Hi Rob, Thanks for your reply.
In our case we need to put in place a procedure/steps that can helps us to
come out from a situation where our complete IPA server setup (original
server and its replica both) is lost/deleted and need to get the same setup
back from the scheduled full-server-backups (through cron jobs) available
at some object storage location.
Please advice.
Thanks,
Saurabh Garg
On Fri, Oct 25, 2019 at 6:12 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Saurabh Garg via FreeIPA-users wrote:
> Background -
> We are trying to restore "full server" from an existing IPA server (with
replication ON to another server) to a newly created IPA Server from the
same golden image as all other servers.
There is no restore with replication on. It would cause endless problems.
Restore is expected to be for a single master in a catastrophic
situation. The others will require re-init from this master.
> Source IPA Server: Red Hat Enterprise Linux Server release 7.7 (Maipo)
> # ipa-server-install --version
> 4.6.4
>
> Destination IPA Server: Red Hat Enterprise Linux Server release 7.7
(Maipo)
> # ipa-server-install --version
> 4.6.4
>
> Problem Statement -
> While running "ipa-restore" (exact command: # ipa-restore
/root/backup/) on the new IPA server for full server backup, system throws
the following error lines in iparestore.log:
>
>
> 2019-10-25T08:19:26Z DEBUG stderr=IPA version error: data needs to be
upgraded (expected version '4.6.4-10.el7_6.6', current version
'4.6.4-10.el7_6.3')
> Automatically running upgrade, for details see /var/log/ipaupgrade.log
> Be patient, this may take a few minutes.
> Automatic upgrade failed: Update complete
> Upgrading the configuration of the IPA services
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> Publish directory already set to new location
> [Verifying that CA proxy configuration is correct]
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
> CA did not start in 300.0s
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
It is very persnickety. The versions do not match.
There are sometimes subtle differences between versions of IPA, even in
minor releases, so it is not considered safe to restore between versions.
You could hack out the version check and roll the dice, or downgrade the
packages to match the backed-up value.
rob