Thanks Flo,

Are there any options available to me to continue using my existing FreeIPA deployment with EL8 clients and indeed to upgrade the FreeIPA infra to 4.7+ which I believe is only available to EL8 - manipulate the current single level domain/realm perhaps?

Or am I faced with replacing the whole deployment with a fresh FreeIPA install using a permitted domain/realm? I suppose the latter involves a large amount of work in exporting/importing users/groups/hbac/automember/sudo/<other> configurations and then having to re-register all of our existing clients (we have many) to the new infra.

Thanks
Angus

________________________________
From: Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: 03 May 2022 13:37
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Angus Clarke <an...@charworth.com>; Florence Blanc-Renaud <f...@redhat.com>
Subject: [Freeipa-users] Re: EL8 ipa upgrade / Single Level Domain

Hi,

On Tue, May 3, 2022 at 11:59 AM Angus Clarke via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hello

We installed our IPA servers back in EL7.2 days and deployed with a single level domain and matching (uppercased) realm. Through various upgrades we are now at EL7.9 and are aware that the ipa-client-install command has become finicky about single level domains; however, thus far we have been able to continue joining EL7 clients.

I've set up my test environment similarly and have been unsuccessful in trying to upgrade (join new and replace old) these EL7 FreeIPA servers to EL8: the ipa-client-install on EL8 skips the single level domain, so I'm a bit stuck. Is there a way around this in EL8?

As you saw, the installation of a single-label domain is forbidden since ipa-4.6.5-1.el7, but the upgrade from older versions is still allowed.

Regarding the client, the installation in a single-label IPA domain is possible only with IPA 4.6.x clients (see https://bugzilla.redhat.com/show_bug.cgi?id=1745108). It was a deliberate choice to allow RHEL7 clients but stop supporting this type of deployment with RHEL8+. So no workaround with RHEL8...

Hope this clarifies,
flo

EL7 ipa server (ipatest1): ipa-server-4.6.8-5.0.1.el7_9.10.x86_64
EL8 (ipatest2): ipa-server-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64

[root@ipatest2 ~]# ipa-replica-install --setup-ca --ip-address 192.168.180.141 --password=Password1234 --principal=admin --setup-dns --forwarder=192.168.180.100
Configuring client side components
This program will set up IPA client.
Version 4.9.6

Unable to discover domain, not provided on command line
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Removing client side components
IPA client is not configured on this system.
The ipa-client-install command failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Configuration of client side components failed!
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

[root@ipatest2 ~]# less /var/log/ipaclient-install.log
<-- snip
2022-05-03T08:53:10Z DEBUG [IPA Discovery]
2022-05-03T08:53:10Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=ipatest2.int.test
2022-05-03T08:53:10Z DEBUG Start searching for LDAP SRV record in "int.test" (domain of the hostname) and its sub-domains
2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _ldap._tcp.int.test
2022-05-03T08:53:10Z DEBUG DNS record not found: NXDOMAIN
2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _ldap._tcp.test
2022-05-03T08:53:10Z DEBUG DNS record found: 0 100 389 ipatest1.int.test.
2022-05-03T08:53:10Z DEBUG [Kerberos realm search]
2022-05-03T08:53:10Z DEBUG Search DNS for TXT record of _kerberos.test
2022-05-03T08:53:10Z DEBUG DNS record found: "TEST"
2022-05-03T08:53:10Z DEBUG Skipping invalid realm 'TEST' (single label realms are not supported)
2022-05-03T08:53:10Z DEBUG Search DNS for SRV record of _kerberos._udp.test
2022-05-03T08:53:10Z DEBUG DNS record found: 0 100 88 ipatest1.int.test.
2022-05-03T08:53:10Z DEBUG [LDAP server check]
2022-05-03T08:53:10Z DEBUG Verifying that ipatest1.int.test (realm None) is an IPA server
2022-05-03T08:53:10Z DEBUG Init LDAP connection to: ldap://ipatest1.int.test:389
2022-05-03T08:53:10Z DEBUG Search LDAP server for IPA base DN
2022-05-03T08:53:10Z DEBUG Check if naming context 'dc=test' is for IPA
2022-05-03T08:53:10Z DEBUG Naming context 'dc=test' is a valid IPA context
2022-05-03T08:53:10Z DEBUG Search for (objectClass=krbRealmContainer) in dc=test (sub)
2022-05-03T08:53:10Z DEBUG Found: cn=TEST,cn=kerberos,dc=test
2022-05-03T08:53:10Z DEBUG Skipping invalid realm 'TEST' (single label realms are not supported)
2022-05-03T08:53:10Z DEBUG Discovery result: NOT_IPA_SERVER; server=None, domain=test, kdc=ipatest1.int.test, basedn=dc=test
2022-05-03T08:53:10Z DEBUG Validated servers:
2022-05-03T08:53:10Z DEBUG No IPA server found
<-- snip

Thanks
Angus

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
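The discovery walk in the ipaclient-install.log excerpt, as an added illustration that is not FreeIPA's own code: a simplified re-implementation over a constructed in-memory DNS/LDAP table. The "test" zone mirrors the records the log found; the "ipa.example.test" zone, its hosts and its realm are hypothetical, added only to contrast a permitted multi-label realm with the rejected single-label one.

```python
# Added example, not FreeIPA code: simplified client discovery over constructed data.
# The "test" zone reproduces the log above; "ipa.example.test" is a hypothetical
# permitted deployment used for contrast.
SRV_LDAP = {
    "test": "0 100 389 ipatest1.int.test.",
    "ipa.example.test": "0 100 389 ipa1.ipa.example.test.",
}
TXT_KERBEROS = {"test": "TEST", "ipa.example.test": "IPA.EXAMPLE.TEST"}
SRV_KDC = {
    "test": "0 100 88 ipatest1.int.test.",
    "ipa.example.test": "0 100 88 ipa1.ipa.example.test.",
}
# What the LDAP server check finds as cn=<REALM>,cn=kerberos,<basedn>.
REALM_CONTAINER = {"dc=test": "TEST", "dc=ipa,dc=example,dc=test": "IPA.EXAMPLE.TEST"}


def candidate_domains(hostname: str):
    """Domain of the hostname, then each parent (log: int.test, then test)."""
    labels = hostname.split(".")[1:]
    while labels:
        yield ".".join(labels)
        labels = labels[1:]


def is_supported_realm(realm: str) -> bool:
    """The 4.6.5+ client rule: single-label realms (no dot) are skipped."""
    return "." in realm.strip(".")


def domain_to_basedn(domain: str) -> str:
    return ",".join(f"dc={label}" for label in domain.split("."))


def discover(hostname: str) -> dict:
    """Return the fields of the log's 'Discovery result' line."""
    domain = next((d for d in candidate_domains(hostname) if d in SRV_LDAP), None)
    if domain is None:
        return {"result": "NO_LDAP_SERVER", "domain": None, "kdc": None,
                "basedn": None, "realm": None}
    # Kerberos realm search: a TXT realm counts only if it is multi-label.
    txt_realm = TXT_KERBEROS.get(domain)
    realm = txt_realm if txt_realm and is_supported_realm(txt_realm) else None
    kdc = SRV_KDC[domain].split()[3].rstrip(".") if domain in SRV_KDC else None
    # LDAP server check: the krbRealmContainer is validated with the same rule.
    basedn = domain_to_basedn(domain)
    ldap_realm = REALM_CONTAINER.get(basedn)
    if ldap_realm and is_supported_realm(ldap_realm):
        realm = realm or ldap_realm
    result = "OK" if realm else "NOT_IPA_SERVER"
    return {"result": result, "domain": domain, "kdc": kdc, "basedn": basedn, "realm": realm}
```

Running discover("ipatest2.int.test") reproduces the log's outcome (NOT_IPA_SERVER with domain=test, kdc=ipatest1.int.test, basedn=dc=test), while the hypothetical two-label zone is accepted.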