<div dir="ltr">I wanted to follow up on this as i finally gotten around to doing the upgrade. I an running into this error. I also found a bugzilla ticket. Do you have to do some type of schema upgrade like you do with active directory?<div> </div><div><a href="https://bugzilla.redhat.com/show_bug.cgi?id=1235766">https://bugzilla.redhat.com/show_bug.cgi?id=1235766</a> <div> </div><div> STDERR: ipa : CRITICAL The master CA directory server does not have necessary schema. Please copy the following script to all CA masters and run it on them: /usr/share/ipa/copy-schema-to-ca.py If you are certain that this is a false positive, use --skip-schema-check. ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA schema missing on master CA directory server Thank You </div></div></div><div class="gmail_extra"> <div class="gmail_quote">On Fri, Nov 20, 2015 at 11:13 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 11/20/2015 04:08 PM, Ash Alam wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Most of the clients in my env are centos 6.6 with ipa 3.0.0 client installed. I if bring up a replica on centos 7.2 with ipa 4.2.3 server and then start phasing out the older 3.0.0 servers. Will the client that are still running the older client software still work? </blockquote> It should, yes. It is expected that there are RHEL/CentOS-6 clients with RHEL-7 FreeIPA servers. The older clients just won't be able to use the newest features. <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Fri, Nov 20, 2015 at 4:31 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a> <mailto:<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>>> wrote: On 11/19/2015 11:03 PM, Ash Alam wrote: Hello All I am looking for some advice on upgrading. Currently our FreeIPA servers are 3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7. This upgrade path is not possible per IPA documentation. Minimum version required is 3.3.x. I have also found that cenos6 does not provide anything past 3.0.0. And it won't. There are no plans in updating FreeIPA version in RHEL/CentOS-6.x, we encourage people who want the new features to migrate to RHEL-7.x: <a href="http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS</a> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc</a> If you want to wait on CentOS-7.2, it should be in works now: <a href="http://seven.centos.org/2015/11/rhel-7-2-released-today/" rel="noreferrer" target="_blank">http://seven.centos.org/2015/11/rhel-7-2-released-today/</a> One idea is to upgrade to 3.3.x first and then upgrade to 4.2.3 on centos7. This is harder since centos does not provide this. The other issue is if 3.0/3.3 client will be supported with 4.2.3 server. The right way is to migrate via creating replicas in RHEL/CentOS-7.x and slowly deprecating RHEL/CentOS-6 ones. Detailed procedure in the links above. </blockquote> </blockquote></div> </div>