On Tue, 10 Mar 2015, Benjamin Reed wrote:
On 3/10/15 9:31 AM, Alexander Bokovoy wrote:
Are you following these instructions?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html


Aha!  No.  There are so many false positives in google I had no idea
that document existed.  Pretty much everything I've found that links to
"how to migrate" takes me to this:

http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS

...which in turn pointed to this:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html

I didn't see anything about RHEL6->RHEL7 or FreeIPA 3.0->3.3
http://www.freeipa.org/page/Documentation unless I missed it.  The 3.3
section on there is pretty much just a collection of things about new
features.  (And a presentation deck that points to that first link above...)
We have http://www.freeipa.org/page/Documentation#User_Guides and going
through user guide would be our recommended action. There is a whole
chapter 6 in RHEL7 docs for upgrades and migration.

Anyways, thank you for the link.  That makes it much clearer.

I do have one problem now. I currently have the following systems:

connect: RHEL6, FreeIPA master
auth.internal: CentOS6, FreeIPA replica
auth: CentOS7, migration target

Following the instructions you linked, I ran the copy-schema-to-ca.py
script on connect, and it completed successfully.  I then tried to run
it on auth.internal (the CentOS6 replica) and it fails with this error:

python copy-schema-to-ca.py
Traceback (most recent call last):
  File "copy-schema-to-ca.py", line 85, in <module>
    main()
  File "copy-schema-to-ca.py", line 79, in main
    add_ca_schema()
  File "copy-schema-to-ca.py", line 42, in add_ca_schema
    pki_pent = pwd.getpwnam(PKI_USER)
KeyError: 'getpwnam(): name not found: pkiuser'

...am I supposed to run this script the replica as well?  Or is
something broken on my replica?
Looks like you don't have CA installed on auth.internal so you don't
need to update CA schema there.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to