<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Oleg, <br>
thanks for access to your machine, the replication agreements are
still there - and that is expected since the server was not removed.<br>
<br>
In the access log I see:<br>
<br>
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 SRCH
base="cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"
scope=2 filter="(objectClass=*)" attrs=ALL<br>
[09/Jun/2015:08:32:42 -0400] conn=150 op=52 RESULT err=0 tag=101
nentries=8 etime=0 notes=U<br>
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 DEL
dn="cn=KDC,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"<br>
[09/Jun/2015:08:32:42 -0400] conn=150 op=53 RESULT err=0 tag=107
nentries=0 etime=0 csn=5576dceb000600040000<br>
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 DEL
dn="cn=KPASSWD,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"<br>
[09/Jun/2015:08:32:42 -0400] conn=150 op=54 RESULT err=0 tag=107
nentries=0 etime=0 csn=5576dceb000700040000<br>
[09/Jun/2015:08:32:42 -0400] conn=150 op=55 DEL
dn="cn=MEMCACHE,cn=f22replica1.bagam.net,cn=masters,cn=ipa,cn=etc,dc=bagam,dc=net"<br>
[09/Jun/2015:08:32:43 -0400] conn=150 op=55 RESULT err=0 tag=107
nentries=0 etime=1 csn=5576dcec000100040000<br>
[09/Jun/2015:08:32:43 -0400] conn=150 op=56 UNBIND<br>
<br>
    the search for cn=f22replica1.bagam.net,cn=masters,.... returns 8
    entries, which then should be deleted, but only 3 are deleted and the
    cn=f22replica1.bagam.net,cn=masters,... entry is not deleted, so the
    topology segments are not deleted, and the agreement is not removed.<br>
<br>
    I don't know why ipa-replica-manage del stops deleting services
    and the master entry.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 06/09/2015 04:25 PM, Oleg Fayans
wrote:<br>
</div>
<blockquote cite="mid:5576F755.7080809@redhat.com" type="cite">
<br>
<br>
<div class="moz-cite-prefix">On 06/09/2015 04:19 PM, Ludwig
Krispenz wrote:<br>
</div>
<blockquote cite="mid:5576F5E6.2030502@redhat.com" type="cite">
<br>
<div class="moz-cite-prefix">On 06/09/2015 04:14 PM, Oleg Fayans
wrote:<br>
</div>
<blockquote cite="mid:5576F4D8.80907@redhat.com" type="cite">
<br>
<br>
<div class="moz-cite-prefix">On 06/09/2015 04:04 PM, Ludwig
Krispenz wrote:<br>
</div>
<blockquote cite="mid:5576F26C.7010802@redhat.com" type="cite">
<br>
<div class="moz-cite-prefix">On 06/09/2015 03:55 PM, Oleg
Fayans wrote:<br>
</div>
<blockquote cite="mid:5576F055.2060603@redhat.com"
type="cite">Hi everybody, <br>
<br>
The current status of Topology plugin testing is as
follows: <br>
<br>
1. There is still no proper way of removing the replica. <br>
Standard procedure using `ipa-replica-manage del` throws
"Server is unwilling to perform: Entry is managed by
topology plugin.Deletion not allowed.". </blockquote>
yes, that is for the first attempt to directly remove the
agreement, but when the server is removed the agreements
should be removed<br>
</blockquote>
          We should probably think of a less threatening error message in
this case. Just from reading the command output one might
conclude that replica removal failed. <br>
<blockquote cite="mid:5576F26C.7010802@redhat.com" type="cite">
<blockquote cite="mid:5576F055.2060603@redhat.com"
type="cite">The replication agreement though does get
deleted, </blockquote>
then it is ok,<br>
<blockquote cite="mid:5576F055.2060603@redhat.com"
type="cite">but the topology information does not get
updated. </blockquote>
what do you mean, where do you check ? in the "remaining"
topology the shared tree should be updated, for the removed
replica it will not, but this should be uninstalled anyway<br>
</blockquote>
        The problem here is that the topology information does not
get updated on master as well.<br>
</blockquote>
could you be a bit more precise. what do you still see ? the
agreement will be only removed if the segment is removed, and
      this should be replicated to all servers in the remaining
topology - if you don't disconnect it by removing the replica.<br>
and what was the topology structure and which replica did you
remove, on which server did you remove it?<br>
</blockquote>
      So, here are the results of the `topologysegment-find` command
before replica removal:<br>
root@f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa
topologysegment-find<br>
Suffix name: realm<br>
------------------<br>
2 segments matched<br>
------------------<br>
Segment name: f22master.bagam.net-to-f22replica1.bagam.net<br>
Left node: f22master.bagam.net<br>
Right node: f22replica1.bagam.net<br>
Connectivity: both<br>
<br>
Segment name: f22master.bagam.net-to-f22replica2.bagam.net<br>
Left node: f22master.bagam.net<br>
Right node: f22replica2.bagam.net<br>
Connectivity: both<br>
----------------------------<br>
Number of entries returned 2<br>
----------------------------<br>
Then, after issuing `ipa-replica-manage-del f2replica1.bagam.net
--force` on the master, the same command on master still shows
exactly the same topology:<br>
<br>
root@f22master:/var/log/dirsrv/slapd-BAGAM-NET]$ ipa
topologysegment-find<br>
Suffix name: realm<br>
------------------<br>
2 segments matched<br>
------------------<br>
Segment name: f22master.bagam.net-to-f22replica1.bagam.net<br>
Left node: f22master.bagam.net<br>
Right node: f22replica1.bagam.net<br>
Connectivity: both<br>
<br>
Segment name: f22master.bagam.net-to-f22replica2.bagam.net<br>
Left node: f22master.bagam.net<br>
Right node: f22replica2.bagam.net<br>
Connectivity: both<br>
----------------------------<br>
Number of entries returned 2<br>
----------------------------<br>
<br>
<blockquote cite="mid:5576F5E6.2030502@redhat.com" type="cite">
<blockquote cite="mid:5576F4D8.80907@redhat.com" type="cite">
<blockquote cite="mid:5576F26C.7010802@redhat.com" type="cite">
<blockquote cite="mid:5576F055.2060603@redhat.com"
type="cite">When I then issue `ipa topologysegment-del`,
it fails due to "ipa: ERROR: Server is unwilling to
perform: Removal of Segment disconnects topology.Deletion
not allowed." <br>
</blockquote>
correct, you can only do it after removal of the server<br>
</blockquote>
I do not get it. Master still thinks it has the replica, it
displays it both in CLI using `ipa topologysegment-find` and
in the web-ui. (although it does not show it using `ipa
host-find`, which is correct), and there is no way to manually
          make it change its mind?<br>
<blockquote cite="mid:5576F26C.7010802@redhat.com" type="cite">
<blockquote cite="mid:5576F055.2060603@redhat.com"
type="cite"> <br>
I tried to disable the segment first and then delete it,
but with the segment properly disabled, the attempt to
delete it raised a GSS error: "ipa: ERROR: Kerberos error:
Kerberos error: ('Unspecified GSS failure. Minor code may
provide more information', 851968)/('KDC returned error
string: PROCESS_TGS', -1765328324)/". I am not sure, where
to search for corresponding logs. The session transcript
is attached. <br>
<br>
2. The following is probably unrelated to the topology
plugin: <br>
I installed a replica with --setup-ca option. Then, on
this replica tried to prepare another replica: <br>
-------------------------------------------------------------------------------------------------------------------------------------------------
<br>
root@f22replica2:/home/ofayans/f22]$ ipa-replica-prepare
--ip-address 192.168.122.141 f22replica3.bagam.net <br>
Directory Manager (existing master) password: <br>
<br>
Preparing replica for f22replica3.bagam.net from
f22replica2.bagam.net <br>
Creating SSL certificate for the Directory Server <br>
Certificate issuance failed <br>
-------------------------------------------------------------------------------------------------------------------------------------------------
<br>
The corresponding line in the dirsrv log: <br>
[09/Jun/2015:09:54:46 -0400] - Entry
"uid=admin,ou=people,o=ipaca" -- attribute "krbExtraData"
not allowed <br>
<br>
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.</pre>
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.</pre>
<br>
<br>
</blockquote>
<br>
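    <br>
    An added example, not part of the original message or of FreeIPA: a short Python check for the pattern read out of the access log at the top of this message, a subtree SRCH whose nentries count is larger than the number of successful DEL operations that follow on the same connection. The log lines and the example.test names are constructed, and field and find_incomplete_deletes are hypothetical helper names.<br>
    <pre>
```python
import re

# Constructed sample in the access-log format quoted in this thread (not real data).
BASE = 'cn=r1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test'
SAMPLE_LOG = '\n'.join('[01/Jan/2024:10:00:00 +0000] ' + rest for rest in [
    'conn=7 op=1 SRCH base="%s" scope=2 filter="(objectClass=*)" attrs=ALL' % BASE,
    'conn=7 op=1 RESULT err=0 tag=101 nentries=4 etime=0 notes=U',
    'conn=7 op=2 DEL dn="cn=KDC,%s"' % BASE,
    'conn=7 op=2 RESULT err=0 tag=107 nentries=0 etime=0',
    'conn=7 op=3 DEL dn="cn=KPASSWD,%s"' % BASE,
    'conn=7 op=3 RESULT err=53 tag=107 nentries=0 etime=0',  # refused delete
    'conn=8 op=1 SRCH base="cn=old,dc=example,dc=test" scope=2 filter="(objectClass=*)"',
    'conn=8 op=1 RESULT err=0 tag=101 nentries=1 etime=0',
    'conn=8 op=2 DEL dn="cn=old,dc=example,dc=test"',
    'conn=8 op=2 RESULT err=0 tag=107 nentries=0 etime=0',
])

OP = re.compile(r'conn=(\d+) op=(\d+) (\w+)(.*)')

def field(name, text):
    """Return the lower-cased value of name=value or name="value" ('' if absent)."""
    m = re.search(r'\b' + name + r'=(?:"([^"]*)"|(\S+))', text)
    return (m.group(1) or m.group(2) or '').lower() if m else ''

def find_incomplete_deletes(log_text):
    """Report subtree searches followed by deletes that did not remove every hit."""
    pending, searches = {}, []   # (conn, op) records awaiting RESULT; searches seen
    for m in OP.finditer(log_text):
        conn, op, verb, rest = m.groups()
        if verb == 'SRCH' and field('scope', rest) == '2':
            pending[conn, op] = {'conn': conn, 'base': field('base', rest), 'found': 0, 'dels': {}}
            searches.append(pending[conn, op])
        elif verb == 'DEL':
            pending[conn, op] = {'conn': conn, 'dn': field('dn', rest)}
        elif verb == 'RESULT' and (conn, op) in pending:
            rec = pending.pop((conn, op))
            if 'base' in rec:
                rec['found'] = int(field('nentries', rest) or 0)
                continue
            for s in searches:   # attach the delete result to searches covering its DN
                under = rec['dn'] == s['base'] or rec['dn'].endswith(',' + s['base'])
                if s['conn'] == rec['conn'] and under:
                    s['dels'][rec['dn']] = field('err', rest)
    findings = []
    for s in searches:
        ok = [dn for dn, err in s['dels'].items() if err == '0']  # successful deletes only
        if s['dels'] and len(ok) != s['found']:
            findings.append({'conn': s['conn'], 'base': s['base'], 'found': s['found'],
                             'deleted': len(ok), 'base_deleted': s['base'] in ok})
    return findings
```
    </pre>
    A finding with base_deleted set to False corresponds to the case described above, where the cn=masters entry itself survives the removal.<br>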
</body>
</html>