Hi,

8><-----------
OK, details are important here. Terms like "blew up" and "bad schema" leave me guessing exactly what you mean.
8><-----------

I don't know what's wrong either, but everything I seem to try and set up goes badly with intermittent or total failures. For instance, a winsync agreement with the old server and AD wipes existing IPA users' groups and doesn't put the new users in the ipausers group; no one has seen that behaviour, it seems. Yet a clean 6.3 IPA master does put new users in the ipausers group and existing users retain their groups.

8><------------
So if I understand it correctly you have a 2.1.3 -> 2.2.0 master that is limping along and two freshly installed 2.2.0 masters and you'd like to uninstall and re-install the server whose upgrade didn't go well.
8><-----------

Yes....from testing a clean 6.3 it seems to work for winsync at least fine.....rpm -q says 2.2.0-16

8><-----------
- remove the server that failed upgrading (ipa-replica-manage del non-working.example.com)
- Follow the CLEANRUV docs at http://directory.fedoraproject.org/wiki/Howto:CLEANRUV (starts about midway down the page)
- ipa-server-install --uninstall on the decommissioned server
- prepare a new replica file
- ipa-replica-install

Note that selfsign is not supported in RHEL. You'll need to refer to the Fedora docs on how to do that, see section 16.8.2 at http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html

Unfortunately the docs are wrong. You want to use the NSS database in /etc/httpd/alias and not the DS instance. The cacert.p12 comes from the file you saved after the initial install. You saved that, right?
8><----------

Yes, it should be in our subversion system.

8><----------
If not, you can run this on the old master to re-create it:

    # pk12util -o /tmp/cacert.p12 -d /etc/httpd/alias -n '$REALM IPA CA' -k /etc/httpd/alias/pwdfile.txt

These are some instructions one of our engineers wrote up when he needed to do this himself.
You can probably skip step 1 as you already have a couple of working replicas. Tread carefully. If you lose your CA you won't have the ability to create new replicas, issue server certs, do much of anything.

1) Install replica:
   # ipa-replica-install

2) Copy CA serial number setting from master to replica:
   # scp /var/lib/ipa/ca_serialno new_ca.example.com:/var/lib/ipa/

3) On replica, set correct owner and permissions:
   # chown root:apache /var/lib/ipa/ca_serialno
   # chmod 550 /var/lib/ipa/ca_serialno

4) Restore SELinux context on serial file:
   # restorecon /var/lib/ipa/ca_serialno

5) Copy CA certificate and pwdfile.txt from master to replica:
   # scp /etc/httpd/alias/cacert.p12 /etc/httpd/alias/pwdfile.txt new_ca.example.com:~/

7) On replica, import the CA certificate:
   # pk12util -i ~/cacert.p12 -w ~/pwdfile.txt -d /etc/httpd/alias/ -k /etc/httpd/alias/pwdfile.txt

8) The certificates in the NSS database (including the one just imported) can be listed with:
   # certutil -L -d /etc/httpd/alias/

   However, since the pk12util import util is not capable of setting a correct certificate nickname, the imported certificate will have a nickname like "CN=$REALM Certificate Authority", which is not recognized by the IPA certificate system.

   The following procedure can be used to set a correct nickname for the certificate:

   a) Export the certificate:
      # certutil -d /etc/httpd/alias/ -L -n 'CN=$REALM Certificate Authority' -a > ~/cacert.crt

   b) Delete the old certificate (NSS database /etc/httpd/alias/ should be backed up before this step):
      # certutil -d /etc/httpd/alias/ -D -n 'CN=$REALM Certificate Authority'

   c) Import the certificate with the correct nickname:
      # certutil -A -n "$REALM IPA CA" -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt -i /root/cacert.crt -a -t CTu,u,Cu

9) Enable certificate operations on the IPA replica:
   # echo "enable_ra=True" >> /etc/ipa/default.conf

10) Reload the web server to pick up the new configuration:
   # service httpd reload

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
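As an added example (not a script from the thread or from FreeIPA), here are steps 8a-8c wrapped in a bash script that refuses to touch the NSS database unless the mis-named certificate is actually present and the correct nickname is not yet there, backs /etc/httpd/alias up first as step 8b asks, and checks the trust flags afterward. The certutil listing parser is exercised on a constructed sample; the realm argument and the script file name are assumptions.

```bash
#!/bin/bash
# Added example, not a script from the thread: wraps steps 8a-8c with a
# presence check, a backup of the NSS database (step 8b) and a trust-flag
# check afterward. Paths are the thread's; the realm is the assumed argument.
NSSDB=/etc/httpd/alias
PWDFILE=$NSSDB/pwdfile.txt

# Constructed sample of `certutil -L -d /etc/httpd/alias/` output as it looks
# right after the pk12util import in step 7 (realm EXAMPLE.COM).
SAMPLE_CERTUTIL_L='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=EXAMPLE.COM Certificate Authority                         CTu,u,Cu
Server-Cert                                                  u,u,u'

# Read `certutil -L` output on stdin; print the trust flags of the entry whose
# nickname is exactly $1, exit 1 if absent. certutil pads the nickname with
# spaces up to the trust column, so require nickname + whitespace + flags only.
trust_for_nick() {
    awk -v n="$1" 'index($0, n) == 1 &&
        substr($0, length(n) + 1) ~ /^[ \t]+[A-Za-z,]+[ \t]*$/ { print $NF; found = 1 }
        END { exit !found }'
}

fix_ca_nickname() {
    local realm=$1
    local wrong="CN=$realm Certificate Authority"
    local right="$realm IPA CA"
    local backup="/root/alias-backup-$(date +%Y%m%d%H%M%S).tar"
    if ! certutil -L -d "$NSSDB" | trust_for_nick "$wrong" >/dev/null; then
        echo "no certificate nicknamed '$wrong' in $NSSDB, nothing to rename" >&2
        return 1
    fi
    if certutil -L -d "$NSSDB" | trust_for_nick "$right" >/dev/null; then
        echo "'$right' already exists in $NSSDB, refusing to overwrite it" >&2
        return 1
    fi
    tar -cf "$backup" -C "$(dirname "$NSSDB")" "$(basename "$NSSDB")" || return 1
    certutil -d "$NSSDB" -L -n "$wrong" -a > /root/cacert.crt || return 1
    certutil -d "$NSSDB" -D -n "$wrong" || return 1
    certutil -A -n "$right" -d "$NSSDB" -f "$PWDFILE" -i /root/cacert.crt -a -t CTu,u,Cu || return 1
    # The renamed entry must carry the CTu,u,Cu flags from step 8c.
    [ "$(certutil -L -d "$NSSDB" | trust_for_nick "$right")" = "CTu,u,Cu" ]
}

# Run as root on the replica after step 7 (file name assumed): ./fix-ca-nickname.sh EXAMPLE.COM
if [ $# -gt 0 ]; then fix_ca_nickname "$1"; fi
```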