On 02/28/2017 03:37 AM, Standa Laznicka wrote:
Please, rather check what the problem is. Port 7389 is not required for the newer system, but the old 6.x system has to be listening on it so that we can replicate against the older Dogtag database. From the previous mail I believe you were following the right documentation, https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc, correct?

Yes, but I hit this issue when setting up replication from a (temporary) CentOS 7 system back to the newly re-installed system.

I believe that I understand the issue. The ipa-replica-conncheck man page at https://linux.die.net/man/1/ipa-replica-conncheck says this:

    -c, --check-ca
        Include in a check also a set of dogtag connection requirements.
        When a replica is self-sign this option is not needed.

But the man page in CentOS 7 says:

    -c, --check-ca
        Include in a check also a set of dogtag connection requirements.
        Only needed when the master was installed with Dogtag 9 or lower.

As a system administrator who is unfamiliar with the inner workings of FreeIPA, neither version really helped me to figure out if I should be passing that option. (The answer appears to be "yes" when the existing server was CentOS 6, but "no" when the existing server is CentOS 7.)

--
========================================================================
Ian Pilcher arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================