[Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-26 Thread Erinn Looney-Triggs

Well, it hasn't been all that pretty trying to move from RHEL 6.5 to
RHEL 7.

I have two servers providing my IPA instances, ipa and ipa2. Given that
I don't have a great deal of spare capacity, the plan was to remove
ipa2 from the replication agreement and modify DNS so that only ipa was
available in SRV logs (IPA does not manage DNS at this point; I was
waiting for DNSSEC). As well, I would change my sudo-ldap config files
to point to ipa and remove ipa2.

Well, that all worked well; I installed RHEL 7 on the system and began
working through the steps in the upgrade guide.

First major problem was running into this bug:
https://fedorahosted.org/freeipa/ticket/4375
ValueError: nsDS5ReplicaId has 2 values, one expected.

I went and patched the replication.py file to get around that issue, and
we moved on.

Next up is my current issue: Exception from Java Configuration
Servlet: Clone does not have all the required certificates.

I suspect this is because I am running the CA as a subordinate to an
AD CS instance, but I am unsure at this point.

It has been a haul to get here, despite the short explanation. It
seems that my primary IPA instance is working on only a hit-or-miss
basis for Kerberos tickets, which has made all this a bit of a pain.
You can kinit as admin once and it will fail with "unable to find KDC";
try again another three times and it will work. I have even modified
the krb5.conf file to point directly at the server, thus bypassing DNS
SRV lookups; however, that hasn't worked.

Point is, any help would be appreciated on the aforementioned error.

-Erinn

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] RHEL 7 Upgrade experience so far

2014-07-26 Thread Erinn Looney-Triggs

On 07/26/2014 05:25 PM, Erinn Looney-Triggs wrote:
> Well, it hasn't been all that pretty trying to move from RHEL 6.5 to
> RHEL 7.
>
> I have two servers providing my IPA instances, ipa and ipa2. Given
> that I don't have a great deal of spare capacity, the plan was to
> remove ipa2 from the replication agreement and modify DNS so that only
> ipa was available in SRV logs (IPA does not manage DNS at this
> point; I was waiting for DNSSEC). As well, I would change my
> sudo-ldap config files to point to ipa and remove ipa2.
>
> Well, that all worked well; I installed RHEL 7 on the system and
> began working through the steps in the upgrade guide.
>
> First major problem was running into this bug:
> https://fedorahosted.org/freeipa/ticket/4375 ValueError:
> nsDS5ReplicaId has 2 values, one expected.
>
> I went and patched the replication.py file to get around that issue,
> and we moved on.
>
> Next up is my current issue: Exception from Java Configuration
> Servlet: Clone does not have all the required certificates.
>
> I suspect this is because I am running the CA as a subordinate to
> an AD CS instance, but I am unsure at this point.
>
> It has been a haul to get here, despite the short explanation. It
> seems that my primary IPA instance is working on only a hit-or-miss
> basis for Kerberos tickets, which has made all this a bit of a
> pain. You can kinit as admin once and it will fail with "unable to
> find KDC"; try again another three times and it will work. I have
> even modified the krb5.conf file to point directly at the server,
> thus bypassing DNS SRV lookups; however, that hasn't worked.
>
> Point is, any help would be appreciated on the aforementioned
> error.
>
> -Erinn
>

To reply to myself here, I believe the problem may be that I had to
renew the CA certificates, and as such the certificates in
/root/cacert.p12 are no longer valid. It is this file that gets
bundled up, with whatever else, by ipa-replica-prepare, so I will
have to create a new one that has the valid certificates in it.

One way or another, though, if it isn't already documented, during a CA
renewal this file should probably be updated with the correct
certificates.

-Erinn



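As an added example (not part of the original thread, and not FreeIPA's own tooling), here is a POSIX shell check for the condition the reply above describes: whether the certificates bundled in a PKCS#12 file such as /root/cacert.p12 still match the CA certificate the server currently uses, and whether the bundled signing certificate is about to expire. The paths /root/cacert.p12 and /etc/ipa/ca.crt, the password variable and the 30-day window are assumptions; it needs only openssl and awk.

```shell
#!/bin/sh
# Added example, not FreeIPA's own tooling: verify that the CA certificate
# bundled in a PKCS#12 file (e.g. /root/cacert.p12, which ipa-replica-prepare
# packages for a new replica) still matches the CA certificate the server
# currently uses (assumed to live in /etc/ipa/ca.crt). Paths, password and
# the 30-day warning window are assumptions; requires openssl and awk.

# SHA-256 fingerprint of the first certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if any certificate inside the PKCS#12 file $1 (password $2)
# has the same fingerprint as the PEM certificate $3, otherwise 1.
p12_has_cert() {
    p12=$1; pass=$2; ref=$3
    want=$(pem_fingerprint "$ref") || return 2
    tmp=$(mktemp -d) || return 2
    # Dump every certificate (no keys) and split them into one file each,
    # so a chain (e.g. an AD CS root above a subordinate IPA CA) is covered.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys 2>/dev/null |
      awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
    found=1
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        if [ "$(pem_fingerprint "$c")" = "$want" ]; then
            found=0
            break
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Return 0 if the certificate that has a private key in the PKCS#12 file
# (the CA signing certificate) is still valid $3 seconds from now, 1 if not.
p12_signing_cert_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
      openssl x509 -noout -checkend "$3" >/dev/null
}

# Combined check: $1 = PKCS#12 file, $2 = its password, $3 = reference PEM.
# Exit status 0 means the bundle is safe to hand to ipa-replica-prepare.
check_cacert_p12() {
    if ! p12_has_cert "$1" "$2" "$3"; then
        echo "STALE: $1 does not contain the certificate in $3; rebuild it before running ipa-replica-prepare" >&2
        return 1
    fi
    if ! p12_signing_cert_ok "$1" "$2" 2592000; then
        echo "WARNING: signing certificate in $1 expires within 30 days" >&2
        return 1
    fi
    echo "OK: $1 matches $3"
}

# Usage on a server (assumed paths; run as root, with the PKCS#12 password
# in P12_PASSWORD):
#   check_cacert_p12 /root/cacert.p12 "$P12_PASSWORD" /etc/ipa/ca.crt
```

The fingerprint comparison, rather than a subject-name match, is what catches a renewed CA: a renewal keeps the subject and usually the key, but issues a new certificate, so the old bundle looks right until a replica actually tries to use it. If the reference file holds a chain, only its first certificate is compared; pass the IPA CA certificate on its own when the chain order is not known.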