On 01/26/2016 09:45 PM, Ash Alam wrote: > I didnt want to dig up an old thread but i am running into this issue. The > old thread points to Pki 10.2.6 as the solution but i am not seeing that > package on centos 7.2. > > STDERR: ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to > configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' > '/tmp/tmpHfdvFD'' returned non-zero exit status 1
CCing David and Endi, they might have an idea what is wrong. There were several recent fixes, to again fix RHEL-6 to RHEL-7 migration, we would need to check if you have them installed. As for your RHEL-6 IPA setup, is it running with External CA, i.e. IPA CA with being signed with other CA? > > On Tue, Jan 26, 2016 at 12:14 PM, Ash Alam <aa...@paperlesspost.com> wrote: > >> thank you! Out of curiosity has anyone been able to automate this using >> chef/puppet etc? >> >> On Tue, Jan 26, 2016 at 10:56 AM, Martin Kosek <mko...@redhat.com> wrote: >> >>> Did you follow the instructions in the error message? There is also a >>> longer >>> description here: >>> >>> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc >>> >>> Martin >>> >>> On 01/26/2016 04:38 PM, Ash Alam wrote: >>>> I wanted to follow up on this as i finally gotten around to doing the >>>> upgrade. I an running into this error. I also found a bugzilla ticket. >>> Do >>>> you have to do some type of schema upgrade like you do with active >>>> directory? >>>> >>>> https://bugzilla.redhat.com/show_bug.cgi?id=1235766 >>>> >>>> STDERR: ipa : CRITICAL The master CA directory server does >>> not >>>> have necessary schema. Please copy the following script to all CA >>> masters >>>> and run it on them: /usr/share/ipa/copy-schema-to-ca.py >>>> >>>> If you are certain that this is a false positive, use >>>> --skip-schema-check. >>>> >>>> ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA schema >>>> missing on master CA directory server >>>> >>>> >>>> >>>> Thank You >>>> >>>> >>>> >>>> >>>> On Fri, Nov 20, 2015 at 11:13 AM, Martin Kosek <mko...@redhat.com> >>> wrote: >>>> >>>>> On 11/20/2015 04:08 PM, Ash Alam wrote: >>>>> >>>>>> Most of the clients in my env are centos 6.6 with ipa 3.0.0 client >>>>>> installed. I >>>>>> if bring up a replica on centos 7.2 with ipa 4.2.3 server and then >>> start >>>>>> phasing out the older 3.0.0 servers. Will the client that are still >>>>>> running the >>>>>> older client software still work? >>>>>> >>>>> >>>>> It should, yes. It is expected that there are RHEL/CentOS-6 clients >>> with >>>>> RHEL-7 FreeIPA servers. The older clients just won't be able to use the >>>>> newest features. >>>>> >>>>> >>>>>> On Fri, Nov 20, 2015 at 4:31 AM, Martin Kosek <mko...@redhat.com >>>>>> <mailto:mko...@redhat.com>> wrote: >>>>>> >>>>>> On 11/19/2015 11:03 PM, Ash Alam wrote: >>>>>> >>>>>> Hello All >>>>>> >>>>>> I am looking for some advice on upgrading. Currently our >>> FreeIPA >>>>>> servers are >>>>>> 3.0.0 on centos 6.6. We are looking to go to 4.2.3 Centos7. >>> This >>>>>> upgrade path >>>>>> is not possible per IPA documentation. Minimum version >>> required >>>>>> is 3.3.x. I >>>>>> have also found that cenos6 does not provide anything past >>> 3.0.0. >>>>>> >>>>>> >>>>>> And it won't. There are no plans in updating FreeIPA version in >>>>>> RHEL/CentOS-6.x, we encourage people who want the new features to >>>>>> migrate >>>>>> to RHEL-7.x: >>>>>> >>>>>> >>>>>> >>> http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS >>>>>> >>>>>> >>>>>> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc >>>>>> >>>>>> If you want to wait on CentOS-7.2, it should be in works now: >>>>>> http://seven.centos.org/2015/11/rhel-7-2-released-today/ >>>>>> >>>>>> One idea is to upgrade to 3.3.x first and then upgrade to >>> 4.2.3 >>>>>> on centos7. >>>>>> This is harder since centos does not provide this. The other >>>>>> issue is if >>>>>> 3.0/3.3 client will be supported with 4.2.3 server. >>>>>> >>>>>> >>>>>> The right way is to migrate via creating replicas in >>> RHEL/CentOS-7.x >>>>>> and >>>>>> slowly deprecating RHEL/CentOS-6 ones. Detailed procedure in the >>>>>> links above. >>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >>> >> > -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project