[Freeipa-users] Upgrading from 3.0.0 CentOS6 to 4.2.3 CentOS7

Wed Jan 27 07:24:27 UTC 2016

On 01/26/2016 09:45 PM, Ash Alam wrote:
> I didnt want to dig up an old thread but i am running into this issue. The
> old thread points to Pki 10.2.6 as the solution but i am not seeing that
> package on centos 7.2.
> 
> STDERR: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
> configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
> '/tmp/tmpHfdvFD'' returned non-zero exit status 1

CCing David and Endi, they might have an idea what is wrong. There were several
recent fixes, to again fix RHEL-6 to RHEL-7 migration, we would need to check
if you have them installed. As for your RHEL-6 IPA setup, is it running with
External CA, i.e. IPA CA with being signed with other CA?

> 
> On Tue, Jan 26, 2016 at 12:14 PM, Ash Alam <aalam at paperlesspost.com> wrote:
> 
>> thank you! Out of curiosity has anyone been able to automate this using
>> chef/puppet etc?
>>
>> On Tue, Jan 26, 2016 at 10:56 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>>> Did you follow the instructions in the error message? There is also a
>>> longer
>>> description here:
>>>
>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc
>>>
>>> Martin
>>>
>>> On 01/26/2016 04:38 PM, Ash Alam wrote:
>>>> I wanted to follow up on this as i finally gotten around to doing the
>>>> upgrade. I an running into this error. I also found a bugzilla ticket.
>>> Do
>>>> you have to do some type of schema upgrade like you do with active
>>>> directory?
>>>>
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1235766
>>>>
>>>>     STDERR: ipa         : CRITICAL The master CA directory server does
>>> not
>>>> have necessary schema. Please copy the following script to all CA
>>> masters
>>>> and run it on them: /usr/share/ipa/copy-schema-to-ca.py
>>>>
>>>>     If you are certain that this is a false positive, use
>>>> --skip-schema-check.
>>>>
>>>>     ipa.ipapython.install.cli.install_tool(Replica): ERROR    IPA schema
>>>> missing on master CA directory server
>>>>
>>>>
>>>>
>>>> Thank You
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Nov 20, 2015 at 11:13 AM, Martin Kosek <mkosek at redhat.com>
>>> wrote:
>>>>
>>>>> On 11/20/2015 04:08 PM, Ash Alam wrote:
>>>>>
>>>>>> Most of the clients in my env are centos 6.6 with ipa 3.0.0 client
>>>>>> installed. I
>>>>>> if bring up a replica on centos 7.2 with ipa 4.2.3 server and then
>>> start
>>>>>> phasing out the older 3.0.0 servers. Will the client that are still
>>>>>> running the
>>>>>> older client software still work?
>>>>>>
>>>>>
>>>>> It should, yes. It is expected that there are RHEL/CentOS-6 clients
>>> with
>>>>> RHEL-7 FreeIPA servers. The older clients just won't be able to use the
>>>>> newest features.
>>>>>
>>>>>
>>>>>> On Fri, Nov 20, 2015 at 4:31 AM, Martin Kosek <mkosek at redhat.com
>>>>>> <mailto:mkosek at redhat.com>> wrote:
>>>>>>
>>>>>>     On 11/19/2015 11:03 PM, Ash Alam wrote:
>>>>>>
>>>>>>         Hello All
>>>>>>
>>>>>>         I am looking for some advice on upgrading. Currently our
>>> FreeIPA
>>>>>>         servers are
>>>>>>         3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7.
>>> This
>>>>>>         upgrade path
>>>>>>         is not possible per IPA documentation. Minimum version
>>> required
>>>>>> is 3.3.x. I
>>>>>>         have also found that cenos6 does not provide anything past
>>> 3.0.0.
>>>>>>
>>>>>>
>>>>>>     And it won't. There are no plans in updating FreeIPA version in
>>>>>>     RHEL/CentOS-6.x, we encourage people who want the new features to
>>>>>> migrate
>>>>>>     to RHEL-7.x:
>>>>>>
>>>>>>
>>>>>>
>>> http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS
>>>>>>
>>>>>>
>>>>>>
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc
>>>>>>
>>>>>>     If you want to wait on CentOS-7.2, it should be in works now:
>>>>>>     http://seven.centos.org/2015/11/rhel-7-2-released-today/
>>>>>>
>>>>>>         One idea is to upgrade to 3.3.x first and then upgrade to
>>> 4.2.3
>>>>>> on centos7.
>>>>>>         This is harder since centos does not provide this. The other
>>>>>> issue is if
>>>>>>         3.0/3.3 client will be supported with 4.2.3 server.
>>>>>>
>>>>>>
>>>>>>     The right way is to migrate via creating replicas in
>>> RHEL/CentOS-7.x
>>>>>> and
>>>>>>     slowly deprecating RHEL/CentOS-6 ones. Detailed procedure in the
>>>>>> links above.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>
> 