Thanks for the super fast reply! I'll do my best to reply in-line, but I'm
bound to Outlook, which doesn't like it too much.

>> Hi all!
>> I'm working on updating my FreeIPA server from Rocky 8 to 9. I'm playing
>> around with virtual machines as playground server and client, since I'd
>> rather not break my everything right away. As part of this, I first 
>> installed ipa-server version 4.10.2-8.el9_3 on the server. Then I did an 
>> ipa-restore with a backup from my production IPA server (Rocky 8,
>> 4.9.12-11.module+el8.9.0+1652+4ee71f6a), followed by an ipa-server-upgrade. 
>> All is well so far (I think).

> I don't know how you achieved this. ipa-restore attempts to prevent
> using restore as a backdoor upgrade mechanism.

It didn't complain /too/ much honestly. It saw the version mismatch between the 
backup and the installed server, asked for a "yes", and then happily went on 
its way. Is there a better way to achieve what I want/need?

>> The client is running Debian bookworm with backports, where the latest 
>> ipa-client version is 4.9.11-1. Then, I went with the usual 
>> ipa-client-install --no-ntp, which fails with "Joining realm failed: Failed 
>> to parse result: PrincipalName not found." after retrieving the CA cert.
>> The logs don't tell me much more, but the --debug flag does. It negotiates a 
>> JSON-RPC response, in which it says '{... "principal": "", 
>> ...}'. I note that principal != PrincipalName. Also note that on the
>> server, the host /is/ added.
>> So I guess my question is: how much version skew between server and client 
>> is supported?

> Plenty. There isn't much to client enrollment and the API hasn't changed
> significantly in a long time.

Ok. Is there any other place I can look for what's going wrong?

