I've just spent two days trying to upgrade our school's Fedora 27 FreeIPA servers to Fedora 28 and kept hitting multiple roadblocks. I finally found this post on the freeipa-users mailing list:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedora hosted.org/thread/BTMTZ4QULRAP6AZDDCXUWWVLMDIODXRP/
It basically says (and I've spent two days attesting to the fact) that FreeIPA isn't actually ready for production use on Fedora 28.
I would like to suggest that, for something as central to the Fedora Server story as FreeIPA is, we should have done at least one of the following:
1. Posted the above message to at least one of the Fedora users/devel/server mailing lists. 2. Put something like the above message in the Fedora 28 release notes. 3. Modularized FreeIPA, putting the current 4.6.90-pre series in a development module, and putting Fedora 27's 4.6.x series in a stable module.
It seems that we knew that FreeIPA wasn't ready well before Fedora 28 was released, so I think we really dropped the ball by not releasing this information sooner and not distributing it more widely.
Jonathan
P.S. For those who care, VM snapshots are wonderful. I restored our FreeIPA servers from snapshots, so any users who changed their password in the last 24 hours or so will have to change it again.