<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    On 05/16/2012 06:11 PM, David Copperfield wrote:
    <blockquote
      cite="mid:1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com"
      type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
        255); font-family: times new roman,new york,times,serif;
        font-size: 12pt;">
        <div><span>Hi JR, Rob and Rich,</span></div>
        <div><span><br>
          </span></div>
        <div><span>Thanks a lot for helping! A massage may be the choice
            for me now. :)</span></div>
        <div><span><br>
          </span></div>
        <div>Though I still have two questions here. :)</div>
        <div><br>
        </div>
        <div> 1. Do you have an idea of how to clear the ghost RUVs
          thoroughly in one run? In my case today it took me quite some
          time to clear them again and again across the server farm -- it
          looks like the affected LDAP entries overwrite each other, like
          a basket of bumping balls.</div>
      </div>
    </blockquote>
    <br>
    Correct.  See <a class="moz-txt-link-freetext" href="http://port389.org/wiki/Howto:CLEANRUV">http://port389.org/wiki/Howto:CLEANRUV</a> under the
    CLEANALLRUV and RELEASERUV procedures.  Mark can explain the
    procedure better than I can.<br>
    <br>
    Note that CLEANALLRUV and RELEASERUV are not available in the
    current release, but will be available in an upcoming release.<br>
    <br>
    <blockquote
      cite="mid:1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com"
      type="cite">
      <div style="color: rgb(0, 0, 0); background-color: rgb(255, 255,
        255); font-family: times new roman,new york,times,serif;
        font-size: 12pt;">
        <div><br>
        </div>
        <div> 2. And does it cause trouble if I also run:</div>
        <div><br>
        </div>
        <div>  ipa-csreplica-manage del &lt;failedIPAReplica&gt; --force
            ## on IPA master</div>
        <div><br>
        </div>
        <div>and </div>
        <div><br>
        </div>
        <div>  clear the CA ghost RUV record from under
          'cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config'? </div>
        <div><br>
        </div>
        <div>I thought the above would be more complete, but the link
          <a class="moz-txt-link-freetext" href="http://directory.fedoraproject.org/wiki/Howto:CLEANRUV">http://directory.fedoraproject.org/wiki/Howto:CLEANRUV</a>
          documents only the user LDAP backend and a normal user LDAP
          replica; it does not cover clearing the CA replication and the
          CA LDAP backend.  <br>
        </div>
      </div>
    </blockquote>
    <br>
    It shouldn't make a difference - to 389 a replica is a replica - it
    doesn't matter if it is a user  data or a CA data replica.<br>
    <br>
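As an added example (this is not code from the thread, nor from the FreeIPA or 389 DS projects): the manual steps JR quotes further down (ldapsearch the RUV tombstone, pick out the ghost replica's ReplicaID, write a CLEANRUV modify, apply it on every remaining master) turned into a small POSIX shell script. It reads the nsds50ruv values the step-1 ldapsearch prints, reports every replica ID whose host is not in the hand-supplied list of live masters, and emits the step-2 LDIF for the replica entry of any suffix. Since to 389 a replica is a replica, the same function yields the CA entry (cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config) when given o=ipaca. The RUV sample, its hostnames, replica IDs and CSNs are constructed, not captured from a real server; the live-master list is passed in by hand because the ghost replica cannot be asked.

```shell
#!/bin/sh
# Added example, not from the thread: find ghost replica IDs in a 389 DS
# RUV and generate the CLEANRUV modification for them.

# Constructed sample of what step 1's ldapsearch prints for the RUV
# tombstone; hosts, RIDs and CSNs are made up, not from a real server.
SAMPLE_RUV='dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
nsds50ruv: {replicageneration} 4fb3a1c0000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4fb3a1c5000000040000 4fb4102e000100040000
nsds50ruv: {replica 5 ldap://ipareplica01.example.com:389} 4fb3a2b0000000050000 4fb40f9a000000050000
nsds50ruv: {replica 7 ldap://ipareplica02.example.com:389} 4fb3a400000000070000 4fb3ff12000000070000'

# ghost_rids "host1 host2 ..."  < ldapsearch-output
# Prints "<rid> <host>" for every RUV element whose host is not a live
# master.  RUV elements look like "{replica <rid> ldap://host:port} ..."
ghost_rids() {
    awk -v live="$1" '
        BEGIN { n = split(live, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^nsds50ruv: [{]replica / {
            rid = $3; host = $4
            sub(/^ldap:\/\//, "", host)      # strip the scheme
            sub(/:[0-9]+[}]$/, "", host)      # strip port and closing brace
            if (!(host in ok)) print rid, host
        }'
}

# cleanruv_ldif <suffix> <rid>
# Emits the LDIF from step 2.  The suffix is escaped the way 389 DS names
# its replica entry under cn=mapping tree: "=" -> \3D and "," -> \2C,
# so dc=example,dc=com becomes dc\3Dexample\2Cdc\3Dcom and o=ipaca
# becomes o\3Dipaca.
cleanruv_ldif() {
    suffix=$(printf '%s' "$1" | sed 's/=/\\3D/g; s/,/\\2C/g')
    printf 'dn: cn=replica,cn=%s,cn=mapping tree,cn=config\n' "$suffix"
    printf 'changetype: modify\n'
    printf 'replace: nsds5task\n'
    printf 'nsds5task: CLEANRUV%s\n\n' "$2"
}

# Demo on the constructed sample: only the masters that still answer are
# listed as live, so RID 7 (ipareplica02) is reported as the ghost and
# the modification for the user suffix is printed.
printf '%s\n' "$SAMPLE_RUV" |
    ghost_rids "ipamaster.example.com ipareplica01.example.com" |
    while read -r rid host; do
        echo "# ghost replica $host has RID $rid"
        cleanruv_ldif "dc=example,dc=com" "$rid"
    done
```

Against a live directory, replace the printf with the step-1 ldapsearch (request the nsds50ruv attribute explicitly) and pipe each emitted modification into ldapmodify -x -D "cn=directory manager" -W on every master that remains; the task still has to be applied per replica, which is what the CLEANALLRUV task mentioned above is meant to automate. For the CA backend, run the same search with -b o=ipaca against the PKI-IPA directory instance (the one the netstat output below shows on port 7389), and feed cleanruv_ldif o=ipaca &lt;rid&gt; to that instance. Take the RID from the CA RUV itself rather than copying the one from the user suffix: the two backends keep separate replica configurations, so the ghost's ID may differ there.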
    <blockquote
      cite="mid:1337213480.1977.YahooMailNeo@web125705.mail.ne1.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff; font-family:times
        new roman, new york, times, serif;font-size:12pt">
        <div><br>
        </div>
        <div>So I got confused about why the document didn't mention
          this (CA). Is it because clearing the CA RUV is wrong, or did
          the author just take it for granted that all users are
          non-newbies? Any ideas?   :)</div>
        <div><br>
        </div>
        <div>Thanks a lot for your help today.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>--David</div>
        <div style="font-size: 12pt; font-family: 'times new roman',
          'new york', times, serif; ">
          <div style="font-size: 12pt; font-family: 'times new roman',
            'new york', times, serif; ">
            <div dir="ltr"> <font face="Arial" size="2">
                <hr size="1"> <b><span style="font-weight:bold;">From:</span></b>
                JR Aquino <a class="moz-txt-link-rfc2396E" href="mailto:JR.Aquino@citrix.com"><JR.Aquino@citrix.com></a><br>
                <b><span style="font-weight: bold;">To:</span></b> David
                Copperfield <a class="moz-txt-link-rfc2396E" href="mailto:cao2dan@yahoo.com"><cao2dan@yahoo.com></a> <br>
                <b><span style="font-weight: bold;">Cc:</span></b>
                <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com">"freeipa-users@redhat.com"</a>
                <a class="moz-txt-link-rfc2396E" href="mailto:freeipa-users@redhat.com"><freeipa-users@redhat.com></a>; Rob Crittenden
                <a class="moz-txt-link-rfc2396E" href="mailto:rcritten@redhat.com"><rcritten@redhat.com></a> <br>
                <b><span style="font-weight: bold;">Sent:</span></b>
                Wednesday, May 16, 2012 4:41 PM<br>
                <b><span style="font-weight: bold;">Subject:</span></b>
                Re: Still not working -- Re: [Freeipa-users] What to do
                next???: IPA replica host entry is removed on web UI by
                mistake<br>
              </font> </div>
            <br>
            Whew, glad to hear you got through it!<br>
            <br>
            The 389 ds crew is working on making the cleanruv into an
            internal automated process. I empathize completely.<br>
            <br>
            The gssapi errors are generally benign. They come up because
            ldap starts before the kdc.<br>
            <br>
            "Keeping your head in the cloud"<br>
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
            Jr Aquino | Sr. Information Security Specialist<br>
            GIAC Certified Incident Handler | GIAC WebApp Penetration
            Tester<br>
            Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117<br>
            <a moz-do-not-send="true"
              href="mailto:jr.aquino@citrix.com">jr.aquino@citrix.com</a><br>
            <a moz-do-not-send="true" href="http://www.citrixonline.com"
              target="_blank">http://www.citrixonline.com</a><br>
            <br>
            On May 16, 2012, at 4:29 PM, "David Copperfield" &lt;<a
              moz-do-not-send="true"
              href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>&gt;
            wrote:<br>
            <br>
            Could that be because of removing ghost entries in CA
            database?<br>
            <br>
            Another possible place could be the deleting/clearing option
            itself. One annoying thing that I've found is:<br>
            <br>
            I cleared the RUV records from IPA servers one by one, then
            I restart IPA services on the servers one by one again,
            ldapsearch showed that the RUV ghost entries popped up
            again. :(<br>
            <br>
            I had to kill it again and again across the IPA server
            farms, then restart IPA servers one by one, check again,
            until the ghost RUV entries disappeared from all and didn't
            come back -- It is very, VERY exhausting and annoying.<br>
            <br>
            After that I still need to stop IPA replica first, then
            restart IPA master and until now it worked -- ipa commands
            and kinit worked.  At last I brought up the valid replica
            and it worked this time as well.<br>
            <br>
            Now it was time to reinstall the failed IPA replica and it
            was installed and up and running well.<br>
            <br>
            After I tested with 'ipa user-add', 'ipa-user-delete' and
            found that the replication did work across the IPA master
            and IPA replicas. I tested the last time and found the
            following messages in the error log file on IPA master, it
            maybe harmless but I am not sure:<br>
            <br>
            [16/May/2012:16:18:36 -0700] - 389-Directory/1.2.9.16
            B2012.023.214 starting up<br>
            [16/May/2012:16:18:36 -0700] schema-compat-plugin - warning:
            no entries set up under ou=SUDOers, dc=jigsaw,dc=com<br>
            [16/May/2012:16:18:36 -0700] - Skipping CoS Definition
            cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS
            Templates found, which should be added before the CoS
            Definition.<br>
            [16/May/2012:16:18:36 -0700] - Skipping CoS Definition
            cn=Password Policy,cn=accounts,dc=jigsaw,dc=com--no CoS
            Templates found, which should be added before the CoS
            Definition.<br>
            [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get
            initial credentials for principal
            [ldap/ipamaster.example.com@EXAMPLE.COM] in keytab
            [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error
            (see e-text))<br>
            [16/May/2012:16:18:36 -0700] - slapd started.  Listening on
            All Interfaces port 389 for LDAP requests<br>
            [16/May/2012:16:18:36 -0700] set_krb5_creds - Could not get
            initial credentials for principal
            [ldap/ipamaster.example.com@EXAMPLE.COM] in keytab
            [WRFILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error
            (see e-text))<br>
            [16/May/2012:16:18:36 -0700] - Listening on All Interfaces
            port 636 for LDAPS requests<br>
            [16/May/2012:16:18:36 -0700] - Listening on
            /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests<br>
            [16/May/2012:16:18:36 -0700]
            slapd_ldap_sasl_interactive_bind - Error: could not perform
            interactive bind for id [] mech [GSSAPI]: error -2 (Local
            error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
            GSS failure.  Minor code may provide more information
            (Credentials cache file '/tmp/krb5cc_496' not found))<br>
            [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could
            not perform interactive bind for id [] mech [GSSAPI]: error
            -2 (Local error)<br>
            [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin -
            agmt="cn=meToipareplica02.example.com" (ipareplica02:389):
            Replication bind with GSSAPI auth failed: LDAP error -2
            (Local error) (SASL(-1): generic failure: GSSAPI Error:
            Unspecified GSS failure.  Minor code may provide more
            information (Credentials cache file '/tmp/krb5cc_496' not
            found))<br>
            [16/May/2012:16:18:36 -0700]
            slapd_ldap_sasl_interactive_bind - Error: could not perform
            interactive bind for id [] mech [GSSAPI]: error -2 (Local
            error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
            GSS failure.  Minor code may provide more information
            (Credentials cache file '/tmp/krb5cc_496' not found))<br>
            [16/May/2012:16:18:36 -0700] slapi_ldap_bind - Error: could
            not perform interactive bind for id [] mech [GSSAPI]: error
            -2 (Local error)<br>
            [16/May/2012:16:18:36 -0700] NSMMReplicationPlugin -
            agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
            Replication bind with GSSAPI auth failed: LDAP error -2
            (Local error) (SASL(-1): generic failure: GSSAPI Error:
            Unspecified GSS failure.  Minor code may provide more
            information (Credentials cache file '/tmp/krb5cc_496' not
            found))<br>
            [16/May/2012:16:18:39 -0700] NSMMReplicationPlugin -
            agmt="cn=meToipareplica02.example.com" (ipareplica02:389):
            Replication bind with GSSAPI auth resumed<br>
            [16/May/2012:16:18:39 -0700] NSMMReplicationPlugin -
            agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
            Replication bind with GSSAPI auth resumed<br>
            <br>
            <br>
            --David<br>
            <br>
            <br>
            ________________________________<br>
            From: JR Aquino &lt;<a moz-do-not-send="true"
              href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>&gt;<br>
            To: David Copperfield &lt;<a moz-do-not-send="true"
              href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>&gt;<br>
            Cc: JR Aquino &lt;<a moz-do-not-send="true"
              href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>&gt;;
            Rob Crittenden &lt;<a moz-do-not-send="true"
              href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>&gt;;
            "freeipa-users@redhat.com" &lt;<a moz-do-not-send="true"
              href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>&gt;<br>
            Sent: Wednesday, May 16, 2012 4:00 PM<br>
            Subject: Re: Still not working -- Re: [Freeipa-users] What
            to do next???: IPA replica host entry is removed on web UI
            by mistake<br>
            <br>
            Try: ipactl stop then ipactl start<br>
            <br>
            Doesn't look like dirsrv is running on 389 and 636<br>
            <br>
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
            Jr Aquino | Sr. Information Security Specialist<br>
            GIAC Certified Incident Handler | GIAC WebApp Penetration
            Tester<br>
            Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117<br>
            T: +1 805.690.3478<br>
            C: +1 805.717.0365<br>
            <a moz-do-not-send="true"
              href="mailto:jr.aquino@citrixonline.com">jr.aquino@citrixonline.com</a><br>
            <a moz-do-not-send="true" href="http://www.citrixonline.com"
              target="_blank">http://www.citrixonline.com</a><br>
            <br>
            On May 16, 2012, at 2:54 PM, David Copperfield wrote:<br>
            <br>
            Sorry to declare success too quickly. :( In fact, it is worse
            now: the IPA master fails after performing the above steps,
            including the RUV cleaning.  I've only one working replica
            and I'm afraid to do anything on it.<br>
            <br>
            On the IPA master, after I ran 'service ipa restart' it
            reported OK, but 'ipa user-find' failed. So I cleared my
            Kerberos TGT ticket and ran 'kinit admin' to try my luck; the
            IPA master failed with the following message, and it showed
            that the port 389 listener had disappeared for unknown reasons.<br>
            <br>
            [root@ipamaster slapd-EXAMPLE-COM]# kinit admin<br>
            <br>
            kinit: Generic error (see e-text) while getting initial
            credentials<br>
            [root@ipamaster slapd-EXAMPLE-COM]# netstat -antup | grep -i
            LISTEN | grep ns<br>
            tcp        0      0 :::7389                    :::*                        LISTEN      6550/ns-slapd<br>
            tcp        0      0 :::7390                    :::*                        LISTEN      6550/ns-slapd<br>
            [root@ipamaster slapd-EXAMPLE-COM]#<br>
            <br>
            The error logs are pasted here too.<br>
            <br>
            [16/May/2012:14:41:43 -0700] set_krb5_creds - Could not get
            initial credentials for principal
            [ldap/ipamaster.example.com@EXAMPLE.COM] in keytab
            [WRFILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact
            any KDC for requested realm)<br>
            [16/May/2012:14:41:43 -0700] - slapd started.  Listening on
            All Interfaces port 389 for LDAP requests<br>
            [16/May/2012:14:41:43 -0700] - Listening on All Interfaces
            port 636 for LDAPS requests<br>
            [16/May/2012:14:41:43 -0700] - Listening on
            /var/run/slapd-EXAMPLE-COM.socket for LDAPI requests<br>
            [16/May/2012:14:41:43 -0700]
            slapd_ldap_sasl_interactive_bind - Error: could not perform
            interactive bind for id [] mech [GSSAPI]: error -2 (Local
            error) (SASL(-1): generic failure: GSSAPI Error: Unspecified
            GSS failure.  Minor code may provide more information
            (Credentials cache file '/tmp/krb5cc_496' not found))<br>
            [16/May/2012:14:41:43 -0700] slapi_ldap_bind - Error: could
            not perform interactive bind for id [] mech [GSSAPI]: error
            -2 (Local error)<br>
            [16/May/2012:14:41:43 -0700] NSMMReplicationPlugin -
            agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
            Replication bind with GSSAPI auth failed: LDAP error -2
            (Local error) (SASL(-1): generic failure: GSSAPI Error:
            Unspecified GSS failure.  Minor code may provide more
            information (Credentials cache file '/tmp/krb5cc_496' not
            found))<br>
            [16/May/2012:14:41:46 -0700] NSMMReplicationPlugin -
            agmt="cn=meToipareplica01.example.com" (ipareplica01:389):
            Replication bind with GSSAPI auth resumed<br>
            <br>
            Thanks.<br>
            <br>
            --David<br>
            <br>
            ________________________________<br>
            From: David Copperfield &lt;<a moz-do-not-send="true"
              href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>&gt;<br>
            To: JR Aquino &lt;<a moz-do-not-send="true"
              href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>&gt;<br>
            Cc: "freeipa-users@redhat.com" &lt;<a moz-do-not-send="true"
              href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>&gt;<br>
            Sent: Wednesday, May 16, 2012 1:23 PM<br>
            Subject: Re: [Freeipa-users] What to do next???: IPA replica
            host entry is removed on web UI by mistake<br>
            <br>
            Hi JR,<br>
            <br>
            Thanks a lot! It works perfectly.<br>
            <br>
            The only extra thing probably goes with 2.1.3 only: I need
            to find and clear ghost RUV records for CA database, and
            remove it from master and all other live replicas as well.<br>
            <br>
            BTW, on 2.2.0 the two database backends still are separate,
            or merged into one?<br>
            <br>
            Thanks.<br>
            <br>
            --David<br>
            <br>
            ________________________________<br>
            From: JR Aquino &lt;<a moz-do-not-send="true"
              href="mailto:JR.Aquino@citrix.com">JR.Aquino@citrix.com</a>&gt;<br>
            To: David Copperfield &lt;<a moz-do-not-send="true"
              href="mailto:cao2dan@yahoo.com">cao2dan@yahoo.com</a>&gt;<br>
            Cc: FreeIPAUsers &lt;<a moz-do-not-send="true"
              href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a>&gt;<br>
            Sent: Wednesday, May 16, 2012 12:57 PM<br>
            Subject: Re: [Freeipa-users] What to do next???: IPA replica
            host entry is removed on web UI by mistake<br>
            <br>
            On May 16, 2012, at 12:23 PM, David Copperfield wrote:<br>
            <br>
            > Hi all,<br>
            ><br>
            >  I accidentally removed one of my IPA replica hosts on the
            IPA web UI by mistake. On the host list I planned to remove
            ipaclient02.example.com, but accidentally the mouse moved to
            ipareplica02.example.com and the latter got removed without a
            prompt.<br>
            ><br>
            > I realized the mistake and tried to recover from this
            disaster but it was already too late, the change propagated
            to all the replicas and the poor ipareplica02 now stops
            functioning.<br>
            ><br>
            > [root@ipareplica02 slapd-EXAMPLE-COM]# ipa service-find<br>
            > ipa: ERROR: cannot connect to
            u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal
            Server Error<br>
            > [root@ipareplica02 slapd-EXAMPLE-COM]# ipa user-find<br>
            > ipa: ERROR: cannot connect to
            u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal
            Server Error<br>
            > [root@ipareplica02 slapd-EXAMPLE-COM]# ipa host-find<br>
            > ipa: ERROR: cannot connect to
            u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal
            Server Error<br>
            > [root@ipareplica02 slapd-EXAMPLE-COM]#<br>
            ><br>
            > On the IPA master, it was found that ipareplica02
            didn't show up in the 'host-find' list or the 'service-find'
            list. Though it still showed in the master list reported by
            'ipa-replica-manage' and 'ipa-csreplica-manage', the real
            command 'ipa-replica-manage list ipareplica02' fails with an
            "LDAP couldn't reach" error.<br>
            ><br>
            > What should I do now? Is there are any other ways to
            recover besides uninstall and reinstall of IPA replica
            ipareplica02?<br>
            ><br>
            >  BTW, it will be more than appreciated if the web UI
            could pop up a warning prompt when removing host/services
            entries associated with IPA masters and IPA replicas.<br>
            <br>
            Been there... Done that... The bug is fixed in 2.2... It
            will prompt and prevent you from deleting a replica host if
            there is an agreement.<br>
            <br>
            To clean up...<br>
            <br>
            0. On the master replica: ipa-replica-manage del
            ipareplica02.example.com --force<br>
            -This will delete the replica agreement for the host.<br>
            <br>
            1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b
            dc=example,dc=com \<br>
'(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'<br>
            <br>
            Look for your nsds50ruv that matches your ghost
            replica.<br>
            <br>
            2. Create an ldif following the directions here: <a
              moz-do-not-send="true"
              href="http://directory.fedoraproject.org/wiki/Howto:CLEANRUV"
              target="_blank">http://directory.fedoraproject.org/wiki/Howto:CLEANRUV</a><br>
            Something like:<br>
            <br>
            $ cat cleanup.ldif<br>
            dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
            tree,cn=config<br>
            changetype: modify<br>
            replace: nsds5task<br>
            nsds5task: CLEANRUV## <- ## == The ReplicaID number for
            the ghost replica.<br>
            <br>
            3. Run on all of the remaining replicas: ldapmodify -x -D
            "cn=directory manager" -W -f fixed.ldif<br>
            - This removes the ghost entry.<br>
            <br>
            4. on the broken replica: ipa-server-install --uninstall<br>
            <br>
            5. Follow the normal directions for 'installing a replica'<br>
            - on master: ipa-replica-prepare
            ipareplica02.example.com<br>
            - scp /path/to/ipareplica02.example.com.gpg
            ipareplica02.example.com:ipareplica02.example.com.gpg<br>
            - on replica: ipa-replica-install
            ipareplica02.example.com
            --whatever_options_you_used_previously<br>
            <br>
            6. Check to make sure the server was built correctly and
            commands work as expected: kinit admin, ipa user-find, ipa
            host-find, id admin, etc.<br>
            <br>
            7. Sigh and drink coffee<br>
            <br>
            > Thanks.<br>
            ><br>
            > --David<br>
            > From: Rich Megginson <<a moz-do-not-send="true"
              ymailto="mailto:rmeggins@redhat.com"
              href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>><br>
            > To: Ben Ho <<a moz-do-not-send="true"
              ymailto="mailto:ben13ho@hotmail.com"
              href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a>><br>
            > Cc: <a moz-do-not-send="true"
              ymailto="mailto:freeipa-users@redhat.com"
              href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
            > Sent: Tuesday, May 15, 2012 5:33 PM<br>
            > Subject: Re: [Freeipa-users] Help with
            ipa-replica-manage<br>
            ><br>
            > On 05/15/2012 02:49 PM, Ben Ho wrote:<br>
            >> This is the information I retrieved about my
            server.<br>
            >><br>
            >> ipa-server-selinux-2.1.3-9.el6.x86_64<br>
            >> ipa-client-2.1.3-9.el6.x86_64<br>
            >> ipa-server-2.1.3-9.el6.x86_64<br>
            >> CentOS release 6.2<br>
            >> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64<br>
            >><br>
            >> Thanks again.<br>
            ><br>
            > Is replication otherwise working?<br>
            ><br>
            >><br>
            >> -Ben<br>
            >><br>
            >> Date: Tue, 15 May 2012 13:15:46 -0600<br>
            >> From: <a moz-do-not-send="true"
              ymailto="mailto:rmeggins@redhat.com"
              href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a><br>
            >> To: <a moz-do-not-send="true"
              ymailto="mailto:ben13ho@hotmail.com"
              href="mailto:ben13ho@hotmail.com">ben13ho@hotmail.com</a><br>
            >> CC: <a moz-do-not-send="true"
              ymailto="mailto:freeipa-users@redhat.com"
              href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
            >> Subject: Re: [Freeipa-users] Help with
            ipa-replica-manage<br>
            >><br>
            >> On 05/15/2012 01:00 PM, Ben Ho wrote:<br>
            >> Hello,<br>
            >>  I am pretty new to IPA.  Right now I have three
            servers that are running IPA.  I am trying to replicate one
            server to two other servers.  I use this command:<br>
            >><br>
            >> ipa-replica-manage re-initialize --from
            example2.edu<br>
            >><br>
            >>  On the first server I need to replicate, it works
            fine.  However, on the second server I get this message in
            my log files.  The errors get printed out once every 1 to 5
            minutes.<br>
            >><br>
            >> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin
            - agmt="cn=meToexample1.edu" (example1:389): Schema
            replication update failed: Type or value exists<br>
            >> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin
            - agmt="cn=meToexample1.edu" (example1:389): Warning: unable
            to replicate schema: rc=1<br>
            >> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin
            - agmt="cn=meToexample2.edu" (example2:389): Schema
            replication update failed: Type or value exists<br>
            >> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin
            - agmt="cn=meToexample2.edu" (example2:389): Warning: unable
            to replicate schema: rc=1<br>
            >><br>
            >><br>
            >>  Again, I am pretty new to this, so any help or
            tips would be appreciated.<br>
            >><br>
            >> What platform and what version of 389-ds-base and
            ipa-server for all of your servers?<br>
            >><br>
            >><br>
            >>  Thanks!<br>
            >><br>
            >> -Ben<br>
            >><br>
            >><br>
            >><br>
            >> _______________________________________________<br>
            >> Freeipa-users mailing list<br>
            >><br>
            >> <a moz-do-not-send="true"
              ymailto="mailto:Freeipa-users@redhat.com"
              href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
            >> <a moz-do-not-send="true"
              href="https://www.redhat.com/mailman/listinfo/freeipa-users"
              target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
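    The CLEANRUV procedure quoted above (find the ghost replica's nsds50ruv element in the RUV tombstone, then push an nsds5task CLEANRUV modify carrying that replica ID to every remaining replica) is mechanical enough to script, and the two places where people slip are reading the replica ID out of a line-wrapped ldapsearch result and escaping the suffix in the mapping-tree DN. The Python below is an added example, not code from this thread or from FreeIPA or 389-ds: it unwraps a constructed sample of the step-1 ldapsearch output, compares the replica IDs it finds against a constructed list of the hosts that ipa-replica-manage still reports as live, and emits the step-2 LDIF for each ghost ID. The sample RUV values, CSNs, host names and the suffix dc=example,dc=com are assumptions; nothing in it talks to a directory server.<br>

```python
"""Added example (not from the thread, FreeIPA or 389-ds): pick the ghost
replica ID out of a 389-ds RUV tombstone and generate the CLEANRUV task LDIF.

All sample data below is constructed for the example."""
import re

# Constructed sample of what the step-1 ldapsearch for the RUV tombstone
# returns.  Lines beginning with a single space are LDIF continuation lines:
# ldapsearch wraps long values, so a hostname can be split across two lines.
SAMPLE_RUV_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=com
objectClass: top
objectClass: nsTombstone
objectClass: extensibleobject
nsds50ruv: {replicageneration} 4fb2c0bb000000040000
nsds50ruv: {replica 4 ldap://ipamaster.example.com:389} 4fb2c0c1000000040000 4fb2d1a
 5000000040000
nsds50ruv: {replica 5 ldap://ipareplica01.example.com:389} 4fb2c3f0000000050000 4fb2d
 1b0000000050000
nsds50ruv: {replica 7 ldap://ipareplica02.example.
 com:389} 4fb2c8aa000000070000 4fb2cf01000000070000
"""

# Hosts that `ipa-replica-manage list` still reports (constructed assumption).
LIVE_REPLICAS = ["ipamaster.example.com", "ipareplica01.example.com"]

# One RUV element per replica: {replica <id> ldap://<host>[:port]} <csn> <csn>.
# The {replicageneration} element carries no replica ID and is skipped.
RUV_ELEMENT_RE = re.compile(
    r"^nsds50ruv:\s*\{replica\s+(\d+)\s+ldap://([^:/}]+)(?::\d+)?\}", re.MULTILINE)


def unwrap_ldif(text):
    """Join LDIF continuation lines (leading space) onto the line they belong to."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return "\n".join(lines)


def parse_ruv(ldif_text):
    """Map replica ID -> hostname for every replica element in the RUV."""
    unwrapped = unwrap_ldif(ldif_text)
    return {int(m.group(1)): m.group(2) for m in RUV_ELEMENT_RE.finditer(unwrapped)}


def ghost_replicas(ruv, live_hosts):
    """Replica IDs whose host no longer appears among the live replicas."""
    live = {h.lower().rstrip(".") for h in live_hosts}
    return {rid: host for rid, host in ruv.items()
            if host.lower().rstrip(".") not in live}


def mapping_tree_rdn_value(suffix):
    """Escape the suffix the way the mapping-tree DN in the thread shows it:
    '=' becomes \\3D and ',' becomes \\2C."""
    return suffix.replace("=", "\\3D").replace(",", "\\2C")


def cleanruv_ldif(suffix, replica_id):
    """LDIF that sets nsds5task: CLEANRUV<id> on the replica entry for the suffix."""
    dn = "cn=replica,cn=%s,cn=mapping tree,cn=config" % mapping_tree_rdn_value(suffix)
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: nsds5task",
        "nsds5task: CLEANRUV%d" % replica_id,
        "",
    ])


if __name__ == "__main__":
    ruv = parse_ruv(SAMPLE_RUV_LDIF)
    for rid, host in sorted(ghost_replicas(ruv, LIVE_REPLICAS).items()):
        print("# ghost replica %d (%s)" % (rid, host))
        print(cleanruv_ldif("dc=example,dc=com", rid))
```

    With the constructed sample, replica 7 (ipareplica02) is the only ID absent from the live list, so the script prints one LDIF with nsds5task: CLEANRUV7. The generated LDIF goes to stdout so you choose the filename yourself; note that the quoted steps name the file cleanup.ldif in step 2 but pass fixed.ldif to ldapmodify in step 3. Run the parse against the real ldapsearch output of each remaining replica before applying anything: a replica ID that is still in the live list must not be cleaned.<br>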
  </body>
</html>