On Fri, Dec 12, 2014 at 3:13 PM, Martin Basti <mba...@redhat.com> wrote:
>
> On 12/12/14 14:57, Gianluca Cecchi wrote:
>
> Hello, read inline comments.
>
>  Hello,
>> I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system with
>> IPA 3.3.
>> The workflow was the one to create a replica and then decommission the
>> old one (that now is with services stopped) with the commands:
>>
>> on old server:
>>  ipa-server-install --uninstall
>>
>> on new server:
>>  ipa-replica-manage del infra.localdomain.local --force
>>
>>
>> [snip]

>
>>  It is not clear for me, did you use IPA DNS before upgrade, or you just
> install IPA DNS after upgrade?


I followed chapter 6 of
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

In IPA 3.0 I preconfigured DNS and then installed IPA with
# ipa-server-install
and at the end

"
....
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
UDP Ports:
  * 88, 464: kerberos
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
"

When I updated to 3.3, as part of the suggested documentation I created the
replica file on old server and then used this command on new server:
# ipa-replica-install --setup-ca --ip-address=192.168.1.81 -p my_password
-w my_password -N --setup-dns --forwarder=192.168.1.254 -U
/var/lib/ipa/replica-info-c7server.localdomain.local.gpg

And this way it should automatically embed the dns part into IPA, correct?


>
>  It works but the old IPA server hostname (with hostname=infra)  is no
>> more resovable
>>
>
[snip]


> IMO the behavior is expected, deleting old replica 'infra', should remove
> the DNS record of replica as well
>

OK. I was able to access the web gui (this time..) and in fact the infra
entry was not present neither in forward nor in reverse zone, so I added it
and now it is ok:

[root@c7server etc]# nslookup infra
Server:         192.168.1.81
Address:        192.168.1.81#53

Name:   infra.localdomain.local
Address: 192.168.1.62



> try following command to detect if there is the infra replica record in
> LDAP
>
> $ ipa dnsrecord-find localdomain.local
>
>
It now returns 22 entries and also the added one for infra hostname

 [root@c7server etc]# kinit admin
Password for admin@LOCALDOMAIN.LOCAL:
[root@c7server etc]#  ipa dnsrecord-find localdomain.local
  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos
  TXT record: LOCALDOMAIN.LOCAL

...

 Record name: infra
  A record: 192.168.1.62

...

Thanks,
I will check if web UI gives again the problem I had yesterday with the
expired session message...

Gianluca
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to