Hi,
On Tue, May 3, 2022 at 11:59 AM Angus Clarke via FreeIPA-users <[email protected]> wrote:

> Hello
>
> We installed our IPA servers back in EL7.2 days and deployed with a single
> level domain and matching (uppercased) realm. Through various upgrades we
> are now at EL7.9 and are aware that the ipa-client-install command has
> become finickity about single level domains however thus far we have been
> able to continue joining EL7 clients.
>
> I've set up my test environment similarly and have been unsuccessful in
> trying to upgrade (join new and replace old) these EL7 Freeipa servers to
> EL8, the ipa-client-install on EL8 skips the single level domain so I'm a
> bit stuck.
>
> Is there a way around this in EL8?
>

As you saw, the installation of a single-label domain is forbidden since
ipa-4.6.5-1.el7, but the upgrade from older versions is still allowed.
Regarding the client, the installation in a single-label IPA domain is
possible only with IPA 4.6.x clients (see
https://bugzilla.redhat.com/show_bug.cgi?id=1745108).
It was a deliberate choice to allow RHEL7 clients but stop supporting this
type of deployment with RHEL8+. So no workaround with RHEL8...

Hope this clarifies,
flo

> EL7 ipa server (ipatest1):
> ipa-server-4.6.8-5.0.1.el7_9.10.x86_64
>
> EL8 (ipatest2):
> ipa-server-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64
>
>
> [root@ipatest2 ~]# ipa-replica-install --setup-ca --ip-address 192.168.180.141 --password=Password1234 --principal=admin --setup-dns --forwarder=192.168.180.100
> Configuring client side components
> This program will set up IPA client.
> Version 4.9.6
>
> Unable to discover domain, not provided on command line
> The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
> Removing client side components
> IPA client is not configured on this system.
> The ipa-client-install command failed.
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Configuration of client side components failed!
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
>
> [root@ipatest2 ~]# less /var/log/ipaclient-install.log
> <-- snip
> 2022-05-03T08:53:10Z DEBUG [IPA Discovery]
> 2022-05-03T08:53:10Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=ipatest2.int.test
> 2022-05-03T08:53:10Z DEBUG Start searching for LDAP SRV record in "int.test" (domain of the hostname) and its sub-domains
> 2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _ldap._tcp.int.test
> 2022-05-03T08:53:10Z DEBUG DNS record not found: NXDOMAIN
> 2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _ldap._tcp.test
> 2022-05-03T08:53:10Z DEBUG DNS record found: 0 100 389 ipatest1.int.test.
> 2022-05-03T08:53:10Z DEBUG [Kerberos realm search]
> 2022-05-03T08:53:10Z DEBUG Search DNS for TXT record of _kerberos.test
> 2022-05-03T08:53:10Z DEBUG DNS record found: "TEST"
> 2022-05-03T08:53:10Z DEBUG Skipping invalid realm 'TEST' (single label realms are not supported)
> 2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _kerberos._udp.test
> 2022-05-03T08:53:10Z DEBUG DNS record found: 0 100 88 ipatest1.int.test.
> 2022-05-03T08:53:10Z DEBUG [LDAP server check]
> 2022-05-03T08:53:10Z DEBUG Verifying that ipatest1.int.test (realm None) is an IPA server
> 2022-05-03T08:53:10Z DEBUG Init LDAP connection to: ldap://ipatest1.int.test:389
> 2022-05-03T08:53:10Z DEBUG Search LDAP server for IPA base DN
> 2022-05-03T08:53:10Z DEBUG Check if naming context 'dc=test' is for IPA
> 2022-05-03T08:53:10Z DEBUG Naming context 'dc=test' is a valid IPA context
> 2022-05-03T08:53:10Z DEBUG Search for (objectClass=krbRealmContainer) in dc=test (sub)
> 2022-05-03T08:53:10Z DEBUG Found: cn=TEST,cn=kerberos,dc=test
> 2022-05-03T08:53:10Z DEBUG Skipping invalid realm 'TEST' (single label realms are not supported)
> 2022-05-03T08:53:10Z DEBUG Discovery result: NOT_IPA_SERVER; server=None, domain=test, kdc=ipatest1.int.test, basedn=dc=test
> 2022-05-03T08:53:10Z DEBUG Validated servers:
> 2022-05-03T08:53:10Z DEBUG No IPA server found
> <-- snip
>
>
> Thanks
> Angus
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
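Added example, not part of the original thread and not FreeIPA code: a small triage script that reads an ipaclient-install.log in the format quoted above and reports whether discovery failed because a single-label realm was skipped. The `triage` helper and its field names are hypothetical; the sample lines are excerpted from the log in the thread, with wrapped lines rejoined.

```python
import re

# Excerpt of the log quoted in the thread (wrapped lines rejoined).
SAMPLE_LOG = """\
2022-05-03T08:53:10Z DEBUG Search DNS for TXT record of _kerberos.test
2022-05-03T08:53:10Z DEBUG DNS record found: "TEST"
2022-05-03T08:53:10Z DEBUG Skipping invalid realm 'TEST' (single label realms are not supported)
2022-05-03T08:53:10Z DEBUG Found: cn=TEST,cn=kerberos,dc=test
2022-05-03T08:53:10Z DEBUG Discovery result: NOT_IPA_SERVER; server=None, domain=test, kdc=ipatest1.int.test, basedn=dc=test
2022-05-03T08:53:10Z DEBUG No IPA server found
"""

LINE_RE = re.compile(r"^(\S+Z) (\w+) (.*)$")            # timestamp, level, message
SKIP_RE = re.compile(r"^Skipping invalid realm '([^']+)' \((.+)\)$")
RESULT_RE = re.compile(r"^Discovery result: (\w+); (.*)$")


def triage(log_text):
    """Summarise an IPA discovery failure (hypothetical helper, not part of FreeIPA)."""
    skipped, result, fields = {}, None, {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "<-- snip" markers, blank or continuation lines
        msg = m.group(3)
        if (s := SKIP_RE.match(msg)):
            skipped[s.group(1)] = s.group(2)   # realm -> reason given by the client
        elif (r := RESULT_RE.match(msg)):
            result = r.group(1)
            # Split on the first '=' only, so "basedn=dc=test" keeps its value.
            fields = dict(kv.split("=", 1) for kv in r.group(2).split(", ") if "=" in kv)
    single_label = sorted(realm for realm in skipped if "." not in realm)
    cause = "unknown"
    if result == "NOT_IPA_SERVER" and single_label:
        cause = "single-label realm rejected by client"
    return {
        "result": result,
        "domain": fields.get("domain"),
        "kdc": fields.get("kdc"),
        "skipped_realms": skipped,
        "single_label_realms": single_label,
        "cause": cause,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real /var/log/ipaclient-install.log on a host where the join failed, it separates this case from ordinary DNS or connectivity failures, which leave `single_label_realms` empty.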
