On Fri, Dec 12, 2014 at 3:13 PM, Martin Basti <[email protected]> wrote:
>
> On 12/12/14 14:57, Gianluca Cecchi wrote:
>
> Hello, read inline comments.
>
> Hello,
>> I migrated a CentOS 6.6 system with IPA 3.0 to a CentOS 7.0 system with
>> IPA 3.3.
>> The workflow was the one to create a replica and then decommission the
>> old one (that now is with services stopped) with the commands:
>>
>> on old server:
>> ipa-server-install --uninstall
>>
>> on new server:
>> ipa-replica-manage del infra.localdomain.local --force
>>
>>
>> [snip]
>
> It is not clear for me, did you use IPA DNS before upgrade, or you just
> install IPA DNS after upgrade?

I followed chapter 6 of
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

In IPA 3.0 I preconfigured DNS and then installed IPA with

# ipa-server-install

and at the end

"
....
Setup complete

Next steps:
        1. You must make sure these network ports are open:
                TCP Ports:
                  * 80, 443: HTTP/HTTPS
                  * 389, 636: LDAP/LDAPS
                  * 88, 464: kerberos
                UDP Ports:
                  * 88, 464: kerberos
                  * 123: ntp

        2. You can now obtain a kerberos ticket using the command: 'kinit admin'
           This ticket will allow you to use the IPA tools (e.g., ipa user-add)
           and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password
"

When I updated to 3.3, as part of the suggested documentation I created the
replica file on the old server and then used this command on the new server:

# ipa-replica-install --setup-ca --ip-address=192.168.1.81 -p my_password -w my_password -N --setup-dns --forwarder=192.168.1.254 -U /var/lib/ipa/replica-info-c7server.localdomain.local.gpg

And this way it should automatically embed the DNS part into IPA, correct?

>> It works but the old IPA server hostname (with hostname=infra) is no
>> more resolvable
>>
> [snip]
> IMO the behavior is expected, deleting old replica 'infra', should remove
> the DNS record of replica as well
>

OK. I was able to access the web GUI (this time..)
and in fact the infra entry was not present in either the forward or the
reverse zone, so I added it and now it is ok:

[root@c7server etc]# nslookup infra
Server:         192.168.1.81
Address:        192.168.1.81#53

Name:   infra.localdomain.local
Address: 192.168.1.62

> try following command to detect if there is the infra replica record in
> LDAP
>
> $ ipa dnsrecord-find localdomain.local
>

It now returns 22 entries, including the added one for the infra hostname:

[root@c7server etc]# kinit admin
Password for [email protected]:
[root@c7server etc]# ipa dnsrecord-find localdomain.local
  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos
  TXT record: LOCALDOMAIN.LOCAL
...
  Record name: infra
  A record: 192.168.1.62
...

Thanks,
I will check if the web UI gives again the problem I had yesterday with the
expired session message...

Gianluca
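A small check for the `ipa dnsrecord-find` step above, added here as an example and not part of Gianluca's or Martin's mails: it parses the command's record listing and verifies that a host such as the removed replica still carries the A record you expect, so a missing entry is caught before clients fail to resolve it. The sample output is constructed from the records quoted in this thread; the c7server entry is an assumption.

```shell
# Constructed sample of `ipa dnsrecord-find localdomain.local` output, built from
# the records quoted in the thread plus one assumed entry for c7server.
SAMPLE_OUTPUT='  Record name: @
  NS record: c7server.localdomain.local.

  Record name: _kerberos
  TXT record: LOCALDOMAIN.LOCAL

  Record name: infra
  A record: 192.168.1.62

  Record name: c7server
  A record: 192.168.1.81
'

# find_record NAME TYPE
# Reads `ipa dnsrecord-find` output on stdin and prints the value of every
# TYPE record (A, NS, TXT, ...) that belongs to "Record name: NAME".
find_record() {
    awk -v want="$1" -v rtype="$2" '
        /^[[:space:]]*Record name:/ { name = $3; next }
        name == want && $1 == rtype && $2 == "record:" {
            $1 = ""; $2 = ""; sub(/^ +/, ""); print
        }
    '
}

# check_host_record NAME IP
# Succeeds (exit 0) only if NAME has an A record equal to IP in SAMPLE_OUTPUT.
# Against a live zone, feed the real command instead, e.g.:
#   ipa dnsrecord-find localdomain.local | find_record infra A
check_host_record() {
    found=$(printf '%s' "$SAMPLE_OUTPUT" | find_record "$1" A)
    [ "$found" = "$2" ]
}

# Example run: verify the old replica's host entry that had to be re-added.
if check_host_record infra 192.168.1.62; then
    echo "infra A record present"
else
    echo "infra A record MISSING or wrong"
fi
```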
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
