dec 12, 2014 at 3:13 PM, Martin Basti <mbasti at redhat.com> wrote:
>
> On 12/12/14 14:57, Gianluca Cecchi wrote:
>
> Hello, read inline comments.
>
>> Hello,
>> I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system with
>> IPA 3.3.
>> The workflow was the one to create a replica and then decommission the
>> old one (that now is with services stopped) with the commands:
>>
>> on old server:
>>  ipa-server-install --uninstall
>>
>> on new server:
>>  ipa-replica-manage del infra.localdomain.local --force
>>
>>
>> [snip]

>
> It is not clear to me: did you use IPA DNS before the upgrade, or did you just
> install IPA DNS after the upgrade?


I followed chapter 6 of
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

In IPA 3.0 I preconfigured DNS and then installed IPA with
# ipa-server-install
and at the end

"
....
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
UDP Ports:
  * 88, 464: kerberos
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
"

When I updated to 3.3, as part of the suggested documentation I created the
replica file on old server and then used this command on new server:
# ipa-replica-install --setup-ca --ip-address=192.168.1.81 -p my_password \
    -w my_password -N --setup-dns --forwarder=192.168.1.254 -U \
    /var/lib/ipa/replica-info-c7server.localdomain.local.gpg

And this way it should automatically embed the dns part into IPA, correct?


>
>> It works but the old IPA server hostname (with hostname=infra) is no
>> more resolvable
>>
>
[snip]


> IMO the behavior is expected: deleting the old replica 'infra' should remove
> the DNS record of the replica as well
>

OK. I was able to access the web GUI (this time..) and in fact the infra
entry was present neither in the forward nor in the reverse zone, so I added it
and now it is ok:

[root@c7server etc]# nslookup infra
Server:         192.168.1.81
Address:        192.168.1.81#53

Name:   infra.localdomain.local
Address: 192.168.1.62



> try following command to detect if there is the infra replica record in
> LDAP
>
> $ ipa dnsrecord-find localdomain.local
>
>
It now returns 22 entries, including the one I added for the infra hostname:

[root@c7server etc]# kinit admin
Password for admin@LOCALDOMAIN.LOCAL:
[root@c7server etc]# ipa dnsrecord-find localdomain.local
  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos
  TXT record: LOCALDOMAIN.LOCAL

...

  Record name: infra
  A record: 192.168.1.62

...

Thanks,
I will check whether the web UI again gives me the problem I had yesterday with the
expired session message...

Gianluca
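The thread's practical lesson is that `ipa-replica-manage del` also removes the deleted replica's DNS records, so after a migration the old hostname must be checked (and re-added if still needed) before anything else depends on it. The following POSIX shell helper is an added example, not code from the thread or from FreeIPA itself: it parses the `Record name:` / `A record:` block format that `ipa dnsrecord-find` prints (as shown above) and reports which names still have an A record. The embedded sample output is constructed for the example; in practice you would pipe the real command output in, e.g. `ipa dnsrecord-find localdomain.local | has_a_record infra`.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): confirm that a host such as
# the decommissioned replica still has an A record after `ipa-replica-manage del`.

# Constructed sample in the `ipa dnsrecord-find` block format shown in the thread.
SAMPLE_OUTPUT='  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos
  TXT record: LOCALDOMAIN.LOCAL

  Record name: c7server
  A record: 192.168.1.81

  Record name: infra
  A record: 192.168.1.62'

# Read dnsrecord-find output on stdin; print "name address" for each block
# that carries an A record (AAAA, NS, TXT and other types are ignored).
a_record_hosts() {
    awk '
        /^[[:space:]]*Record name:/ { name = $3 }
        /^[[:space:]]*A record:/    { print name, $3 }
    '
}

# Exit 0 if the host named in $1 has an A record in the output on stdin, 1 otherwise.
has_a_record() {
    host="$1"
    a_record_hosts | awk -v h="$host" '$1 == h { found = 1 } END { exit found ? 0 : 1 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | a_record_hosts
if printf '%s\n' "$SAMPLE_OUTPUT" | has_a_record infra; then
    echo "infra still has an A record"
else
    echo "infra has no A record: re-add it with 'ipa dnsrecord-add' if the host is still in use"
fi
```

Run the same check for the reverse zone (`ipa dnsrecord-find 1.168.192.in-addr.arpa`, matching `PTR record:` instead of `A record:`) to cover both directions the thread mentions.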