On Tue, Aug 6, 2019 at 3:55 PM Auerbach, Steven Steven.Auerbach@flbog.edu wrote:
Pure genius. FQDN on ipa commands..... Unless I read the documentation cover-to-cover before starting anything I would never have found this. Thanks.
Our (collective) pleasure to help. Thanks for thanking us :)
François
-Steven Auerbach
-----Original Message-----
From: François Cami fcami@redhat.com
Sent: Tuesday, August 6, 2019 9:28 AM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Rob Crittenden rcritten@redhat.com; Auerbach, Steven Steven.Auerbach@flbog.edu
Subject: Re: [Freeipa-users] Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master
On Tue, Aug 6, 2019 at 2:59 PM Auerbach, Steven via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
When I add the --no-lookup option on the v4.6.4 ipa server I get the same results I received on the v3.0.0 server: "Cannot find ipa<#> in public server list"
Are you using the FQDN of your IPA servers? The ipa-replica-manage command will not find IPA servers by their shortnames (and that's expected).
If I cannot even verify these servers in the group, how am I supposed to test the integrity of current inter-version replication? And how will I ever migrate the whole directory and all the inter-related services of IPA to two new servers of version 4.6.4? The functions do not appear to work as documented, and my trust that the command operations will behave as documented is really shaken.
Is my best option to build a new IPA server pair in version 4.6.4 and de-enroll all the clients and users from the older v3.0.0 IPA and then enroll them into the v4.6.4 IPA?
-----Original Message-----
From: Rob Crittenden rcritten@redhat.com
Sent: Monday, August 5, 2019 5:16 PM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Auerbach, Steven Steven.Auerbach@flbog.edu
Subject: Re: [Freeipa-users] Re: Replacing IPA v3.0.0-51 on OEL6 with IPA v4.6.4-10 on OEL7: Making the newest replica the master
Auerbach, Steven via FreeIPA-users wrote:
From the master-master original IPA v3.0.0 server - <ipa1> - I ran and received the following responses: NOTE: using aliases within arrow points for ambiguation.
[<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa1>'
[sudo] password for <user>:
Cannot find <ipa1> in public server list

[<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa2>'
Directory Manager password:
Cannot find <ipa2> in public server list

[<user>@<ipa1> ~]$ sudo ipa-replica-manage list -v '<ipa3>'
Directory Manager password:
Cannot find <ipa3> in public server list
It is looking for the list of masters in cn=masters,cn=ipa,cn=etc,dc=example,dc=com. I'd search that to see what is there.
A plain ipa-replica-manage list will list all masters and IIRC they do show.
From the replica-master server recently made with IPA v4.6.5 - <ipa3> - I ran and received the following responses: NOTE: using aliases within arrow points for ambiguation.
[<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa1>'
[sudo] password for <user>:
Unknown host <ipa1>: Host '<ipa1>' does not have corresponding DNS A/AAAA record

[<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa2>'
Directory Manager password:
Unknown host ipa-r02: Host 'ipa-r02' does not have corresponding DNS A/AAAA record

[<user>@<ipa3> ~]$ sudo ipa-replica-manage list -v '<ipa3>'
Directory Manager password:
Unknown host ipa03: Host 'ipa03' does not have corresponding DNS A/AAAA record
Try adding --no-lookup to the command to skip the lookup.
rob
Steven Auerbach Assistant Director of Information Systems Information Technology & Security State University System of Florida Board of Governors 325 W. Gaines Street, Suite 1625 Tallahassee, Florida 32399 (850) 245-9592 Steven.auerbach@flbog.edu
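An added example, not written by anyone in this thread: a shell check that compares a name against the entries under cn=masters and reports whether it is listed as given or only matches as a short name, the case ipa-replica-manage rejects in the exchange above. The example.com hostnames, the LDIF sample and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of what a one-level search of the masters container
# returns, e.g. (run on an IPA server, substituting your own suffix):
#   ldapsearch -Y GSSAPI -s one -b cn=masters,cn=ipa,cn=etc,dc=example,dc=com cn
# The example.com names are placeholders, not the servers from the thread.
SAMPLE_LDIF='dn: cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
cn: ipa1.example.com

dn: cn=ipa2.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
cn: ipa2.example.com

dn: cn=ipa3.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
cn: ipa3.example.com'

# Read LDIF on stdin, print one lowercased master name per line.
masters_from_ldif() {
    sed -n 's/^cn: *//p' | tr 'A-Z' 'a-z'
}

# classify_name NAME LDIF prints one of:
#   listed        NAME is exactly a master entry, usable as typed
#   short:<fqdn>  NAME is only the first label of a listed master
#   absent        no master entry matches at all
classify_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    masters=$(printf '%s\n' "$2" | masters_from_ldif)
    # Exact (case-insensitive) match against the stored FQDNs first.
    for m in $masters; do
        if [ "$m" = "$name" ]; then echo listed; return 0; fi
    done
    # Otherwise see whether NAME is the short form of a stored FQDN.
    for m in $masters; do
        if [ "${m%%.*}" = "$name" ]; then echo "short:$m"; return 0; fi
    done
    echo absent
}

# Demo over the constructed sample.
for n in ipa1 ipa3.example.com ipa9; do
    printf '%-20s %s\n' "$n" "$(classify_name "$n" "$SAMPLE_LDIF")"
done
```

A "short:" result gives the FQDN to pass to ipa-replica-manage instead of the short name.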