<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/16/2012 06:11 PM, David Copperfield wrote:
<blockquote
cite="mid:1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><span>Hi JR, Rob and Rich,</span></div>
<div><span><br>
</span></div>
<div><span>Thanks a lot for helping! A massage may be the choice
for me now. :)</span></div>
<div><span><br>
</span></div>
<div>Though I still have two questions here. :)</div>
<div><br>
</div>
<div> 1, do you have an idea on how to clear the ghost RUVs
thoroughly in one run? For my case today it took me quite some
time to clear it again and again from across server farm -- it
looks like the affected LDAP entries are overwritten from each
other, like a basket of bumping balls.</div>
</div>
</blockquote>
<br>
Correct. See <a class="moz-txt-link-freetext" href="http://port389.org/wiki/Howto:CLEANRUV">http://port389.org/wiki/Howto:CLEANRUV</a> under the
CLEANALLRUV and RELEASERUV procedures. Mark can explain the
procedure better than I can.<br>
<br>
Note that CLEANALLRUV and RELEASERUV are not available in the
current release, but will be available in an upcoming release.<br>
<br>
<blockquote
cite="mid:1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com"
type="cite">
<div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
255); font-family: times new roman,new york,times,serif;
font-size: 12pt;">
<div><br>
</div>
<div> 2, And, does it bring troubles if I also run:</div>
<div><br>
</div>
<div> ipa-csreplica-manage del <failedIPAReplica> --force
## on IPA master</div>
<div><br>
</div>
<div>and </div>
<div><br>
</div>
<div> clear the CA ghost RUV record from under
'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config'? </div>
<div><br>
</div>
<div>I thought this above could be more complete, But the link
<a class="moz-txt-link-freetext" href="http://directory.fedoraproject.org/wiki/Howto:CLEANRUV">http://directory.fedoraproject.org/wiki/Howto:CLEANRUV</a>
documented only user LDAP backend and normal user LDAP
replica, not including this CA replication and CA ldap backend
clearance. <br>
</div>
</div>
</blockquote>
<br>
It shouldn't make a difference - to 389 a replica is a replica - it
doesn't matter if it is a user data or a CA data replica.<br>
<br>
<blockquote
cite="mid:1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:times
new roman, new york, times, serif;font-size:12pt">
<div><br>
</div>
<div>So I got confused on the purposes the document link didn't
mention this (CA). It is because clear CA RUV is wrong? or the
author just took it for granted that all users are
non-newbies, any ideas? :)</div>
<div><br>
</div>
<div>Thanks a lot for your help today.</div>
<div><br>
</div>
<div><br>
</div>
<div>--David</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div> </div>
<div><br>
</div>
<div><span>--David</span></div>
<div><span><br>
</span></div>
<div><br>
</div>
<div><br>
</div>
<div style="font-size: 12pt; font-family: 'times new roman',
'new york', times, serif; ">
<div style="font-size: 12pt; font-family: 'times new roman',
'new york', times, serif; ">
<div dir="ltr"> <font face="Arial" size="2">
<hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
JR Aquino <a class="moz-txt-link-rfc2396E" href="mailto:JR.Aquino@citrix.com"><JR.Aquino@citrix.com></a><br>
<b><span style="font-weight: bold;">To:</span></b> David
Copperfield <a class="moz-txt-link-rfc2396E" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a> <br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>; Rob Crittenden
<a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Wednesday, May 16, 2012 4:41 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: Still not working -- Re: [Freeipa-users] What to do
next???: IPA replica host entry is removed on web UI by
mistake<br>
</font> </div>
<br>
Whew, glad to hear you got through it!<br>
<br>
The 389 ds crew is working on making the cleanruv into an
internal automated process. I empathize completely.<br>
<br>
The gssapi errors are generally benign. They come up because
ldap starts before the kdc.<br>
<br>
"Keeping your head in the cloud"<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Jr Aquino | Sr. Information Security Specialist<br>
GIAC Certified Incident Handler | GIAC WebApp Penetration
Tester<br>
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117<br>
<a moz-do-not-send="true"
ymailto="mailto:jr.aquino@citrix.com"
href="mailto:jr.aquino@citrix.com">jr.aquino@citrix.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:jr.aquino@citrix.com"
href="mailto:jr.aquino@citrix.com">jr.aquino@citrix.com</a>><br>
<a moz-do-not-send="true" href="http://www.citrixonline.com"
target="_blank">http://www.citrixonline.com</a><br>
<br>
On May 16, 2012, at 4:29 PM, "David Copperfield" <<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>>>
wrote:<br>
<br>
Could that be because of removing ghost entries in CA
database?<br>
<br>
Another possible place could be the deleting/clearing option
itself. One annoying thing that I've found is:<br>
<br>
I cleared the RUV records from IPA servers one by one, then
I restart IPA services on the servers one by one again,
ldapsearch showed that the RUV ghost entries popped up
again. :(<br>
<br>
I had to kill it again and again across the IPA server
farms, then restart IPA servers one by one, check again,
until the ghost RUV entries disappeared from all and didn't
come back -- It is very, VERY exhausting and annoying.<br>
<br>
After that I still need to stop IPA replica first, then
restart IPA master and until now it worked -- ipa commands
and kinit worked. At last I brought up the valid replica
and it worked this time as well.<br>
<br>
Now it was time to reinstall the failed IPA replica and it
was installed and up and running well.<br>
<br>
After I tested with 'ipa user-add', 'ipa-user-delete' and
found that the replication did work across the IPA master
and IPA replicas. I tested the last time and found the
following messages in the error log file on IPA master, it
maybe harmless but I am not sure:<br>
<br>
[16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16
B2012.023.214 starting up[16/May/2012:16:18:36 -0700]
schema-compat-plugin - warning: no entries set up under
ou=SUDOers, dc=jigsaw,dc=com<br>
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS
Templates found, which should be added before the CoS
Definition.<br>
[16/May/2012:16:18:36 -0700] - Skipping CoS Definition
cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS
Templates found, which should be added before the CoS
Definition.<br>
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get
initial credentials for principal [ldap/<a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a><<a class="moz-txt-link-freetext" href="mailto:ldap/">mailto:ldap/</a><a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a>>]
in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324
(Generic error (see e-text))[16/May/2012:16:18:36 -0700] -
slapd started. Listening on All Interfaces port 389 for
LDAP requests<br>
[16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get
initial credentials for principal [ldap/<a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a><<a class="moz-txt-link-freetext" href="mailto:ldap/">mailto:ldap/</a><a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a>>]
in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324
(Generic error (see e-text))[16/May/2012:16:18:36 -0700] -
Listening on All Interfaces port 636 for LDAPS requests<br>
[16/May/2012:16:18:36 -0700] - Listening on
/var/run/slapd-EXAMPLE-COM.socket for LDAPI requests<br>
[16/May/2012:16:18:36 -0700]
slapd_ldap_sasl_interactive_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_496' not found))<br>
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could
not perform interactive bind for id [] mech [GSSAPI]: error
-2 (Local error)<br>
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin -
agmt="cn=meToipareplica02.example.com" (ipareplica02:389):
Replication bind with GSSAPI auth failed: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_496' not
found))<br>
[16/May/2012:16:18:36 -0700]
slapd_ldap_sasl_interactive_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_496' not found))<br>
[16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could
not perform interactive bind for id [] mech [GSSAPI]: error
-2 (Local error)<br>
[16/May/2012:16:18:36 -0700] NSMMReplicationPlugin -
agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
Replication bind with GSSAPI auth failed: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_496' not
found))[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin -
agmt="cn=meToipareplica02.example.com" (ipareplica02:389):
Replication bind with GSSAPI auth resumed<br>
[16/May/2012:16:18:39 -0700] NSMMReplicationPlugin -
agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
Replication bind with GSSAPI auth resumed<br>
<br>
<br>
--David<br>
<br>
<br>
________________________________<br>
From: JR Aquino <<a moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>>><br>
To: David Copperfield <<a moz-do-not-send="true"
ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>>><br>
Cc: JR Aquino <<a moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>>>;
Rob Crittenden <<a moz-do-not-send="true"
ymailto="mailto:rcritten@redhat.com"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:rcritten@redhat.com"
href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>;
"<a moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>"
<<a moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>><br>
Sent: Wednesday, May 16, 2012 4:00 PM<br>
Subject: Re: Still not working -- Re: [Freeipa-users] What
to do next???: IPA replica host entry is removed on web UI
by mistake<br>
<br>
Try: ipactl stop then ipactl start<br>
<br>
Doesn't look like dirsrv is running on 389 and 636<br>
<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Jr Aquino | Sr. Information Security Specialist<br>
GIAC Certified Incident Handler | GIAC WebApp Penetration
Tester<br>
Citrix Online | 7408 Hollister Avenue | Goleta, CA
93117<x-apple-data-detectors://0/0><br>
T: +1 805.690.3478<tel:+1%C2%A0805.690.3478><br>
C: +1 805.717.0365<tel:+1%20805.717.0365><br>
<a moz-do-not-send="true"
ymailto="mailto:jr.aquino@citrixonline.com"
href="mailto:jr.aquino@citrixonline.com">jr.aquino@citrixonline.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:jr.aquino@citrixonline.com"
href="mailto:jr.aquino@citrixonline.com">jr.aquino@citrixonline.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:jr.aquino@citrixonline.com"
href="mailto:jr.aquino@citrixonline.com">jr.aquino@citrixonline.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:jr.aquino@citrixonline.com"
href="mailto:jr.aquino@citrixonline.com">jr.aquino@citrixonline.com</a>>><br>
<a moz-do-not-send="true" href="http://www.citrixonline.com"
target="_blank">http://www.citrixonline.com</a><<a
moz-do-not-send="true" href="http://www.citrixonline.com/"
target="_blank">http://www.citrixonline.com/</a>><br>
<br>
On May 16, 2012, at 2:54 PM, David Copperfield wrote:<br>
<br>
Sorry to declare success too quick, :( In fact, it is worse
now, the IPA master fail after performing the above steps
including the RUV cleaning. I've only one working replica
and I'm afraid to do anything on it.<br>
<br>
On The IPA master, after I ran 'service ipa restart' it
reported OK, but 'ipa user-find' failed. so I cleared my
Kerboers TGT ticket, ran 'kinit admin' to try my luck, the
IPA master failed with the following message, it showed
that 389 port listening disappeared for unknown reasons.<br>
<br>
[root@ipamaster slapd-EXAMPLE-COM]# kinit admin<br>
<br>
kinit: Generic error (see e-text) while getting initial
credentials<br>
[root@ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i
LISTEN | grep ns<br>
tcp 0 0 :::7389 :::*
LISTEN 6550/ns-slapd<br>
tcp 0 0 :::7390 :::*
LISTEN 6550/ns-slapd<br>
[root@ipamaster slapd-EXAMPLE-COM]#<br>
<br>
The error logs are pasted here too.<br>
<br>
[16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get
initial credentials for principal [ldap/<a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a>><<a class="moz-txt-link-freetext" href="mailto:ldap/">mailto:ldap/</a><a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ipamaster.example.com@EXAMPLE.COM"
href="mailto:ipamaster.example.com@EXAMPLE.COM">ipamaster.example.com@EXAMPLE.COM</a>>>]
in keytab [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228
(Cannot contact any KDC for requested realm)<br>
[16/May/2012:14:41:43 -0700] - slapd started. Listening on
All Interfaces port 389 for LDAP requests<br>
[16/May/2012:14:41:43 -0700] - Listening on All Interfaces
port 636 for LDAPS requests<br>
[16/May/2012:14:41:43 -0700] - Listening on
/var/run/slapd-EXAMPLE-COM.socket for LDAPI requests<br>
[16/May/2012:14:41:43 -0700]
slapd_ldap_sasl_interactive_bind - Error: could not perform
interactive bind for id [] mech [GSSAPI]: error -2 (Local
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_496' not found))<br>
[16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could
not perform interactive bind for id [] mech [GSSAPI]: error
-2 (Local error)<br>
[16/May/2012:14:41:43 -0700] NSMMReplicationPlugin -
agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
Replication bind with GSSAPI auth failed: LDAP error -2
(Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more
information (Credentials cache file '/tmp/krb5cc_496' not
found))<br>
[16/May/2012:14:41:46 -0700] NSMMReplicationPlugin -
agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
Replication bind with GSSAPI auth resumed<br>
<br>
Thanks.<br>
<br>
--David<br>
<br>
________________________________<br>
From: David Copperfield <<a moz-do-not-send="true"
ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>>>><br>
To: JR Aquino <<a moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>>>><br>
Cc: "<a moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>"
<<a moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>><br>
Sent: Wednesday, May 16, 2012 1:23 PM<br>
Subject: Re: [Freeipa-users] What to do next???: IPA replica
host entry is removed on web UI by mistake<br>
<br>
Hi JR,<br>
<br>
Thanks a lot! It works perfectly.<br>
<br>
The only extra thing probably goes with 2.1.3 only: I need
to find and clear ghost RUV records for CA database, and
remove it from master and all other live replicas as well.<br>
<br>
BTW, on 2.2.0 the two database backends still are separate,
or merged into one?<br>
<br>
Thanks.<br>
<br>
--David<br>
<br>
________________________________<br>
From: JR Aquino <<a moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:JR.Aquino@citrix.com"
href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>>>><br>
To: David Copperfield <<a moz-do-not-send="true"
ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a><mailto:<a
moz-do-not-send="true" ymailto="mailto:cao2dan@yahoo.com"
href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>>>><br>
Cc: FreeIPAUsers <<a moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>>><br>
Sent: Wednesday, May 16, 2012 12:57 PM<br>
Subject: Re: [Freeipa-users] What to do next???: IPA replica
host entry is removed on web UI by mistake<br>
<br>
On May 16, 2012, at 12:23 PM, David Copperfield wrote:<br>
<br>
> Hi all,<br>
><br>
> I accidentally removed one of my IPA replica host on
IPA web UI by mistake, on the host list I planed to remove
ipaclient02.example.com<<a moz-do-not-send="true"
href="http://ipaclient02.example.com" target="_blank">http://ipaclient02.example.com</a>><<a
moz-do-not-send="true"
href="http://ipaclient02.example.com/" target="_blank">http://ipaclient02.example.com/</a>>,
but accidentally the mouse moved to
ipareplica02.example.com<<a moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>><<a
moz-do-not-send="true"
href="http://ipareplica02.example.com/" target="_blank">http://ipareplica02.example.com/</a>>
and the latter got removed without a prompt.<br>
><br>
> I realized the mistake and tried to recover from this
disaster but it was already too late, the change propagated
to all the replicas and the poor ipareplica02 now stops
functioning.<br>
><br>
> [root@ipareplica02 slapd-EXAMPLE-COM]# ipa service-find<br>
> ipa: ERROR: cannot connect to u'<a
moz-do-not-send="true"
href="https://ipareplica02.qe9.jigsaw.com/ipa/xml%27"
target="_blank">https://ipareplica02.qe9.jigsaw.com/ipa/xml'</a>:
Internal Server Error<br>
> [root@ipareplica02 slapd-EXAMPLE-COM]# ipa user-find<br>
> ipa: ERROR: cannot connect to u'<a
moz-do-not-send="true"
href="https://ipareplica02.qe9.jigsaw.com/ipa/xml%27"
target="_blank">https://ipareplica02.qe9.jigsaw.com/ipa/xml'</a>:
Internal Server Error<br>
> [root@ipareplica02 slapd-EXAMPLE-COM]# ipa host-find<br>
> ipa: ERROR: cannot connect to u'<a
moz-do-not-send="true"
href="https://ipareplica02.qe9.jigsaw.com/ipa/xml%27"
target="_blank">https://ipareplica02.qe9.jigsaw.com/ipa/xml'</a>:
Internal Server Error<br>
> [root@ipareplica02 slapd-EXAMPLE-COM]#<br>
><br>
> On the IPA master, It was found that ipareplica02
didn't show up in 'host-find' list or 'service-find' list.
Though it still showed in the master list reported by
'ipa-replica-manage' and 'ipa-csreplica-manage', the real
command 'ipa-replica-manage list ipareplica02' fails with
LDAP could't reach error.<br>
><br>
> What should I do now? Is there are any other ways to
recover besides uninstall and reinstall of IPA replica
ipareplica02?<br>
><br>
> BTW, it will be more than appreciated if the web UI
could pop up a warning prompt when removing host/services
entries associated with IPA masters and IPA replicas.<br>
<br>
Been there... Done that... The bug is fixed in 2.2... It
will prompt and prevent you from deleting a replica host if
there is an agreement.<br>
<br>
To clean up...<br>
<br>
0. On the master replica: ipa-replica-manage del
ipareplica02.example.com<<a moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>><<a
moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>>
--force<br>
-This will delete the replica agreement for the host.<br>
<br>
1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b
dc=example,dc=com \<br>
'(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'<br>
<br>
Look for your your nsds50ruv that matches your ghost
replica.<br>
<br>
2. Create an ldif following the directions here: <a
moz-do-not-send="true"
href="http://directory.fedoraproject.org/wiki/Howto:CLEANRUV"
target="_blank">http://directory.fedoraproject.org/wiki/Howto:CLEANRUV</a><br>
Something like:<br>
<br>
$ cat cleanup.ldif<br>
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
tree,cn=config<br>
changetype: modify<br>
replace: nsds5task<br>
nsds5task: CLEANRUV## <- ## == The ReplicaID number for
the ghost replica.<br>
<br>
3. Run on all of the remaining replicas: ldapmodify -x -D
"cn=directory manager" -W -f fixed.ldif<br>
- This removes the ghost entry.<br>
<br>
4. on the broken replica: ipa-server-install --uninstall<br>
<br>
5. Follow the normal directions for 'installing a replica'<br>
- on master: ipa-replica-prepare
ipareplica02.example.com<<a moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>><<a
moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>><br>
- scp /path/to/ipareplica02.example.com.gpg
ipareplica02.example.com<<a moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>><<a
moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>>:
ipareplica02.example.com<<a moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>><<a
moz-do-not-send="true"
href="http://ipareplica02.example.com.gp/" target="_blank">http://ipareplica02.example.com.gp/</a>>.gpg<br>
- on replica: ipa-replica-install
ipareplica02.example.com<<a moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>><<a
moz-do-not-send="true"
href="http://ipareplica02.example.com" target="_blank">http://ipareplica02.example.com</a>>
--whatever_options_you_used_previously<br>
<br>
6. Check to make sure the server was built correctly and
command work as expected: kinit admin, ipa user-find, ipa
host-find, id admin, etc etc<br>
<br>
7. Sigh and drink coffee<br>
<br>
> Thanks.<br>
><br>
> --David<br>
> From: Rich Megginson <<a moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>>><br>
> To: Ben Ho <<a moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a>>>><br>
> Cc: <a moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>><br>
> Sent: Tuesday, May 15, 2012 5:33 PM<br>
> Subject: Re: [Freeipa-users] Help with
ipa-replica-manage<br>
><br>
> On 05/15/2012 02:49 PM, Ben Ho wrote:<br>
>> This is the information I retrieved about my
server.<br>
>><br>
>> ipa-server-selinux-2.1.3-9.el6.x86_64<br>
>> ipa-client-2.1.3-9.el6.x86_64<br>
>> ipa-server-2.1.3-9.el6.x86_64<br>
>> CentOS release 6.2<br>
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64<br>
>><br>
>> Thanks again.<br>
><br>
> Is replication otherwise working?<br>
><br>
>><br>
>> -Ben<br>
>><br>
>> Date: Tue, 15 May 2012 13:15:46 -0600<br>
>> From: <a moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:rmeggins@redhat.com"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>>><br>
>> To: <a moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:ben13ho@hotmail.com"
href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a>>><br>
>> CC: <a moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:freeipa-users@redhat.com"
href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>>><br>
>> Subject: Re: [Freeipa-users] Help with
ipa-replica-manage<br>
>><br>
>> On 05/15/2012 01:00 PM, Ben Ho wrote:<br>
>> Hello,<br>
>> I am pretty new to IPA. Right now I have three
servers that are running IPA. I am trying to replicate one
server to two other servers. I use this command:<br>
>><br>
>> ipa-replica-manage re-initialize --from
example2.edu<<a moz-do-not-send="true"
href="http://example2.edu" target="_blank">http://example2.edu</a>><<a
moz-do-not-send="true" href="http://example2.edu"
target="_blank">http://example2.edu</a>><br>
>><br>
>> On the first server I need to replicate, it works
fine. However, on the second server I get this message in
my log files. The errors get printed out once every 1 to 5
minutes.<br>
>><br>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin
- agmt="cn=meToexample1.edu" (example1:389): Schema
replication update failed: Type or value exists<br>
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin
- agmt="cn=meToexample1.edu" (example1:389): Warning: unable
to replicate schema: rc=1<br>
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin
- agmt="cn=meToexample2.edu" (example2:389): Schema
replication update failed: Type or value exists<br>
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin
- agmt="cn=meToexample2.edu" (example2:389): Warning: unable
to replicate schema: rc=1<br>
>><br>
>><br>
>> Again, I am pretty new to this, so any help or
tips would be appreciated.<br>
>><br>
>> What platform and what version of 389-ds-base and
ipa-server for all of your servers?<br>
>><br>
>><br>
>> Thanks!<br>
>><br>
>> -Ben<br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Freeipa-users mailing list<br>
>><br>
>> <a moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br>
>> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
>><br>
><br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br>
> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br>
> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><mailto:<a
moz-do-not-send="true"
ymailto="mailto:Freeipa-users@redhat.com"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>>><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>