Hello, My existing FreeIPA 3.0 (CentOS 6) setup is as follows:
Kerberos Realm: test.com

I have several DNS zones:
test.com
dev.test.com
stage.test.com
qa.test.com
prod.test.com
mgmt.test.com

ipa01.mgmt.test.com - FreeIPA 3.0 Master
ipa02.mgmt.test.com - FreeIPA 3.0 Replica

The FreeIPA servers actually reside in mgmt.test.com. test.com in FreeIPA 3 has forwarding DNS servers configured.

We are going to move to FreeIPA 4.2 (CentOS 7) and here is the path I have tested that appears to work. I followed this guide:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

1. Create an IPA 4 server (ipa03.mgmt.test.com) that is a replica of the IPA 3 master server (ipa01.mgmt.test.com)
2. Remove the replica agreement for ipa02.mgmt.test.com on the IPA 3 master (ipa01.mgmt.test.com)
3. Shut down ipa02.mgmt.test.com to prep for an IPA 4 server to take its place
4. Build a new server and install IPA 4 server on it; this will become the new ipa02.mgmt.test.com
5. Make ipa02.mgmt.test.com a replica of ipa03.mgmt.test.com
6. Make ipa02.mgmt.test.com the master CRL server instead of ipa01.mgmt.test.com
7. Shut down ipa01.mgmt.test.com to prep for an IPA 4 server to take its place
8. Build a new server and install IPA 4 server on it; this will become the new ipa01.mgmt.test.com
9. Make ipa01.mgmt.test.com a replica of ipa02.mgmt.test.com

The reason for removing the old servers and having the new servers take their place is so that I can reuse the IP addresses and do not need to change DNS entries on any client.

The problem occurs when I realize that the test.com zone needs to be a forwarded zone in IPA 4, but in IPA 3 it is a normal DNS zone, and I need to have test.com be a forwarded zone. In IPA 3 there is no entry for ipa-ca.test.com, but I do see it in IPA 4. In my testing I have removed the test.com zone and made it a forwarding zone, but that removes the entry for ipa-ca.test.com as well as all the test.com Kerberos entries.
What I do not know is what I broke when I removed test.com, since it is the Kerberos realm. It appears that replication between the servers still works, and I was able to add an IPA 4 client server without issue. We plan on using certs generated from IPA 4 for OpenVPN, but I do not have enough information to know if the removal of the test.com zone will break that certificate validation and revocation, since the ipa-ca.test.com DNS entry no longer exists. I believe where I went wrong was that I should have set up mgmt.test.com as the Kerberos realm rather than test.com, and then I would not have the questions I do now.

Thank you for your help.

*Mike Plemmons | Senior DevOps Engineer*
614-741-5475
mike.plemm...@crosschx.com
www.crosschx.com
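As an added example (not part of Mike's post and not FreeIPA's own tooling), here is a small POSIX shell audit that answers the revocation question concretely: it pulls the hostnames out of the CRL Distribution Point and OCSP URIs of an issued certificate and checks that each one still resolves from the client's point of view. Those are the names a validator (OpenVPN with crl-verify, or anything doing OCSP) must reach, so if the ipa-ca name vanished with the test.com zone, this is where it shows up. The certificate dump is a constructed sample modelled on the URIs FreeIPA 4 writes into its certificates (http://ipa-ca.<domain>/ipa/crl/MasterCRL.bin and http://ipa-ca.<domain>/ca/ocsp); the certificate path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Audit the hostnames an IPA-issued certificate depends on for revocation
# checking (CRL DP and OCSP URIs) and verify each one still resolves.

# Constructed sample: the relevant extension fragments as printed by
# `openssl x509 -noout -text` for a FreeIPA 4 certificate in the test.com
# realm. The URI paths are the defaults FreeIPA 4 uses.
SAMPLE_CERT_TEXT='
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.test.com/ipa/crl/MasterCRL.bin
            Authority Information Access:
                OCSP - URI:http://ipa-ca.test.com/ca/ocsp
'

# Print the distinct hostnames found in URI: entries of a certificate dump
# read from stdin. Pure text processing, no network needed.
uri_hosts() {
    sed -n 's/.*URI:[a-z]*:\/\/\([^\/:]*\).*/\1/p' | sort -u
}

# Dump a PEM/DER certificate file and feed it to uri_hosts (needs openssl).
cert_uri_hosts() {
    openssl x509 -in "$1" -noout -text | uri_hosts
}

# Hostnames from the constructed sample, for a quick offline demonstration.
sample_uri_hosts() {
    printf '%s\n' "$SAMPLE_CERT_TEXT" | uri_hosts
}

# Resolve each hostname on stdin and print "OK host" or "MISSING host".
# getent honours /etc/hosts and resolver order the same way a client does.
# Returns non-zero if any name failed to resolve.
check_hosts() {
    status=0
    while read -r host; do
        [ -n "$host" ] || continue
        if getent hosts "$host" >/dev/null 2>&1; then
            echo "OK      $host"
        else
            echo "MISSING $host"
            status=1
        fi
    done
    return $status
}

# Stand-alone usage: `sh audit_revocation_dns.sh /etc/openvpn/server.crt`
# (placeholder path). Without an argument the functions are only defined,
# so the file can also be sourced.
if [ -n "${1:-}" ]; then
    cert_uri_hosts "$1" | check_hosts
fi
```

Run it on a certificate freshly issued by the IPA 4 CA on a client that uses the IPA servers for DNS; a MISSING line for ipa-ca.test.com means the forwarded test.com zone (wherever it is now served) has no record for that name, and every CRL download or OCSP query for that certificate will fail until one is added.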
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project