On Fri, Dec 12, 2014 at 3:13 PM, Martin Basti <mba...@redhat.com> wrote:
> On 12/12/14 14:57, Gianluca Cecchi wrote:
> Hello, read inline comments.
>> Hello,
>> I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system with
>> IPA 3.3.
>> The workflow was the one to create a replica and then decommission the
>> old one (that now is with services stopped) with the commands:
>> on old server:
>>  ipa-server-install --uninstall
>> on new server:
>>  ipa-replica-manage del infra.localdomain.local --force
>> [snip]

> It is not clear to me: did you use IPA DNS before the upgrade, or did you just
> install IPA DNS after the upgrade?

I followed chapter 6 of

In IPA 3.0 I preconfigured DNS and then installed IPA with
# ipa-server-install
and at the end

Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
UDP Ports:
  * 88, 464: kerberos
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

When I updated to 3.3, as part of the suggested documentation I created the
replica file on old server and then used this command on new server:
# ipa-replica-install --setup-ca --ip-address= -p my_password
-w my_password -N --setup-dns --forwarder= -U

And this way it should automatically embed the dns part into IPA, correct?

>> It works but the old IPA server hostname (with hostname=infra) is no
>> more resolvable

> IMO the behavior is expected, deleting old replica 'infra', should remove
> the DNS record of replica as well

OK. I was able to access the web GUI (this time..) and in fact the infra
entry was present neither in the forward nor in the reverse zone, so I added it
and now it is OK:

[root@c7server etc]# nslookup infra

Name:   infra.localdomain.local

> try following command to detect if there is the infra replica record in
> $ ipa dnsrecord-find localdomain.local
It now returns 22 entries and also the added one for infra hostname

[root@c7server etc]# kinit admin
Password for admin@LOCALDOMAIN.LOCAL:
[root@c7server etc]# ipa dnsrecord-find localdomain.local
  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos


  Record name: infra
  A record:


I will check if web UI gives again the problem I had yesterday with the
expired session message...
