<div dir="ltr">Hi Martin <div> </div><div>I am happy to provide the necessary information. What packages should i check for? As for IPA we are IPA CA being signed with other CA</div><div> </div><div>Thank You</div> </div><div class="gmail_extra"> <div class="gmail_quote">On Wed, Jan 27, 2016 at 2:24 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 01/26/2016 09:45 PM, Ash Alam wrote: > I didnt want to dig up an old thread but i am running into this issue. The > old thread points to Pki 10.2.6 as the solution but i am not seeing that > package on centos 7.2. > > STDERR: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to > configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' > '/tmp/tmpHfdvFD'' returned non-zero exit status 1 CCing David and Endi, they might have an idea what is wrong. There were several recent fixes, to again fix RHEL-6 to RHEL-7 migration, we would need to check if you have them installed. As for your RHEL-6 IPA setup, is it running with External CA, i.e. IPA CA with being signed with other CA? <div class="HOEnZb"><div class="h5"> > > On Tue, Jan 26, 2016 at 12:14 PM, Ash Alam <<a href="mailto:aalam@paperlesspost.com">aalam@paperlesspost.com</a>> wrote: > >> thank you! Out of curiosity has anyone been able to automate this using >> chef/puppet etc? >> >> On Tue, Jan 26, 2016 at 10:56 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> wrote: >> >>> Did you follow the instructions in the error message? There is also a >>> longer >>> description here: >>> >>> >>> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc</a> >>> >>> Martin >>> >>> On 01/26/2016 04:38 PM, Ash Alam wrote: >>>> I wanted to follow up on this as i finally gotten around to doing the >>>> upgrade. I an running into this error. I also found a bugzilla ticket. >>> Do >>>> you have to do some type of schema upgrade like you do with active >>>> directory? >>>> >>>> <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1235766" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1235766</a> >>>> >>>> STDERR: ipa : CRITICAL The master CA directory server does >>> not >>>> have necessary schema. Please copy the following script to all CA >>> masters >>>> and run it on them: /usr/share/ipa/copy-schema-to-ca.py >>>> >>>> If you are certain that this is a false positive, use >>>> --skip-schema-check. >>>> >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA schema >>>> missing on master CA directory server >>>> >>>> >>>> >>>> Thank You >>>> >>>> >>>> >>>> >>>> On Fri, Nov 20, 2015 at 11:13 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>> >>> wrote: >>>> >>>>> On 11/20/2015 04:08 PM, Ash Alam wrote: >>>>> >>>>>> Most of the clients in my env are centos 6.6 with ipa 3.0.0 client >>>>>> installed. I >>>>>> if bring up a replica on centos 7.2 with ipa 4.2.3 server and then >>> start >>>>>> phasing out the older 3.0.0 servers. Will the client that are still >>>>>> running the >>>>>> older client software still work? >>>>>> >>>>> >>>>> It should, yes. It is expected that there are RHEL/CentOS-6 clients >>> with >>>>> RHEL-7 FreeIPA servers. The older clients just won't be able to use the >>>>> newest features. >>>>> >>>>> >>>>>> On Fri, Nov 20, 2015 at 4:31 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a> >>>>>> <mailto:<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>> wrote: >>>>>> >>>>>> On 11/19/2015 11:03 PM, Ash Alam wrote: >>>>>> >>>>>> Hello All >>>>>> >>>>>> I am looking for some advice on upgrading. Currently our >>> FreeIPA >>>>>> servers are >>>>>> 3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7. >>> This >>>>>> upgrade path >>>>>> is not possible per IPA documentation. Minimum version >>> required >>>>>> is 3.3.x. I >>>>>> have also found that cenos6 does not provide anything past >>> 3.0.0. >>>>>> >>>>>> >>>>>> And it won't. There are no plans in updating FreeIPA version in >>>>>> RHEL/CentOS-6.x, we encourage people who want the new features to >>>>>> migrate >>>>>> to RHEL-7.x: >>>>>> >>>>>> >>>>>> >>> <a href="http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS</a> >>>>>> >>>>>> >>>>>> >>> <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc" rel="noreferrer" target="_blank">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc</a> >>>>>> >>>>>> If you want to wait on CentOS-7.2, it should be in works now: >>>>>> <a href="http://seven.centos.org/2015/11/rhel-7-2-released-today/" rel="noreferrer" target="_blank">http://seven.centos.org/2015/11/rhel-7-2-released-today/</a> >>>>>> >>>>>> One idea is to upgrade to 3.3.x first and then upgrade to >>> 4.2.3 >>>>>> on centos7. >>>>>> This is harder since centos does not provide this. The other >>>>>> issue is if >>>>>> 3.0/3.3 client will be supported with 4.2.3 server. >>>>>> >>>>>> >>>>>> The right way is to migrate via creating replicas in >>> RHEL/CentOS-7.x >>>>>> and >>>>>> slowly deprecating RHEL/CentOS-6 ones. Detailed procedure in the >>>>>> links above. >>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >>> >> > </div></div></blockquote></div> </div>