Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-12 Thread Martin Kosek
On 03/10/2015 03:06 PM, Alexander Bokovoy wrote:
 On Tue, 10 Mar 2015, Benjamin Reed wrote:
 On 3/10/15 9:31 AM, Alexander Bokovoy wrote:
 Are you following these instructions?
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html



 Aha!  No.  There are so many false positives in google I had no idea
 that document existed.  Pretty much everything I've found that links to
 how to migrate takes me to this:

 http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS


 ...which in turn pointed to this:

 http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html


 I didn't see anything about RHEL6-RHEL7 or FreeIPA 3.0-3.3
 http://www.freeipa.org/page/Documentation unless I missed it.  The 3.3
 section on there is pretty much just a collection of things about new
 features.  (And a presentation deck that points to that first link above...)

 We have http://www.freeipa.org/page/Documentation#User_Guides and going
 through user guide would be our recommended action. There is a whole
 chapter 6 in RHEL7 docs for upgrades and migration.

Hmm, I looked in FreeIPA.org and saw that about a dozen pages still pointed
to the old, abandoned (http://www.freeipa.org/page/Upstream_User_Guide) Fedora
guides. I went through the pages and changed them all to point to the most up
to date user guide - RHEL-7 guide.

I also added a link to the RHEL-7 migration guide to the FreeIPA.org migration
page, for additional information:

http://www.freeipa.org/page/Howto/Migration#Migrating_Identity_Management_in_RHEL.2FCentOS

If you know about more sources like that, please tell me or update the page.

Thanks,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-12 Thread Steven Jones
Hi,

Currently it seems that IPA on RHEL6.6 is broken in terms of adding a RHEL7.1
replica to it, i.e. following the document linked to below.

Should be a BZ case on it shortly via RH support (RH case number 01290601) for
an updated 389 rpm for 6.6.

I assume it will be the same for CentOS 7.x as your base is RHEL6.6.

Unless there is an already fixed 389/6.6 package somewhere I can try? It's a
test bed for the actual upgrade so if it blows no biggie, anything to get this
advanced!

regards

Steven 

8---

 Are you following these instructions?
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

8---



Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-10 Thread Alexander Bokovoy

On Tue, 10 Mar 2015, Benjamin Reed wrote:

I'm attempting to migrate FreeIPA from an RHEL6 server to a CentOS7 server.

When I run ipa-replica-install to set up the CentOS7 server, I get the
following error:


ipa : CRITICAL The master CA directory server does not have
necessary schema. Please copy the following script to all CA masters
and run it on them: /usr/share/ipa/copy-schema-to-ca.py
If you are certain that this is a false positive, use --skip-schema-check.
IPA schema missing on master CA directory server


Is it safe to run this script on the RHEL6 server?  Is it a false
positive I should ignore?  What is the best way to transition?

Are you following these instructions?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html

--
/ Alexander Bokovoy



Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-10 Thread Benjamin Reed
On 3/10/15 9:31 AM, Alexander Bokovoy wrote:
 Are you following these instructions?
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html


Aha!  No.  There are so many false positives in google I had no idea
that document existed.  Pretty much everything I've found that links to
how to migrate takes me to this:

http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS

...which in turn pointed to this:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html

I didn't see anything about RHEL6-RHEL7 or FreeIPA 3.0-3.3
http://www.freeipa.org/page/Documentation unless I missed it.  The 3.3
section on there is pretty much just a collection of things about new
features.  (And a presentation deck that points to that first link above...)

Anyways, thank you for the link.  That makes it much clearer.

I do have one problem now. I currently have the following systems:

connect: RHEL6, FreeIPA master
auth.internal: CentOS6, FreeIPA replica
auth: CentOS7, migration target

Following the instructions you linked, I ran the copy-schema-to-ca.py
script on connect, and it completed successfully.  I then tried to run
it on auth.internal (the CentOS6 replica) and it fails with this error:

 python copy-schema-to-ca.py
 Traceback (most recent call last):
   File "copy-schema-to-ca.py", line 85, in <module>
     main()
   File "copy-schema-to-ca.py", line 79, in main
     add_ca_schema()
   File "copy-schema-to-ca.py", line 42, in add_ca_schema
     pki_pent = pwd.getpwnam(PKI_USER)
 KeyError: 'getpwnam(): name not found: pkiuser'

...am I supposed to run this script on the replica as well?  Or is
something broken on my replica?

Thanks,
Ben

-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/





Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-10 Thread Alexander Bokovoy

On Tue, 10 Mar 2015, Benjamin Reed wrote:

On 3/10/15 9:31 AM, Alexander Bokovoy wrote:

Are you following these instructions?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html



Aha!  No.  There are so many false positives in google I had no idea
that document existed.  Pretty much everything I've found that links to
how to migrate takes me to this:

http://www.freeipa.org/page/Howto/Migration#Migrating_to_different_platform_or_OS

...which in turn pointed to this:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Setting_up_IPA_Replicas.html

I didn't see anything about RHEL6-RHEL7 or FreeIPA 3.0-3.3
http://www.freeipa.org/page/Documentation unless I missed it.  The 3.3
section on there is pretty much just a collection of things about new
features.  (And a presentation deck that points to that first link above...)

We have http://www.freeipa.org/page/Documentation#User_Guides and going
through user guide would be our recommended action. There is a whole
chapter 6 in RHEL7 docs for upgrades and migration.


Anyways, thank you for the link.  That makes it much clearer.

I do have one problem now. I currently have the following systems:

connect: RHEL6, FreeIPA master
auth.internal: CentOS6, FreeIPA replica
auth: CentOS7, migration target

Following the instructions you linked, I ran the copy-schema-to-ca.py
script on connect, and it completed successfully.  I then tried to run
it on auth.internal (the CentOS6 replica) and it fails with this error:


python copy-schema-to-ca.py
Traceback (most recent call last):
  File "copy-schema-to-ca.py", line 85, in <module>
    main()
  File "copy-schema-to-ca.py", line 79, in main
    add_ca_schema()
  File "copy-schema-to-ca.py", line 42, in add_ca_schema
    pki_pent = pwd.getpwnam(PKI_USER)
KeyError: 'getpwnam(): name not found: pkiuser'


...am I supposed to run this script on the replica as well?  Or is
something broken on my replica?

Looks like you don't have CA installed on auth.internal so you don't
need to update CA schema there.

--
/ Alexander Bokovoy
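
A pre-check for the situation discussed in this message, as an added example that is not part of the original thread or of FreeIPA's code: it treats the presence of the pkiuser account (the lookup that failed in the traceback) as the sign that a host carries a CA and so is a candidate for copy-schema-to-ca.py. The helper names and the passwd lines in the sample inventory are constructed for illustration; the host names come from the thread.

```python
import pwd

PKI_USER = "pkiuser"  # account name taken from the traceback in this thread


def passwd_has_user(passwd_text, name=PKI_USER):
    """Return True if passwd(5)-formatted text has an entry for `name`."""
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # A valid passwd entry has 7 colon-separated fields; skip damaged lines.
        if len(fields) == 7 and fields[0] == name:
            return True
    return False


def local_host_has_ca_account(lookup=pwd.getpwnam):
    """Perform the lookup that raised KeyError in the thread, without the traceback."""
    try:
        lookup(PKI_USER)
        return True
    except KeyError:
        return False


def hosts_needing_ca_schema(inventory):
    """Given {hostname: passwd text}, list hosts where the script applies."""
    return sorted(h for h, text in inventory.items() if passwd_has_user(text))


# Constructed sample data: host names are from the thread, passwd lines are invented.
SAMPLE_INVENTORY = {
    "connect": "root:x:0:0:root:/root:/bin/bash\n"
               "pkiuser:x:17:17:CA System User:/var/lib:/sbin/nologin\n",
    "auth.internal": "root:x:0:0:root:/root:/bin/bash\n"
                     "dirsrv:x:389:389:389-ds:/var/lib/dirsrv:/sbin/nologin\n",
}

if __name__ == "__main__":
    print("run copy-schema-to-ca.py on:", hosts_needing_ca_schema(SAMPLE_INVENTORY))
    print("this host has pkiuser:", local_host_has_ca_account())
```
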



Re: [Freeipa-users] Migration from RHEL6 (3.0.0-42) to CentOS7 (3.3.3-28.0.1)

2015-03-10 Thread Benjamin Reed
On 3/10/15 10:06 AM, Alexander Bokovoy wrote:
 We have http://www.freeipa.org/page/Documentation#User_Guides and going
 through user guide would be our recommended action. There is a whole
 chapter 6 in RHEL7 docs for upgrades and migration.

Ah, I see it now.  I had no idea from the name that Linux Domain
Identity, Authentication and Policy Guide for RHEL 7 referred to the
general user/admin guide.  As a newb to FreeIPA and domain management in
general, it looked like word soup.  Sorry for the noise.  :P

 Looks like you don't have CA installed on auth.internal so you don't
 need to update CA schema there. 

Great.

So I started the install on the CentOS7 machine, and it almost
completed, but failed out with this error:

 Configuring certificate server (pki-tomcatd): Estimated time 3 minutes
 30 seconds
   [1/19]: creating certificate server user
   [2/19]: configuring certificate server instance
 ipa : CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmp2_03I3' returned non-zero exit
 status 1

In the ipareplica-install.log file, I find this:

 Storing deployment configuration into
 /etc/sysconfig/pki/tomcat/pki-tomcat/ca/deployment.cfg.
 Installation failed.


 2015-03-10T14:12:04Z DEBUG stderr=pkispawn: WARNING  ...
 unable to validate security domain user/password through REST
 interface. Interface not available
 pkispawn: ERROR... Exception from Java Configuration
 Servlet: Error while updating security domain: java.io.IOException:
 java.io.IOException: SocketException cannot read on socket

 2015-03-10T14:12:04Z CRITICAL failed to configure ca instance Command
 '/usr/sbin/pkispawn -s CA -f /tmp/tmp2_03I3' returned non-zero exit
 status 1
 2015-03-10T14:12:04Z DEBUG   File
 "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py",
 line 638, in run_script

I ran `ipa-server-install --uninstall` to undo everything, as it
suggested.  Then I generated a new replica file on the RHEL6 machine
with `ipa-replica-prepare` and tried the install again.  This time, it
successfully finishes, but the last thing it says is:

 Done configuring directory server (dirsrv).
 A CA is already configured on this system.

...which makes me think it just didn't undo everything when I did
`ipa-server-install --uninstall` and the CA isn't actually set up
properly.  Is there a good way to confirm everything is actually working
as expected?

Thanks,
Ben


-- 
Benjamin Reed
The OpenNMS Group
http://www.opennms.org/


