On Няд, 26 сту 2025, Dmitry Krasov via FreeIPA-users wrote:
I tryied migrate command again, and got same error: --------------------------------------------------- ipaserver.install.ipa_migrate: INFO: ================================================================================ ipaserver.install.ipa_migrate: INFO: IPA to IPA migration starting ... ipaserver.install.ipa_migrate: INFO: Migration options: ipaserver.install.ipa_migrate: INFO: --mode=prod-mode ipaserver.install.ipa_migrate: INFO: --hostname=ipa.dom.loc ipaserver.install.ipa_migrate: INFO: --verbose=True ipaserver.install.ipa_migrate: INFO: --bind-dn=cn=directory manager ipaserver.install.ipa_migrate: INFO: --bind-pw-file=None ipaserver.install.ipa_migrate: INFO: --cacertfile=None ipaserver.install.ipa_migrate: INFO: --subtree=[] ipaserver.install.ipa_migrate: INFO: --log-file=/var/log/ipa-migrate.log ipaserver.install.ipa_migrate: INFO: --skip-schema=False ipaserver.install.ipa_migrate: INFO: --skip-config=False ipaserver.install.ipa_migrate: INFO: --migrate-dns=False ipaserver.install.ipa_migrate: INFO: --dryrun=False ipaserver.install.ipa_migrate: INFO: --dryrun-record=None ipaserver.install.ipa_migrate: INFO: --force=False ipaserver.install.ipa_migrate: INFO: --quiet=False ipaserver.install.ipa_migrate: INFO: --schema-overwrite=False ipaserver.install.ipa_migrate: INFO: --reset-range=False ipaserver.install.ipa_migrate: INFO: --db-ldif=None ipaserver.install.ipa_migrate: INFO: --schema-ldif=None ipaserver.install.ipa_migrate: INFO: --config-ldif=None ipaserver.install.ipa_migrate: INFO: --no-prompt=False ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb476b560> ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldap://ipa.dom.loc conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb242c740> ipaserver.install.ipa_migrate: INFO: Found realm from remote server: DOM.LOC ipaserver.install.ipa_migrate: INFO: Migrating schema ... ipaserver.install.ipa_migrate: INFO: Getting schema from the remote server ... ipaserver.install.ipa_migrate: INFO: Retrieved 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrated 0 attributes and 0 objectClasses ipaserver.install.ipa_migrate: INFO: Skipped 1367 attributes and 298 objectClasses ipaserver.install.ipa_migrate: INFO: Migrating configuration ... ipaserver.install.ipa_migrate: INFO: Getting config from the remote server ... ipapython.ipaldap: DEBUG: flushing ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket from SchemaCache ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-DOMAIN-LOC.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fceb476b560> ipaserver.install.ipa_migrate: INFO: Config setting 'nsslapd-exclude-suffix' added: '{remote_vals}' under 'cn=Retro Changelog Plugin,cn=plugins,cn=config' ipaserver.install.ipa_migrate: INFO: Migrating database ... (this make take a while) ipaserver.install.ipa_migrate: INFO: Database search succeeded: type 101 msgid 8 ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Skipping remote host 'fqdn=ipa2.dom.loc,cn=computers,cn=accounts,dc=dom,dc=loc' from 'cn=ipaservers,cn=hostgroups,cn=accounts,dc=dom,dc=loc' ipaserver.install.ipa_migrate: INFO: Skipping remote certificate entry: 'cn=DOM.LOC IPA CA,cn=certificates,cn=ipa,cn=etc,dc=dom,dc=loc' Issuer: CN=Certificate Authority,O=DOM.LOC ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom....@dom.loc,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=ldap/ipa.dom....@dom.loc,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'fqdn=ipa.domain.loc,cn=computers,cn=accounts,dc=domain,dc=loc' attribute 'krbLastSuccessfulAuth' replaced with val '20250126154214Z' old value: ['20250126153127Z'] ipapython.ipaldap: DEBUG: update_entry modlist [(2, 'krbLastSuccessfulAuth', [b'20250126154214Z'])] ipaserver.install.ipa_migrate: INFO: Removed IPA issued userCertificate from: krbprincipalname=HTTP/ipa.dom....@dom.loc,cn=services,cn=accounts,dc=dom,dc=loc ipaserver.install.ipa_migrate: INFO: Entry is different and will be updated: 'krbprincipalname=HTTP/ipa.domain....@domain.loc,cn=services,cn=accounts,dc=domain,dc=loc' attribute 'objectClass' add val 'krbTicketPolicyAux' not in ['krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser', 'ipakrbprincipal', 'top'] ipapython.ipaldap: DEBUG: update_entry modlist [(0, 'objectClass', [b'krbTicketPolicyAux']), (2, 'krbLastSuccessfulAuth', [b'20241116200700Z'])] ipaserver.install.ipa_migrate: ERROR: Failed to update "krbprincipalname=HTTP/ipa.domain....@domain.loc,cn=services,cn=accounts,dc=domain,dc=loc" error: Type or value exists
Thanks, this means more work is needed on this. Since you have created a ticket, team will look into it. Please note that the upcoming couple weeks are challenging as we'll have FOSDEM next weekend and will be travelling/runing FOSDEM IAM devroom. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
