Hello people. -> This is already posted here, maybe check there for better formatting? https://www.reddit.com/r/FreeIPA/comments/yzcln7/broken_installation_how_to_migrate_it/
I broke my IPA installation on a CentOS 7 somehow... can't root-cause it anymore. But since I basically use only LDAP I managed to have it running in a crutch manner... I run into two problems:

- When I try to uninstall & install the same IPA on that VM (but a snapshot clone) then I get an error that it can't connect to ldapi:///var/run/slapd*sock -> I gave up at some point.
- Can't join new machines via ipa-client-install - problem with Kerberos keys I guess, see below.

Anyway, I found that exporting a backup and importing it on a Rocky Linux 9 does import the same problems... so I am kinda lost and guess I am seeking some help here... At this point I start hating the full feature set of IPA which brings lots of complexity... Anyways, here we are.... Don't be surprised about the date+timestamps, I got my shell's PS settings that way.

Old system, CentOS 7, mgmt01:

  root@mgmt01 14:29:28 ~$ kinit admin
  Password for admin@REALM:
  root@mgmt01 14:29:51 ~$ ipa user-find
  ERROR: No valid Negotiate header in server response

New system, Rocky 9, mgmt02, after completely fresh install:

  14:32:46-root@mgmt02:RC0:~
  ↳ kinit admin                                  19.11.2022 14:32:48
  Password for admin@REALM:
  14:32:52-root@mgmt02:RC0:~
  ↳ ipa user-find                                19.11.2022 14:32:55
  --------------
  1 user matched
  --------------
    User login: admin
    Last name: Administrator
    Home directory: /home/admin
    Login shell: /bin/bash
    Principal alias: admin@REALM, root@REALM
    UID: 1037800000
    GID: 1037800000
    Account disabled: False
  ----------------------------
  Number of entries returned 1
  ----------------------------

I do export a backup on mgmt01:

  ipa-backup --data --online

On mgmt02: go login to the web interface of the new server, find default/empty user list.

  ↳ ipa-restore --data --online --backend userRoot /home/sshadmin/ipa-data-2022-11-18-19-40-45/       19.11.2022 14:48:14
  Directory Manager (existing master) password:
  Preparing restore from /home/sshadmin/ipa-data-2022-11-18-19-40-45/ on mgmt01
  Performing DATA restore from DATA backup
  Restoring data from a different release of IPA.
  Data is version 4.6.8.
  Server is running 4.9.8.
  Continue to restore? [no]: yes
  Temporary setting umask to 022
  Restoring data will overwrite existing live data. Continue to restore? [no]: yes
  Each master will individually need to be re-initialized or re-created from this one. The replication agreements on masters running IPA 3.1 or earlier will need to be manually re-enabled. See the man page for details.
  Disabling all replication.
  Starting Directory Server
  Restoring from userRoot in REALM
  Waiting for LDIF to finish
  Restoring umask to 18
  The ipa-restore command was successful

  ↳ ipa user-find -> can find users
  ↳ refresh website -> I can see my LDAP users.
  ↳ logout of website, relogin with admin user gives me: Login failed due to an unknown reason (same on old system)
  ↳ reboot and ipa user-find will give me this one: ipa: ERROR: No valid Negotiate header in server response

At this point again I can't join new machines to the new server via ipa-client-install. I am pretty lost.

I also tried exporting LDAP data with db2ldif -> and added it to the new server with ldapmodify -ac -f ldiffile and seem to run into pretty similar issues. Luckily I can read the LDIF file and connect to the old and new server with Apache Studio, that might help in more manual efforts to restore the service.

I tried something else now... I've exported LDIFs from cn=groups,cn=accounts and cn=users,cn=accounts separately. Tried to import groups first (did work). Tried to import users then -> only a few users are imported in the end. Most of them are declined with this error:

  #!ERROR [LDAP result code 53 - unwillingToPerform] Managed Entry Plugin rejected add operation (see errors log).

I have no damn clue...
  Nov 19 16:59:37 mgmt.doma.in ns-slapd[1257]: [19/Nov/2022:16:59:37.145273724 +0100] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add pointer to managed entry "cn=user,cn=groups,cn=accounts,dc=doma,dc=in" in origin entry "uid=user,cn=users,cn=accounts,dc=doma,dc=in" (Type or value exists).

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
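As an added example (not from the original post or the FreeIPA project), a small Python check built on one assumption about the last error: the exported user entries still carry the mepManagedEntry pointer, so the plugin's attempt to add that pointer again on the new server fails with "Type or value exists". The script lists the user entries that carry the attribute and writes a copy of the export without it so the plugin can re-create the pointer and the user-private group itself; the attribute and DN names come from the error above, and the sample LDIF is constructed.

```python
import base64

def _unfold(text):
    lines = []  # join LDIF continuation lines (leading space) onto the line before
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Minimal reader -> [(dn, [(attr, value), ...])]; decodes '::' base64 values."""
    entries, dn, attrs = [], None, []
    for line in _unfold(text) + [""]:
        if not line.strip():            # blank line closes an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr, value))
    return entries

def find_mep_pointers(users_ldif):
    """user DN -> mepManagedEntry value for each user entry still carrying the pointer."""
    return {dn: v for dn, attrs in parse_ldif(users_ldif)
            for a, v in attrs if a.lower() == "mepmanagedentry"}

def strip_mep_pointers(users_ldif):
    """Drop mepManagedEntry lines (assumed cause of 'Type or value exists');
    every other line, base64 values included, passes through unchanged."""
    kept = [l for l in _unfold(users_ldif)
            if l.partition(":")[0].strip().lower() != "mepmanagedentry"]
    return "\n".join(kept) + "\n"

# Constructed sample export, same DIT layout as in the error message above.
USERS_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=doma,dc=in
objectClass: mepOriginEntry
uid: alice
mepManagedEntry: cn=alice,cn=groups,
 cn=accounts,dc=doma,dc=in
"""
```

Run find_mep_pointers() on the real cn=users export to see which entries would trip the plugin, and feed the output of strip_mep_pointers() to ldapmodify instead of the raw export.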