Re: [Freeipa-users] some problems after migrating from 3.0 to 3.3

2014-12-12 Thread Gianluca Cecchi
On Fri, Dec 12, 2014 at 3:13 PM, Martin Basti  wrote:
>
> On 12/12/14 14:57, Gianluca Cecchi wrote:
>
> Hello, read inline comments.
>
>> Hello,
>> I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system with
>> IPA 3.3.
>> The workflow was the one to create a replica and then decommission the
>> old one (that now is with services stopped) with the commands:
>>
>> on old server:
>>  ipa-server-install --uninstall
>>
>> on new server:
>>  ipa-replica-manage del infra.localdomain.local --force
>>
>>
>> [snip]

>
> It is not clear to me: did you use IPA DNS before the upgrade, or did you just
> install IPA DNS after the upgrade?


I followed chapter 6 of
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

In IPA 3.0 I preconfigured DNS and then installed IPA with
# ipa-server-install
and at the end

"

Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
UDP Ports:
  * 88, 464: kerberos
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
"

When I updated to 3.3, as part of the suggested documentation I created the
replica file on old server and then used this command on new server:
# ipa-replica-install --setup-ca --ip-address=192.168.1.81 -p my_password
-w my_password -N --setup-dns --forwarder=192.168.1.254 -U
/var/lib/ipa/replica-info-c7server.localdomain.local.gpg

And this way it should automatically embed the dns part into IPA, correct?


>
>> It works but the old IPA server hostname (with hostname=infra) is no
>> more resolvable
>>
>
[snip]


> IMO the behavior is expected: deleting the old replica 'infra' should remove
> the DNS record of the replica as well
>

OK. I was able to access the web GUI (this time..) and in fact the infra
entry was not present in either the forward or the reverse zone, so I added it
and now it is ok:

[root@c7server etc]# nslookup infra
Server: 192.168.1.81
Address:192.168.1.81#53

Name:   infra.localdomain.local
Address: 192.168.1.62



> try the following command to detect if there is an infra replica record in
> LDAP
>
> $ ipa dnsrecord-find localdomain.local
>
>
It now returns 22 entries, including the added one for the infra hostname:

[root@c7server etc]# kinit admin
Password for admin@LOCALDOMAIN.LOCAL:
[root@c7server etc]# ipa dnsrecord-find localdomain.local
  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos
  TXT record: LOCALDOMAIN.LOCAL

...

  Record name: infra
  A record: 192.168.1.62

...

Thanks,
I will check if web UI gives again the problem I had yesterday with the
expired session message...

Gianluca
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] some problems after migrating from 3.0 to 3.3

2014-12-12 Thread Martin Basti

On 12/12/14 14:57, Gianluca Cecchi wrote:

Hello, read inline comments.


Hello,
I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system 
with IPA 3.3.
The workflow was the one to create a replica and then decommission the 
old one (that now is with services stopped) with the commands:


on old server:
 ipa-server-install --uninstall

on new server:
 ipa-replica-manage del infra.localdomain.local --force





- in CentOS 6.6 I had IPA with bind (9.8.2-0.23.rc1.el6_5.1), 
configured with plain files:

# ll /var/named/data/*zone
-rw-r--r-- 1 root root 1244 Dec  6 14:35 /var/named/data/forward.zone
-rw-r--r-- 1 root root  912 Dec  6 14:35 /var/named/data/reverse.zone

After migration the bind configuration has been put under IPA with 
these lines in named.conf:


dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-LOCALDOMAIN-LOCAL.socket";
    arg "base cn=dns, dc=localdomain,dc=local";
    arg "fake_mname c7server.localdomain.local.";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
    arg "sasl_user DNS/c7server.localdomain.local";
    arg "serial_autoincrement yes";
};

It is not clear to me: did you use IPA DNS before the upgrade, or did you just
install IPA DNS after the upgrade?


It works but the old IPA server hostname (with hostname=infra) is no
more resolvable

I find that
nslookup hostname
works for every host that was previously defined inside the zone except
the previous IPA server...

(new ipa and dns server is c7server and has ip 192.168.1.81)

[root@c7server etc]# nslookup infra
Server: 192.168.1.81
Address:192.168.1.81#53

** server can't find infra: NXDOMAIN

[root@c7server etc]# nslookup vc1
Server: 192.168.1.81
Address:192.168.1.81#53

Name:   vc1.localdomain.local
Address: 192.168.1.92




IMO the behavior is expected: deleting the old replica 'infra' should
remove the DNS record of the replica as well


try the following command to detect if there is an infra replica record in LDAP

$ ipa dnsrecord-find localdomain.local



--
Martin Basti
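A small audit of the zone state both messages above are discussing (the `ipa dnsrecord-find` listing Martin suggests, and the forward and reverse entries Gianluca had to re-add for infra after the replica was deleted). This is an added Python example, not code from either poster or from FreeIPA itself: it parses the `ipa dnsrecord-find` output format shown in the thread, reports hosts that have no A record, and reports A records in 192.168.1.0/24 that have no matching PTR in the reverse zone. The two sample outputs are constructed from the thread's zone name, hostnames and addresses; the reverse zone name `1.168.192.in-addr.arpa` and the assumption that it is a /24 zone (so the PTR record name is the last octet) are mine.

```python
"""Parse `ipa dnsrecord-find` output and audit forward/reverse zone consistency.

Added example, not code from the thread or from FreeIPA. The sample outputs are
constructed to mirror the format shown in the thread; the reverse-zone check
assumes a /24 in-addr.arpa zone.
"""
import ipaddress
import re
from collections import defaultdict

# "  Record name: infra"
RECORD_NAME = re.compile(r"^\s*Record name:\s*(\S+)\s*$")
# "  A record: 192.168.1.62"  (several values come comma-separated on one line)
RECORD_LINE = re.compile(r"^\s*([A-Z]+) record:\s*(.+?)\s*$")

# Constructed sample: `ipa dnsrecord-find localdomain.local` after infra was re-added.
FORWARD_ZONE_OUTPUT = """\
  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos
  TXT record: LOCALDOMAIN.LOCAL

  Record name: c7server
  A record: 192.168.1.81

  Record name: vc1
  A record: 192.168.1.92

  Record name: infra
  A record: 192.168.1.62
----------------------------
Number of entries returned 5
----------------------------
"""

# Constructed sample: `ipa dnsrecord-find 1.168.192.in-addr.arpa` (assumed zone
# name) before the PTR for infra was re-added.
REVERSE_ZONE_OUTPUT = """\
  Record name: @
  NS record: c7server.localdomain.local.

  Record name: 81
  PTR record: c7server.localdomain.local.

  Record name: 92
  PTR record: vc1.localdomain.local.
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_dnsrecord_find(output):
    """Return {record_name: {rrtype: [values]}} from `ipa dnsrecord-find` text.

    Lines that are neither a record name nor a "<TYPE> record:" line (the dashed
    separators and the "Number of entries returned" trailer) are ignored.
    """
    records = {}
    current = None
    for line in output.splitlines():
        m = RECORD_NAME.match(line)
        if m:
            current = m.group(1)
            records.setdefault(current, defaultdict(list))
            continue
        m = RECORD_LINE.match(line)
        if m and current is not None:
            rrtype, values = m.groups()
            records[current][rrtype].extend(v.strip() for v in values.split(","))
    return records


def hosts_without_a_record(forward, expected_hosts):
    """Short hostnames from `expected_hosts` that have no A record in `forward`."""
    return sorted(h for h in expected_hosts if "A" not in forward.get(h, {}))


def a_records_without_ptr(forward, reverse, zone, reverse_network):
    """(name, address) pairs whose A record has no matching PTR in `reverse`.

    Assumes a /24 reverse zone, so the PTR record name is the last octet.
    Addresses outside `reverse_network` are skipped rather than reported.
    """
    net = ipaddress.ip_network(reverse_network)
    missing = []
    for name, rrs in forward.items():
        fqdn = f"{name}.{zone}."
        for addr in rrs.get("A", []):
            ip = ipaddress.ip_address(addr)
            if ip not in net:
                continue
            last_octet = str(ip).rsplit(".", 1)[1]
            if fqdn not in reverse.get(last_octet, {}).get("PTR", []):
                missing.append((name, addr))
    return sorted(missing)


if __name__ == "__main__":
    fwd = parse_dnsrecord_find(FORWARD_ZONE_OUTPUT)
    rev = parse_dnsrecord_find(REVERSE_ZONE_OUTPUT)
    print("no A record:", hosts_without_a_record(fwd, ["c7server", "vc1", "infra"]))
    print("A without PTR:", a_records_without_ptr(fwd, rev, "localdomain.local", "192.168.1.0/24"))
```

To run it against a live server, replace the two constructed strings with the captured output of `ipa dnsrecord-find localdomain.local` and of the same command on the reverse zone (after `kinit admin`, as in the thread); an A record listed under "A without PTR" is exactly the forward-only state Gianluca describes before he added the reverse entry.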
