Re: [Freeipa-users] ipa-replica-conncheck wants listener on port 7389
On 02/28/2017 03:37 AM, Standa Laznicka wrote:
> Please, rather check what the problem is. Port 7389 is not required for
> the newer system, but the old 6.x system has to be listening on it so
> that we can replicate against the older Dogtag database.
>
> From the previous mail I believe you were following the right
> documentation,
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc,
> correct?

Yes, but I hit this issue when setting up replication from a (temporary) CentOS 7 system back to the newly re-installed system.

I believe that I understand the issue. The ipa-replica-conncheck man page at https://linux.die.net/man/1/ipa-replica-conncheck says this:

    -c, --check-ca
        Include in a check also a set of dogtag connection requirements. When a replica is self-sign this option is not needed.

But the man page in CentOS 7 says:

    -c, --check-ca
        Include in a check also a set of dogtag connection requirements. Only needed when the master was installed with Dogtag 9 or lower.

As a system administrator who is unfamiliar with the inner workings of FreeIPA, neither version really helped me to figure out if I should be passing that option. (The answer appears to be "yes" when the existing server was CentOS 6, but "no" when the existing server is CentOS 7.)

--
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
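An added example, not part of the thread or of FreeIPA: a shell helper that encodes the conclusion above (pass `--check-ca` for a CentOS 6 master, omit it for CentOS 7) and, for the CentOS 6 case, probes port 7389 first rather than skipping the check. The function names and the sample host are constructed, and the script only prints the command to run.

```shell
#!/usr/bin/env bash
# Added example. Helper names are constructed; port 7389 and --check-ca
# are the ones discussed in the thread.
LEGACY_CA_PORT=7389   # port the 6.x master must listen on (older Dogtag database)

# port_open HOST PORT -> exit 0 if a TCP connect succeeds within 3 seconds
port_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# conncheck_plan MASTER EL_MAJOR
# Prints the ipa-replica-conncheck command to run from the new replica.
# Returns 1 when an EL6 master does not answer on the legacy CA port,
# 2 when the release is not one the thread covers.
conncheck_plan() {
  local master=$1 el_major=$2
  case "$el_major" in
    6)
      if port_open "$master" "$LEGACY_CA_PORT"; then
        echo "ipa-replica-conncheck --master $master --check-ca"
      else
        echo "$master: nothing reachable on TCP $LEGACY_CA_PORT;" \
             "check the listener and firewall before ipa-replica-install" >&2
        return 1
      fi
      ;;
    7)
      echo "ipa-replica-conncheck --master $master"
      ;;
    *)
      echo "EL $el_major is not covered by this thread" >&2
      return 2
      ;;
  esac
}

# Usage when run as a script (constructed host): ./plan.sh ipa6.example.test 6
if [ "$#" -eq 2 ]; then
  conncheck_plan "$1" "$2"
fi
```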
Re: [Freeipa-users] ipa-replica-conncheck wants listener on port 7389
On 02/28/2017 09:59 AM, Tomas Krizek wrote:
> On 02/27/2017 11:24 PM, Ian Pilcher wrote:
>> I'm part way through my CentOS 6 to 7 "upgrade". I've reached the
>> point of trying to set up my new IPA server as a replica of a temporary
>> VM.
>>
>> ipa-replica-conncheck is complaining, because nothing on the temporary
>> server is listening on port 7389.
>>
>> The documentation here:
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html
>>
>> Says:
>>
>>     In a purely Red Hat Enterprise Linux 7 environment, port 7389 is not
>>     required.
>>
>> Which seems to indicate that nothing *should* be listening on that port
>> on a CentOS 7 IPA server.
>>
>> So who's right? And if something (pki-tomcatd?) should be listening on
>> that port, how do I make it do so?
>>
>> Thanks!
>
> On a CentOS 7 IPA server, port 7389 should not be required. You can
> bypass the check with --skip-conncheck when running ipa-replica-install.

Please, rather check what the problem is. Port 7389 is not required for the newer system, but the old 6.x system has to be listening on it so that we can replicate against the older Dogtag database.

From the previous mail I believe you were following the right documentation, https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc, correct?
Re: [Freeipa-users] ipa-replica-conncheck wants listener on port 7389
On 02/27/2017 11:24 PM, Ian Pilcher wrote:
> I'm part way through my CentOS 6 to 7 "upgrade". I've reached the
> point of trying to set up my new IPA server as a replica of a temporary
> VM.
>
> ipa-replica-conncheck is complaining, because nothing on the temporary
> server is listening on port 7389.
>
> The documentation here:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html
>
> Says:
>
>     In a purely Red Hat Enterprise Linux 7 environment, port 7389 is not
>     required.
>
> Which seems to indicate that nothing *should* be listening on that port
> on a CentOS 7 IPA server.
>
> So who's right? And if something (pki-tomcatd?) should be listening on
> that port, how do I make it do so?
>
> Thanks!

On a CentOS 7 IPA server, port 7389 should not be required. You can bypass the check with --skip-conncheck when running ipa-replica-install.

--
Tomas Krizek
[Freeipa-users] ipa-replica-conncheck wants listener on port 7389
I'm part way through my CentOS 6 to 7 "upgrade". I've reached the point of trying to set up my new IPA server as a replica of a temporary VM.

ipa-replica-conncheck is complaining, because nothing on the temporary server is listening on port 7389.

The documentation here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html

Says:

    In a purely Red Hat Enterprise Linux 7 environment, port 7389 is not required.

Which seems to indicate that nothing *should* be listening on that port on a CentOS 7 IPA server.

So who's right? And if something (pki-tomcatd?) should be listening on that port, how do I make it do so?

Thanks!

--
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"