[Freeipa-users] Re: ipa-healthcheck with fresh replica

2020-06-08 Thread Jochen Kellner via FreeIPA-users
Jochen Kellner via FreeIPA-users writes:

> In IPA I have four certificates for "IPA RA" - one (the oldest) revoked,
> two expired in 2017 and 2019, and one valid until next year.
>
> The certificate in CS.cfg is expired:
>
> Serial Number: 268173317 (0xffc0005)
> ...
> Validity
> Not Before: Dec 30 06:29:19 2017 GMT
> Not After : Dec 20 06:29:19 2019 GMT
> Subject: O = EXAMPLE.ORG, CN = KRA Transport Certificate
>
> certutil has the correct (valid) cert:
>
> Serial Number: 268238930 (0xffd0052)
> ...
> Validity
> Not Before: Dec 13 13:56:29 2019 GMT
> Not After : Dec  2 13:56:29 2021 GMT
>
> So, when installing the replica I got an older, expired cert in CS.cfg,
> but the certificate in nssdb is newer and valid.

I've fixed that manually on the new replica by copying the valid
certificate from LDAP into the CS.cfg files.

> Thanks for the "I need more context" ping. I looked at IPA bugs but
> nothing looked similar to this case. OTOH I would expect that far more
> people would also have this problem.

I'll see what the last replica looks like after the refresh when all
other replicas have been fixed.

Jochen

-- 
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
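The mismatch Jochen describes (an expired certificate referenced in CS.cfg while the NSS database already holds the renewed one) is worth checking on every CA/KRA replica before the stale entry bites. The script below is an added example, not Jochen's code and not FreeIPA or Dogtag project code: it reads the base64 DER certificate stored in CS.cfg, decodes just enough DER with the Python standard library to get its serial number and validity period, and compares that serial with the one in `certutil -L` output. Assumptions: the CS.cfg key is `ca.connector.KRA.transportCert` (the Dogtag CA's KRA connector setting); the CS.cfg fragment, the certutil output and the certificate itself are constructed inline using the serials and dates quoted in the post, and that certificate is an unsigned skeleton with empty names rather than a real one.

```python
# Added example (not FreeIPA/Dogtag code): compare the KRA transport certificate
# embedded in a Dogtag CS.cfg with the serial certutil reports from the NSS DB.
import base64
import re
from datetime import datetime, timezone

CS_CFG_KEY = "ca.connector.KRA.transportCert"   # assumed CS.cfg key for the KRA connector cert

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed DER element's content into (tag, value) pairs."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children

def parse_asn1_time(tag, val):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> UTC datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                                # RFC 5280 century rule for two-digit years
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_serial_and_validity(der):
    """Return (serial, not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(der)                      # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = der_tlv(cert)                      # tbsCertificate is the first child
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    # fields[1] = signature algorithm, fields[2] = issuer, fields[3] = validity
    not_before, not_after = (parse_asn1_time(t, v) for t, v in der_children(fields[3][1]))
    return serial, not_before, not_after

def cs_cfg_cert(cs_cfg_text, key=CS_CFG_KEY):
    """Return the DER certificate stored as base64 under `key` in CS.cfg text."""
    for line in cs_cfg_text.splitlines():
        if line.startswith(key + "="):
            return base64.b64decode(line.split("=", 1)[1].strip())
    raise KeyError(key)

def certutil_serial(certutil_text):
    """Parse the decimal serial from 'Serial Number: 268238930 (0xffd0052)' (certutil -L output)."""
    return int(re.search(r"Serial Number:\s*(\d+)", certutil_text).group(1))

def check(cs_cfg_text, certutil_text, now):
    """Return findings; an empty list means CS.cfg and the NSS DB agree and the cert is in date."""
    serial, not_before, not_after = cert_serial_and_validity(cs_cfg_cert(cs_cfg_text))
    findings = []
    if not not_before <= now <= not_after:
        findings.append("CS.cfg cert serial %d (0x%x) is expired or not yet valid (%s to %s)"
                        % (serial, serial, not_before.date(), not_after.date()))
    nss_serial = certutil_serial(certutil_text)
    if nss_serial != serial:
        findings.append("serial mismatch: CS.cfg has 0x%x, NSS DB has 0x%x" % (serial, nss_serial))
    return findings

# --- constructed sample data; serials and dates are the ones quoted in the post ---------
def _der(tag, content):
    """Minimal DER encoder, used only to build the sample certificate."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert_der(serial, not_before, not_after):
    """Unsigned X.509 skeleton with empty names: enough structure for the parser, not a real cert."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                # version v3
           + _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
           + alg + _der(0x30, b"")                                        # issuer (empty Name)
           + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
           + _der(0x30, b"") + _der(0x30, b""))                           # subject, SPKI (empty)
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

def sample_cs_cfg(serial, not_before, not_after):
    """A two-line CS.cfg fragment carrying the sample certificate under CS_CFG_KEY."""
    b64 = base64.b64encode(sample_cert_der(serial, not_before, not_after)).decode()
    return "ca.connector.KRA.enable=true\n%s=%s\n" % (CS_CFG_KEY, b64)

SAMPLE_CS_CFG = sample_cs_cfg(268173317, "171230062919Z", "191220062919Z")   # the expired one
SAMPLE_CERTUTIL = ("Serial Number: 268238930 (0xffd0052)\n"
                   "Not Before: Dec 13 13:56:29 2019 GMT\nNot After : Dec  2 13:56:29 2021 GMT\n")
SAMPLE_NOW = datetime(2020, 6, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in check(SAMPLE_CS_CFG, SAMPLE_CERTUTIL, SAMPLE_NOW) or ["OK: CS.cfg matches NSS DB"]:
        print(line)
```

On a real replica the same functions take the contents of the CA's CS.cfg (assumed path /etc/pki/pki-tomcat/ca/CS.cfg) and the output of `certutil -L -d <nssdb> -n '<nickname>'`; the DER walker only touches the first four TBSCertificate fields, so it works on real certificates as well as the skeleton, and the long-form length handling is what real (larger than 127 bytes) certificates exercise.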


[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Karim Bourenane via FreeIPA-users
Thank you for your update

As Florence said too, I have also only updated ipa-*, but I have several
errors:
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command
ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for
details:
AttributeError: locked: cannot set ra_certprofile.override_port to 8443

ipa: DEBUG: File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py at line
1015, in run_script
return_value = main_function()

File /usr/sbin/ipactl, line 598, in main
ipa_start(options)

File /usr/sbin/ipactl, line 288, in main
version_check()

File /usr/sbin/ipactl, line 161, in version_check
raise IpactlError("Aborting ipactl")



Best regards
Mr Karim Bourenane
+33686464439
+32 493 86 63 54



On Mon, 8 June 2020 at 19:36, Rob Crittenden wrote:

> Note that this has nothing to do with anything listening on port 8443.
>
> This is trying to change the IPA runtime environment for some reason and
> it's in a locked state. I don't know this code very well so I'm not sure
> what the remediation is. It seems like something that should have either
> always or never worked but it could be it was affected by some later
> change, I don't know.
>
> It thinks it needs to migrate your disk-based profiles into LDAP and
> that's not something that should be skipped.
>
> rob

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Rob Crittenden via FreeIPA-users
Karim Bourenane via FreeIPA-users wrote:
> Hello François, All
> 
> Thank you for your answer/update
> 
> Here's what I did:
> All processes RUNNING with: ipactl status
> yum update
> 
> *I have several errors in the yum update command*:
> 2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect
> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> 2020-06-08T09:39:42Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 54, in run
>     server.upgrade()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 2146, in upgrade
>     upgrade_configuration()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 2018, in upgrade_configuration
>     ca_enable_ldap_profile_subsystem(ca)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 406, in ca_enable_ldap_profile_subsystem
>     cainstance.migrate_profiles_to_ldap()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
> 1990, in migrate_profiles_to_ldap
>     api.Backend.ra_certprofile.override_port = 8443
>   File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in
> __setattr__
>     SET_ERROR % (self.__class__.__name__, name, value)
> 
> 2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed,
> exception: AttributeError: locked: cannot set
> ra_certprofile.override_port to 8443
> 2020-06-08T09:39:42Z ERROR Unexpected error - see
> /var/log/ipaupgrade.log for details:
> AttributeError: locked: cannot set ra_certprofile.override_port to 8443
> 2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See
> /var/log/ipaupgrade.log for more information

Note that this has nothing to do with anything listening on port 8443.

This is trying to change the IPA runtime environment for some reason and
it's in a locked state. I don't know this code very well so I'm not sure
what the remediation is. It seems like something that should have either
always or never worked but it could be it was affected by some later
change, I don't know.

It thinks it needs to migrate your disk-based profiles into LDAP and
that's not something that should be skipped.

rob


[Freeipa-users] Re: Problem with AD users after upgrade

2020-06-08 Thread Rob Crittenden via FreeIPA-users
Ronald Wimmer via FreeIPA-users wrote:
> On 05.06.20 17:33, Ronald Wimmer via FreeIPA-users wrote:
>> On 05.06.20 16:24, Ronald Wimmer via FreeIPA-users wrote:
>>> I did an IPA migration from CentOS 7 machines to OL 8.1 following the
>>> procedure as documented in
>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating
>>> .
>>>
>>> Today I found out that only four of my eight IPA servers do resolve
>>> AD users (tested with id  on every IPA server). The setup
>>> procedure did not differ. (except for machine no. 1 which is the CA
>>> renewal master)
>>>
>>> AD users are resolved on machines 1, 5, 6 and 8. Machine 2, 3, 4 and
>>> 7 do not resolve AD users.
>>
>> When upgrading we could neither keep hostnames nor IP addresses. Might
>> this explain the behaviour above? (could the working machines have IPs
>> of former trust controllers?)
> 
> I think I was panicking too early. Because the sssd-db-cache was mounted
> in RAM I rebooted the IPA servers sequentially and voilà the problem
> disappeared.
> 
> Is there any means of checking the IPA installation? I will try
> ipa-healthcheck today.

That's the way to check the installation.

rob


[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Karim Bourenane via FreeIPA-users
This process, number 25551, is launched by pkiuser for the pki-tomcat service.


Best regards
Mr Karim Bourenane
+33686464439
+32 493 86 63 54



On Mon, 8 June 2020 at 16:25, Karim Bourenane wrote:

> Hello
>
> I found a lead; it appears that Java does not want to release the TCPv6
> port connection:
> #netstat -plten | grep 8443
> tcp6 0 0 :::8443 :::*   LISTEN 17 178055  25551/java
>
> And also HTTP on tcp6 443
>
> This connection is launched by the command yum update (come in libcc) or
> when I launch ipa-server-upgrade
>
> How can I correct this behaviour?
>
> Best regards
> Mr Karim Bourenane
> +33686464439
> +32 493 86 63 54

[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Karim Bourenane via FreeIPA-users
Hello François, Florence, All

After checking and disabling my local firewall,
I have the same problem:

[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
AttributeError: locked: cannot set ra_certprofile.override_port to 8443


Regards


Best regards
Mr Karim Bourenane
+33686464439
+32 493 86 63 54





[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Karim Bourenane via FreeIPA-users
Hello François, All

Thank you for your answer/update

Here's what I did:
All processes RUNNING with: ipactl status
yum update

*I have several errors in the yum update command*:
2020-06-08T09:39:42Z ERROR IPA server upgrade failed: Inspect
/var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2020-06-08T09:39:42Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
execute
return_value = self.run()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 54, in run
server.upgrade()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 2146, in upgrade
upgrade_configuration()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 2018, in upgrade_configuration
ca_enable_ldap_profile_subsystem(ca)
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 406, in ca_enable_ldap_profile_subsystem
cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
line 1990, in migrate_profiles_to_ldap
api.Backend.ra_certprofile.override_port = 8443
  File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 134, in
__setattr__
SET_ERROR % (self.__class__.__name__, name, value)

2020-06-08T09:39:42Z DEBUG The ipa-server-upgrade command failed,
exception: AttributeError: locked: cannot set ra_certprofile.override_port
to 8443
2020-06-08T09:39:42Z ERROR Unexpected error - see /var/log/ipaupgrade.log
for details:
AttributeError: locked: cannot set ra_certprofile.override_port to 8443
2020-06-08T09:39:42Z ERROR The ipa-server-upgrade command failed. See
/var/log/ipaupgrade.log for more information


Regards


Best regards
Mr Karim Bourenane
+33686464439
+32 493 86 63 54





[Freeipa-users] Re: Planing multi-site deployment

2020-06-08 Thread Willie Lima via FreeIPA-users
Thank you for replying.

Now I understand that concept. It worked for me.


[Freeipa-users] Trust controllers vs. trust agents

2020-06-08 Thread Ronald Wimmer via FreeIPA-users
After an IPA upgrade all of my 8 IPA servers are trust controllers. 
Before the upgrade only half of them were trust controllers. The other 
half were trust agents.


In my opinion not all of them have to be trust controllers. Is it safe 
to remove the controller role on 4 of the 8 servers? If yes, how would I 
do that without breaking anything?


Cheers,
Ronald


[Freeipa-users] Re: Problem with AD users after upgrade

2020-06-08 Thread Ronald Wimmer via FreeIPA-users

On 05.06.20 17:33, Ronald Wimmer via FreeIPA-users wrote:
> On 05.06.20 16:24, Ronald Wimmer via FreeIPA-users wrote:
>> I did an IPA migration from CentOS 7 machines to OL 8.1 following the
>> procedure as documented in
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating
>> .
>>
>> Today I found out that only four of my eight IPA servers do resolve AD
>> users (tested with id  on every IPA server). The setup
>> procedure did not differ. (except for machine no. 1 which is the CA
>> renewal master)
>>
>> AD users are resolved on machines 1, 5, 6 and 8. Machine 2, 3, 4 and 7
>> do not resolve AD users.
>
> When upgrading we could neither keep hostnames nor IP addresses. Might
> this explain the behaviour above? (could the working machines have IPs
> of former trust controllers?)

I think I was panicking too early. Because the sssd-db-cache was mounted
in RAM I rebooted the IPA servers sequentially and voilà the problem
disappeared.

Is there any means of checking the IPA installation? I will try
ipa-healthcheck today.


Cheers,
Ronald


[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread Florence Blanc-Renaud via FreeIPA-users

On 6/6/20 11:42 AM, Karim Bourenane via FreeIPA-users wrote:
> Hello Team
>
> I have some questions:
> 1) I need your help to find the best way to upgrade my 3 linked servers
> (replicas).
> I want to upgrade the servers from CentOS 7.6 to CentOS 7.7 and update
> the IPA server at the same time (or separately?)

Hi,

in order to upgrade each server from CentOS 7.6 to CentOS 7.7, you need
to run "yum update".
This command will also update ipa-* packages and internally call
ipa-server-upgrade, meaning you don't need to manually call
ipa-server-upgrade.

Please find more information in "Updating Identity Management" [1].

For multiple servers upgrade, keep in mind that the upgrade needs to be
done sequentially, i.e. upgrade server 1, wait a few minutes for
replication to propagate changes, upgrade server 2, etc.

HTH,
flo

[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/updating-migrating#update-ipa

> After searching on Freeipa.org and other sites, I found:
> #ipactl stop
> #ipa-server-upgrade
> #ipactl start
>
> Do I not need to delete the replication link first?
> What is the best way?
>
> 2) Is it not better to migrate my IPA servers to version 4.7 or 4.8?
> Or do I need steps for that too?
>
> Thank you for your help
>
> Best regards
> Mr Karim Bourenane
> +33686464439
> +32 493 86 63 54


[Freeipa-users] Re: Better way to upgrade IPAServer4.6.4 to 4.6.5 + OS 7.6 to 7.7?

2020-06-08 Thread François Cami via FreeIPA-users
Hi,

On Sun, Jun 7, 2020 at 11:13 PM Karim Bourenane via FreeIPA-users
 wrote:
>
> Hello Team
>
> I have some questions:
> 1°) I need your help to find the best way to upgrade my 3 linked
> servers (replicas).
> I want to upgrade the servers from CentOS 7.6 to CentOS 7.7 and update
> the IPA server at the same time (or separately?)

Not at the same time. The upgrade logic is bound to update some data
in LDAP. It is best to wait until the first update is done, and the
resulting replication traffic has subsided. Then do the other replicas
one at a time.

> After searching on Freeipa.org and other sites, I found:
> #ipactl stop
> #ipa-server-upgrade
> #ipactl start

You do not need to do that. "yum update" is enough.

> Do I not need to delete the replication link first?

Certainly not.

> What is the better way?

See above.

> 2°) Is it not better to migrate my IPA servers to version 4.7 or 4.8?
> Or do I need extra steps for that too?

You would need to migrate to RHEL8 / CentOS8 to have ipa-4-8.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/migrate-7-to-8_migrating

Best regards,
François

> Thank you for your help
>
> Best regards
> Kind regards
> Mr Karim Bourenane
> +33686464439
> +32 493 86 63 54
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
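
Both replies above give the same procedure: "yum update" one server (which runs ipa-server-upgrade for you), let replication settle, then move to the next. The script below is an added example written for this archive page, not code from the thread or from the FreeIPA project. It assumes root ssh access to each server, that the caller already holds an admin Kerberos ticket valid for ipa-replica-manage on each host (or adds "-p" with the Directory Manager password), and that "ipa-replica-manage list -v HOST" prints one "last update status:" line per agreement in the form shown in the constructed samples; the hostnames, the 20 second poll interval and the retry count are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): drive "yum update" across FreeIPA
# servers one at a time, moving on only once the freshly updated server's
# replication agreements report a clean incremental update.

# replication_settled: reads `ipa-replica-manage list -v HOST` output on stdin.
# Returns 0 when every agreement line reports "Error (0)" together with
# "Incremental update succeeded", 1 otherwise (including empty input).
replication_settled() {
    awk '
        /last update status:/ {
            total++
            if ($0 ~ /Error \(0\)/ && $0 ~ /Incremental update succeeded/) ok++
        }
        END { exit ((total > 0 && ok == total) ? 0 : 1) }
    '
}

# wait_for_replication HOST [TRIES]: poll HOST until its agreements are clean.
wait_for_replication() {
    host=$1
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        if ssh "root@$host" ipa-replica-manage list -v "$host" | replication_settled; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 20
    done
    echo "replication on $host did not settle in time" >&2
    return 1
}

# upgrade_sequentially HOST...: update each server in turn, as both replies
# advise; "yum update" calls ipa-server-upgrade internally, so no manual
# ipactl stop / ipa-server-upgrade / ipactl start is needed.
upgrade_sequentially() {
    for host in "$@"; do
        echo "== updating $host"
        ssh "root@$host" yum -y update || return 1
        ssh "root@$host" ipactl status || return 1
        wait_for_replication "$host" || return 1
    done
}

# Constructed sample output (placeholder hostnames and timestamps) in the
# layout ipa-replica-manage list -v uses: all agreements settled.
sample_settled() {
cat <<'EOF'
ipa2.example.org: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2020-06-08 10:12:40+00:00
ipa3.example.org: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2020-06-08 10:12:41+00:00
EOF
}

# Constructed sample: one agreement still mid-update, so not settled yet.
sample_busy() {
cat <<'EOF'
ipa2.example.org: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2020-06-08 10:12:40+00:00
ipa3.example.org: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update started
  last update ended: 1970-01-01 00:00:00+00:00
EOF
}

# Usage on a real topology (placeholder names):
#   upgrade_sequentially ipa1.example.org ipa2.example.org ipa3.example.org
```

The two sample functions only exist so that replication_settled can be exercised offline; on a live topology the wrapper reads the real ipa-replica-manage output over ssh. Keeping the "is replication quiet?" decision in its own function is what makes the wait loop testable, and it is also the place to tighten the rule (for example, to also require a recent "last update ended" timestamp) if your environment needs it.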


[Freeipa-users] Re: Problems after replacing SSL certificates

2020-06-08 Thread Florence Blanc-Renaud via FreeIPA-users

On 6/5/20 7:50 PM, John Burns via FreeIPA-users wrote:

> I have this exact same error on ipa-certupdate, after deleting certs that 
> expired on May 30. Were you able to find any leads in the time since this post?
>
> ipa-certupdate is needed after "ipa-cacert-manage install" commands, prior to 
> ipa-server-certinstall.


Hi,

I believe this question was already answered in the thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/FDDKNC4JXRUMSI2G4IUE6TFLS3FBRUUH/

If you forgot to run ipa-certupdate on a node, you need to add the new 
CA to /etc/ipa/ca.crt and /etc/ipa/nssdb. After that, ipa-certupdate 
should work.


HTH,
flo
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
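
The reply above says a node that missed ipa-certupdate needs the new CA in both /etc/ipa/ca.crt and /etc/ipa/nssdb before ipa-certupdate will work. The helper below is an added example for this archive page, not code from the thread or from FreeIPA: it checks whether a given PEM certificate is already in the bundle (comparing the base64 body, so different line wrapping does not matter) and whether a nickname exists in the NSS database via certutil. The sample PEM files it writes are constructed placeholders, not real certificates, and the nickname argument is an assumption you replace with the name the CA carries in your nssdb.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a CA certificate is
# present in the two stores ipa-certupdate maintains on a client/server node.

# pem_bodies FILE: one line per certificate in FILE, the base64 body with
# line breaks removed, so two wrappings of the same DER compare equal.
pem_bodies() {
    awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
         /^-----END CERTIFICATE-----/   { print body; inside = 0; next }
         inside { body = body $0 }' "$1"
}

# bundle_contains BUNDLE CERT: 0 if the first certificate in CERT is present
# in BUNDLE, 1 if not, 2 if CERT holds no certificate at all.
bundle_contains() {
    want=$(pem_bodies "$2" | head -n 1)
    [ -n "$want" ] || { echo "no certificate found in $2" >&2; return 2; }
    pem_bodies "$1" | grep -qxF -- "$want"
}

# nssdb_has_nickname DB NICKNAME: 0 if certutil (nss-tools) lists NICKNAME
# in DB. Only meaningful on a real node, e.g.
#   nssdb_has_nickname /etc/ipa/nssdb 'EXAMPLE.ORG IPA CA'   # nickname assumed
nssdb_has_nickname() {
    certutil -L -d "$1" -n "$2" >/dev/null 2>&1
}

# check_node CERT NICKNAME: report both stores on this node.
check_node() {
    bundle_contains /etc/ipa/ca.crt "$1" && echo "ca.crt: present" || echo "ca.crt: MISSING"
    nssdb_has_nickname /etc/ipa/nssdb "$2" && echo "nssdb: present" || echo "nssdb: MISSING"
}

# make_samples DIR: write constructed PEM files (placeholder base64, not real
# certificates) so bundle_contains can be exercised without touching /etc/ipa.
make_samples() {
    dir=$1
    cat >"$dir/old-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
T0xEQ0FQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
    # same constructed body as below, but wrapped across two lines
    cat >"$dir/new-ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
TkVXQ0FQTEFDRUhPTERF
Ug==
-----END CERTIFICATE-----
EOF
    # bundle before the new CA was added: only the old certificate
    cp "$dir/old-ca.pem" "$dir/ca.crt"
    # bundle after adding the new CA, body on a single line
    {
        cat "$dir/old-ca.pem"
        printf -- '-----BEGIN CERTIFICATE-----\nTkVXQ0FQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n'
    } >"$dir/ca-updated.crt"
}
```

Run check_node with the new CA's PEM file and its nssdb nickname on each node that reports the ipa-certupdate error; a "MISSING" line tells you which of the two stores still needs the certificate added before ipa-certupdate is retried.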