Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On 03/10/2015 03:06 PM, Alexander Bokovoy wrote: On Tue, 10 Mar 2015, Benjamin Reed wrote: On 3/10/15 9:31 AM, Alexander Bokovoy wrote: Are you following these instructions? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html Aha! No. There are so many false positives in google I had no idea that document existed. Pretty much everything I've found that links to how to migrate takes me to this: http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS ...which in turn pointed to this: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html I didn't see anything about RHEL6-RHEL7 or FreeIPA 3.0-3.3 http://www.freeipa.org/page/Documentation unless I missed it. The 3.3 section on there is pretty much just a collection of things about new features. (And a presentation deck that points to that first link above...) We have http://www.freeipa.org/page/Documentation#User_Guides and going through user guide would be our recommended action. There is a whole chapter 6 in RHEL7 docs for upgrades and migration. Hmm, I looked in FreeIPA.org and saw that about a dozen of pages still pointed to the old, abandoned (http://www.freeipa.org/page/Upstream_User_Guide) Fedora guides. I went through the pages and changed them all to point to the most up to date user guide - RHEL-7 guide. I also added a link to the RHEL-7 migration guide to the FreeIPA.org migration page, for additional information: http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS If you know about more sources like that, please tell me or update the page. Thanks, Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
Hi, Currently it seems that IPA on RHEL6.6 is broken in terms of adding a RHEL7.1 replica to it. ie following the document linked to below. Should be a BZ case on it shortly via RH support (RH case number 01290601) for an updated 389 rpm for 6.6. I assume it will be the same for Centos 7.x as your base is RHEL6.6. Unless there is an already fixed 389/6.6 package somewhere I can try? Its a test bed for the actual upgrade so if it blows no biggee, anything to get this advanced! regards Steven 8--- Are you following these instructions? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html 8--- -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
I'm attempting to migrate FreeIPA from an RHEL6 server to a CentOS7 server. When I run ipa-replica-install to set up the CentOS7 server, I get the following error: ipa : CRITICAL The master CA directory server does not have necessary schema. Please copy the following script to all CA masters and run it on them: /usr/share/ipa/copy-schema-to-ca.py If you are certain that this is a false positive, use --skip-schema-check. IPA schema missing on master CA directory server Is it safe to run this script on the RHEL6 server? Is it a false positive I should ignore? What is the best way to transition? Thanks, Ben -- Benjamin Reed The OpenNMS Group http://www.opennms.org/ signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On Tue, 10 Mar 2015, Benjamin Reed wrote: I'm attempting to migrate FreeIPA from an RHEL6 server to a CentOS7 server. When I run ipa-replica-install to set up the CentOS7 server, I get the following error: ipa : CRITICAL The master CA directory server does not have necessary schema. Please copy the following script to all CA masters and run it on them: /usr/share/ipa/copy-schema-to-ca.py If you are certain that this is a false positive, use --skip-schema-check. IPA schema missing on master CA directory server Is it safe to run this script on the RHEL6 server? Is it a false positive I should ignore? What is the best way to transition? Are you following these instructions? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On 3/10/15 9:31 AM, Alexander Bokovoy wrote: Are you following these instructions? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html Aha! No. There are so many false positives in google I had no idea that document existed. Pretty much everything I've found that links to how to migrate takes me to this: http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS ...which in turn pointed to this: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html I didn't see anything about RHEL6-RHEL7 or FreeIPA 3.0-3.3 http://www.freeipa.org/page/Documentation unless I missed it. The 3.3 section on there is pretty much just a collection of things about new features. (And a presentation deck that points to that first link above...) Anyways, thank you for the link. That makes it much clearer. I do have one problem now. I currently have the following systems: connect: RHEL6, FreeIPA master auth.internal: CentOS6, FreeIPA replica auth: CentOS7, migration target Following the instructions you linked, I ran the copy-schema-to-ca.py script on connect, and it completed successfully. I then tried to run it on auth.internal (the CentOS6 replica) and it fails with this error: python copy-schema-to-ca.py Traceback (most recent call last): File copy-schema-to-ca.py, line 85, in module main() File copy-schema-to-ca.py, line 79, in main add_ca_schema() File copy-schema-to-ca.py, line 42, in add_ca_schema pki_pent = pwd.getpwnam(PKI_USER) KeyError: 'getpwnam(): name not found: pkiuser' ...am I supposed to run this script the replica as well? Or is something broken on my replica? Thanks, Ben -- Benjamin Reed The OpenNMS Group http://www.opennms.org/ signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)
On Tue, 10 Mar 2015, Benjamin Reed wrote: On 3/10/15 9:31 AM, Alexander Bokovoy wrote: Are you following these instructions? https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html Aha! No. There are so many false positives in google I had no idea that document existed. Pretty much everything I've found that links to how to migrate takes me to this: http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS ...which in turn pointed to this: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html I didn't see anything about RHEL6-RHEL7 or FreeIPA 3.0-3.3 http://www.freeipa.org/page/Documentation unless I missed it. The 3.3 section on there is pretty much just a collection of things about new features. (And a presentation deck that points to that first link above...) We have http://www.freeipa.org/page/Documentation#User_Guides and going through user guide would be our recommended action. There is a whole chapter 6 in RHEL7 docs for upgrades and migration. Anyways, thank you for the link. That makes it much clearer. I do have one problem now. I currently have the following systems: connect: RHEL6, FreeIPA master auth.internal: CentOS6, FreeIPA replica auth: CentOS7, migration target Following the instructions you linked, I ran the copy-schema-to-ca.py script on connect, and it completed successfully. I then tried to run it on auth.internal (the CentOS6 replica) and it fails with this error: python copy-schema-to-ca.py Traceback (most recent call last): File copy-schema-to-ca.py, line 85, in module main() File copy-schema-to-ca.py, line 79, in main add_ca_schema() File copy-schema-to-ca.py, line 42, in add_ca_schema pki_pent = pwd.getpwnam(PKI_USER) KeyError: 'getpwnam(): name not found: pkiuser' ...am I supposed to run this script the replica as well? Or is something broken on my replica? Looks like you don't have CA installed on auth.internal so you don't need to update CA schema there. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project