Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On 03/12/2015 08:56 PM, Steven Jones wrote:
> Hi,
>
> Currently it seems that IPA on RHEL6.6 is broken in terms of adding a
> RHEL7.1 replica to it, i.e. following the document linked to below.
>
> Should be a BZ case on it shortly via RH support (RH case number
> 01290601) for an updated 389 rpm for 6.6.
>
> I assume it will be the same for CentOS 7.x as your base is RHEL6.6.
>
> Unless there is an already fixed 389/6.6 package somewhere I can try?
> It's a test bed for the actual upgrade so if it blows no biggee,
> anything to get this advanced!

If I read your Case correctly, it already got a fresh set of RHEL-6.6 RPMs attached today morning :-)

> regards
>
> Steven
>
> 8><---
> >>> Are you following these instructions?
> >>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
> 8><---

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
Hi,

Currently it seems that IPA on RHEL6.6 is broken in terms of adding a RHEL7.1 replica to it, i.e. following the document linked to below.

Should be a BZ case on it shortly via RH support (RH case number 01290601) for an updated 389 rpm for 6.6.

I assume it will be the same for CentOS 7.x as your base is RHEL6.6.

Unless there is an already fixed 389/6.6 package somewhere I can try? It's a test bed for the actual upgrade so if it blows no biggee, anything to get this advanced!

regards

Steven

8><---
>>> Are you following these instructions?
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
8><---
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On 03/10/2015 03:06 PM, Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, Benjamin Reed wrote:
>> On 3/10/15 9:31 AM, Alexander Bokovoy wrote:
>>> Are you following these instructions?
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>>
>>
>> Aha! No. There are so many false positives in google I had no idea
>> that document existed. Pretty much everything I've found that links to
>> "how to migrate" takes me to this:
>>
>> http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS
>>
>> ...which in turn pointed to this:
>>
>> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html
>>
>> I didn't see anything about RHEL6->RHEL7 or FreeIPA 3.0->3.3
>> http://www.freeipa.org/page/Documentation unless I missed it. The 3.3
>> section on there is pretty much just a collection of things about new
>> features. (And a presentation deck that points to that first link above...)
> We have http://www.freeipa.org/page/Documentation#User_Guides and going
> through user guide would be our recommended action. There is a whole
> chapter 6 in RHEL7 docs for upgrades and migration.

Hmm, I looked in FreeIPA.org and saw that about a dozen pages still pointed to the old, abandoned (http://www.freeipa.org/page/Upstream_User_Guide) Fedora guides. I went through the pages and changed them all to point to the most up to date user guide - RHEL-7 guide.

I also added a link to the RHEL-7 migration guide to the FreeIPA.org migration page, for additional information:

http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS

If you know about more sources like that, please tell me or update the page.

Thanks,
Martin
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On 3/10/15 10:06 AM, Alexander Bokovoy wrote:
> We have http://www.freeipa.org/page/Documentation#User_Guides and going
> through user guide would be our recommended action. There is a whole
> chapter 6 in RHEL7 docs for upgrades and migration.

Ah, I see it now. I had no idea from the name that "Linux Domain Identity, Authentication and Policy Guide for RHEL 7" referred to the general user/admin guide. As a newb to FreeIPA and domain management in general, it looked like word soup. Sorry for the noise. :P

> Looks like you don't have CA installed on auth.internal so you don't
> need to update CA schema there.

Great. So I started the install on the CentOS7 machine, and it almost completed, but failed out with this error:

> Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
> 30 seconds
> [1/19]: creating certificate server user
> [2/19]: configuring certificate server instance
> ipa : CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmp2_03I3' returned non-zero exit
> status 1

In the ipareplica-install.log file, I find this:

> Storing deployment configuration into
> /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
> Installation failed.
>
>
> 2015-03-10T14:12:04Z DEBUG stderr=pkispawn: WARNING ...
> unable to validate security domain user/password through REST
> interface. Interface not available
> pkispawn: ERROR... Exception from Java Configuration
> Servlet: Error while updating security domain: java.io.IOException:
> java.io.IOException: SocketException cannot read on socket
>
> 2015-03-10T14:12:04Z CRITICAL failed to configure ca instance Command
> '/usr/sbin/pkispawn -s CA -f /tmp/tmp2_03I3' returned non-zero exit
> status 1
> 2015-03-10T14:12:04Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
> line 638, in run_script

I ran `ipa-server-install --uninstall` to undo everything, as it suggested.

Then I generated a new replica file on the RHEL6 machine with `ipa-replica-prepare` and tried the install again. This time, it successfully finishes, but the last thing it says is:

> Done configuring directory server (dirsrv).
> A CA is already configured on this system.

...which makes me think it just didn't undo everything when I did `ipa-server-install --uninstall` and the CA isn't actually set up properly.

Is there a good way to confirm everything is actually working as expected?

Thanks,
Ben

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
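An added example, not part of the original message or of FreeIPA's own code: a small triage pass over an ipareplica-install.log excerpt like the one quoted above, pairing each CRITICAL entry with the pkispawn ERROR line logged just before it. The sample text is constructed from the quoted excerpt with mail wrapping removed, and the function names are hypothetical.

```python
import re

# Constructed sample: the ipareplica-install.log excerpt quoted in the message
# above, re-joined into whole lines (mail wrapping removed).
SAMPLE_LOG = """\
2015-03-10T14:12:04Z DEBUG stderr=pkispawn: WARNING ... unable to validate security domain user/password through REST interface. Interface not available
pkispawn: ERROR... Exception from Java Configuration Servlet: Error while updating security domain: java.io.IOException: java.io.IOException: SocketException cannot read on socket

2015-03-10T14:12:04Z CRITICAL failed to configure ca instance Command '/usr/sbin/pkispawn -s CA -f /tmp/tmp2_03I3' returned non-zero exit status 1
2015-03-10T14:12:04Z DEBUG File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 638, in run_script
"""

# A log entry starts with "<UTC timestamp> <LEVEL> <message>".
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) ([A-Z]+) (.*)$")


def parse_entries(text):
    """Group the log into entries; lines without a timestamp continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "lines": [m.group(3)]})
        elif line.strip() and entries:
            entries[-1]["lines"].append(line.strip())
    return entries


def triage(text):
    """Return each CRITICAL entry together with the pkispawn ERROR lines seen since the last one."""
    findings, pending = [], []
    for entry in parse_entries(text):
        pending += [l for l in entry["lines"] if l.startswith("pkispawn: ERROR")]
        if entry["level"] == "CRITICAL":
            findings.append({"time": entry["time"], "critical": entry["lines"][0], "cause": pending})
            pending = []
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["time"], finding["critical"])
        for cause in finding["cause"]:
            print("  cause:", cause)
```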
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On Tue, 10 Mar 2015, Benjamin Reed wrote:
> On 3/10/15 9:31 AM, Alexander Bokovoy wrote:
>> Are you following these instructions?
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>
> Aha! No. There are so many false positives in google I had no idea
> that document existed. Pretty much everything I've found that links to
> "how to migrate" takes me to this:
>
> http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS
>
> ...which in turn pointed to this:
>
> http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html
>
> I didn't see anything about RHEL6->RHEL7 or FreeIPA 3.0->3.3
> http://www.freeipa.org/page/Documentation unless I missed it. The 3.3
> section on there is pretty much just a collection of things about new
> features. (And a presentation deck that points to that first link above...)

We have http://www.freeipa.org/page/Documentation#User_Guides and going through user guide would be our recommended action. There is a whole chapter 6 in RHEL7 docs for upgrades and migration.

> Anyways, thank you for the link. That makes it much clearer.
>
> I do have one problem now. I currently have the following systems:
>
> connect: RHEL6, FreeIPA master
> auth.internal: CentOS6, FreeIPA replica
> auth: CentOS7, migration target
>
> Following the instructions you linked, I ran the copy-schema-to-ca.py
> script on connect, and it completed successfully. I then tried to run
> it on auth.internal (the CentOS6 replica) and it fails with this error:
>
>> python copy-schema-to-ca.py
>> Traceback (most recent call last):
>>   File "copy-schema-to-ca.py", line 85, in <module>
>>     main()
>>   File "copy-schema-to-ca.py", line 79, in main
>>     add_ca_schema()
>>   File "copy-schema-to-ca.py", line 42, in add_ca_schema
>>     pki_pent = pwd.getpwnam(PKI_USER)
>> KeyError: 'getpwnam(): name not found: pkiuser'
>
> ...am I supposed to run this script on the replica as well? Or is
> something broken on my replica?

Looks like you don't have CA installed on auth.internal so you don't need to update CA schema there.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On 3/10/15 9:31 AM, Alexander Bokovoy wrote:
> Are you following these instructions?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

Aha! No. There are so many false positives in google I had no idea that document existed. Pretty much everything I've found that links to "how to migrate" takes me to this:

http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS

...which in turn pointed to this:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html

I didn't see anything about RHEL6->RHEL7 or FreeIPA 3.0->3.3 http://www.freeipa.org/page/Documentation unless I missed it. The 3.3 section on there is pretty much just a collection of things about new features. (And a presentation deck that points to that first link above...)

Anyways, thank you for the link. That makes it much clearer.

I do have one problem now. I currently have the following systems:

connect: RHEL6, FreeIPA master
auth.internal: CentOS6, FreeIPA replica
auth: CentOS7, migration target

Following the instructions you linked, I ran the copy-schema-to-ca.py script on connect, and it completed successfully. I then tried to run it on auth.internal (the CentOS6 replica) and it fails with this error:

> python copy-schema-to-ca.py
> Traceback (most recent call last):
>   File "copy-schema-to-ca.py", line 85, in <module>
>     main()
>   File "copy-schema-to-ca.py", line 79, in main
>     add_ca_schema()
>   File "copy-schema-to-ca.py", line 42, in add_ca_schema
>     pki_pent = pwd.getpwnam(PKI_USER)
> KeyError: 'getpwnam(): name not found: pkiuser'

...am I supposed to run this script on the replica as well? Or is something broken on my replica?

Thanks,
Ben

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On Tue, 10 Mar 2015, Benjamin Reed wrote:
> I'm attempting to migrate FreeIPA from an RHEL6 server to a CentOS7
> server. When I run ipa-replica-install to set up the CentOS7 server, I
> get the following error:
>
>> ipa : CRITICAL The master CA directory server does not have
>> necessary schema. Please copy the following script to all CA masters
>> and run it on them: /usr/share/ipa/copy-schema-to-ca.py
>> If you are certain that this is a false positive, use --skip-schema-check.
>> IPA schema missing on master CA directory server
>
> Is it safe to run this script on the RHEL6 server? Is it a false
> positive I should ignore? What is the best way to transition?

Are you following these instructions?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

--
/ Alexander Bokovoy
[Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
I'm attempting to migrate FreeIPA from an RHEL6 server to a CentOS7 server. When I run ipa-replica-install to set up the CentOS7 server, I get the following error:

> ipa : CRITICAL The master CA directory server does not have
> necessary schema. Please copy the following script to all CA masters
> and run it on them: /usr/share/ipa/copy-schema-to-ca.py
> If you are certain that this is a false positive, use --skip-schema-check.
> IPA schema missing on master CA directory server

Is it safe to run this script on the RHEL6 server? Is it a false positive I should ignore? What is the best way to transition?

Thanks,
Ben

--
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/