Kroon PC, Peter via FreeIPA-users wrote:
> Thanks for the super fast reply! I'll do my best to reply in-line, but I'm
> bound to outlook, which doesn't like it too much.
>
>>> Hi all!
>>>
>>> I'm working on updating my freeipa server from rocky 8 to 9. I'm playing
>>> around with a virtual machines as playground server and client, since I'd
>>> rather not break my everything right away. As part of this, I first
>>> installed ipa-server version 4.10.2-8.el9_3 on the server. Then I did an
>>> ipa-restore with a backup from my production ipa server (rocky 8,
>>> 4.9.12-11.module+el8.9.0+1652+4ee71f6a), followed by an ipa-server-upgrade.
>>> All is well so far (I think).
>
>> I don't know how you achieved this. ipa-restore attempts to prevent
>> using restore as a backdoor upgrade mechanism.
>
> It didn't complain /too/ much honestly. It saw the version mismatch between
> the backup and the installed server, asked for a "yes", and then happily went
> on its way. Is there a better way to achieve what I want/need?
Create a replica and disconnect it from the topology to have a sandbox.
>>> The client is running Debian bookworm with backports, where the latest
>>> ipa-client version is 4.9.11-1. Then, I went with the usual
>>> ipa-client-install --no-ntp, which fails with "Joining realm failed: Failed
>>> to parse result: PrincipalName not found." after retrieving the CA cert.
>>> The logs don't tell me much more, but the --debug flag does. It negotiates
>>> a JSON-RPC response, in which it says '{... "principal":
>>> "[email protected]", ...}'. I note that principal != PrincipalName. Also
>>> note, that on the server, the host /is/ added.
>>>
>>> So I guess my question is: how much version skew between server and client
>>> is supported?
>
>> Plenty. There isn't much to client enrollment and the API hasn't changed
>> significantly in a long time.
>
> Ok. Is there any other place I can look for what's going wrong?
The server httpd error log should have something about the request as
well as the client install log.
To get more details on the server side you can create
/etc/ipa/server.conf with the contents:
[global]
debug = True
Then restart httpd. Warning, it can be very verbose so I wouldn't leave
it like that for long in production.
rob
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
