On 02/28/2017 03:37 AM, Standa Laznicka wrote:
Please, rather check what the problem is. Port 7389 is not required for
the newer system, but the old 6.x system has to be listening on it so
that we can replicate against the older Dogtag database. From the
previous mail I believe you were following the right documentation,
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc,
correct?

Yes, but I hit this issue when setting up replication from a (temporary)
CentOS 7 system back to the newly re-installed system.

I believe that I understand the issue.

The ipa-replica-conncheck man page at
https://linux.die.net/man/1/ipa-replica-conncheck says this:

  -c, --check-ca
      Include in a check also a set of dogtag connection requirements.
      When a replica is self-sign this option is not needed.

But the man page in CentOS 7 says:

  -c, --check-ca
      Include in a check also a set of dogtag connection requirements.
      Only needed when the master was installed with Dogtag 9 or lower.

As a system administrator who is unfamiliar with the inner workings of
FreeIPA, neither version really helped me to figure out if I should be
passing that option.  (The answer appears to be "yes" when the existing
server was CentOS 6, but "no" when the existing server is CentOS 7.)

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
