On 08/31/2015 02:56 PM, Simo Sorce wrote:
> On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
>> On 08/26/2015 11:27 PM, Simo Sorce wrote:
>>> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
>>> and introduces a number of required changes and dependencies to achieve
>>> this goal.
>>> This work requires the custodia project to securely transfer keys
>>> between ipa servers.
>>> This work is not 100% complete, it still misses the ability to install
>>> kra instances and the ability to install a CA (via ipa-ca-install) with
>>> externally signed certs.
>>> However it is massive enough that it warrants review and pushing, the rest
>>> of the changes can be applied later as this work should not disrupt the
>>> classic install methods.
>>> In order to build, my previous patches (530-533) are needed as well as a
>>> number of updated components.
>>> I used the following coprs for testing:
>>> abbra/sssd-kkdcproxy (for sssd 1.13.1)
>>> lkrispen/389-ds-current (for 389 > 22.214.171.124)
>>> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
>>> mkosek/freeipa-4.2-fedora-22 (misc)
>>> fedora/updates-testing (python-gssapi 1.1.2)
>>> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
>>> eventually his patches should be committed in 389-ds-base 126.96.36.199 when
>>> it will be released.
>>> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
>>> that may cause installation issues in some cases (re-install of a
>>> The domain must be raised to level 1 in order to use replica promotion.
>>> In order to promote a replica the server must be first joined as a
>>> regular client to the domain.
>>> This is the flow I usually use for testing:
>>> # ipa-client-install
>>> # kinit admin
>>> # ipa-replica-install --promote --setup-ca
>>> <perform operations like add user, get keytabs, get certificates,
>>> These patches are also available in this git tree rebased on current
>> I'm running into an issue when upgrading RPMs:
> What version are you upgrading from?
> Also do you have logs telling which update is failing? I can guess it
> is the topology stuff but that would be surprising.
It was a master devel machine with some wear&tear on it, clean 4.2.
install does not blow up on upgrade for me.
Will investigate further.