<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 04/07/2016 07:23 AM, Prashant Bapat
wrote:<br>
</div>
<blockquote
cite="mid:CAN9aUrgtzJ1xoMm=nH_gBMXDLoqRaVDJ7rArcseRMYGLgOBmPA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif">What I have done now was to add a new server,
ipa02 and configured replication again and things are fine. </div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif">However on IPA1 the 389 ds error logs have
reference to the dead ipa2 replica.</div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><br>
</div>
<div class="gmail_default">
<div class="gmail_default"><font face="monospace, monospace">[07/Apr/2016:04:13:11
+0000] NSMMReplicationPlugin - agmt="cn=<a
moz-do-not-send="true"
href="http://meToipa2.example.net">meToipa2.example.net</a>"
(ipa2:389): Replication bind with GSSAPI auth failed: LDAP
error -1 (Can't contact LDAP server) ()</font></div>
<div class="gmail_default"><font face="monospace, monospace">[07/Apr/2016:04:13:11
+0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid
6): Failed to connect to replica(agmt="cn=<a
moz-do-not-send="true"
href="http://meToipa2.example.net">meToipa2.example.net</a>"
(ipa2:389)).</font></div>
<div class="gmail_default"><font face="monospace, monospace">[07/Apr/2016:04:13:11
+0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid
6): Retrying in 14400 seconds</font></div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><br>
</div>
<div class="gmail_default"><font face="trebuchet ms,
sans-serif">It will never be able to connect to ipa2 as
it's gone permanently. Also the </font><span
style="font-family:'trebuchet
ms',sans-serif;font-size:12.8px"> </span><span
style="font-size:12.8px"><font face="monospace, monospace">ipa-replica-manage
list `hostname`</font><font face="trebuchet ms,
sans-serif"> command still shows the ipa2 as replica. </font></span></div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><span style="font-size:12.8px"><br>
</span></div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><span style="font-size:12.8px">How to remove
this permanently ???</span></div>
</div>
</div>
</blockquote>
I don't know why you got into this state; ipa-replica-manage del
should have removed the agreement. You can do it by directly
deleting it in DS:<br>
- get the full dn of the agreement<br>
ldapsearch ..... -D "cn=directory manager" -w .... -b cn=config <font
face="monospace, monospace">"cn=<a moz-do-not-send="true"
href="http://meToipa2.example.net">meToipa2.example.net</a>" dn<br>
it should return an entry with<br>
dn: &lt;agreement dn&gt;<br>
<br>
then do a delete<br>
<br>
ldapmodify </font>..... -D "cn=directory manager" -w ....<br>
<font face="monospace, monospace">dn: &lt;agreement dn&gt;<br>
changetype: delete<br>
<br>
</font>
<blockquote
cite="mid:CAN9aUrgtzJ1xoMm=nH_gBMXDLoqRaVDJ7rArcseRMYGLgOBmPA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default">
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><span style="font-size:12.8px"><br>
</span></div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><span style="font-size:12.8px">Thanks.</span></div>
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif"><span style="font-size:12.8px">--Prashant</span></div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 6 April 2016 at 22:17, Prashant
Bapat <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:prashant@apigee.com" target="_blank">prashant@apigee.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif">
<div class="gmail_default"># ipa-replica-manage list
`hostname`</div>
<div class="gmail_default"><a moz-do-not-send="true"
href="http://ipa2.example.net" target="_blank">ipa2.example.net</a>:
replica</div>
<div class="gmail_default"><a moz-do-not-send="true"
href="http://ipa3.example.net" target="_blank">ipa3.example.net</a>:
replica</div>
<div class="gmail_default"><a moz-do-not-send="true"
href="http://ipa4.example.net" target="_blank">ipa4.example.net</a>:
replica</div>
<div class="gmail_default"><br>
</div>
<div class="gmail_default"><a moz-do-not-send="true"
href="http://ipa2.example.net" target="_blank">ipa2.example.net</a>
should not be there. How do I remove it?</div>
</div>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On 6 April 2016 at 18:55, Rob
Crittenden <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Prashant
Bapat wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span>
Hi,<br>
<br>
We had 4 IPA servers in master master mode
with all of them connected to<br>
each other.<br>
<br>
IPA1 &lt;----&gt; IPA2 (colo 1)<br>
IPA3 &lt;----&gt; IPA4 (colo 2)<br>
<br>
One of the replica servers (IPA2) had to be
rebuilt.<br>
<br>
So I went ahead and used below commands.<br>
<br>
ipa-replica-manage disconnect IPA2 IPA3<br>
ipa-replica-manage disconnection IPA2 IPA4<br>
ipa-replica-manage del IPA2 (to remove it on
IPA1).<br>
<br>
</span>
And then ran ipa-server-install --uninstall on
IPA2.<span><br>
<br>
Created the replica info file using
ipa-replica-prepare IPA2.<br>
<br>
When I tried to run ipa-replica-install on
IPA2, it says<br>
<br>
A replication agreement for this host already
exists. It needs to be<br>
removed.<br>
Run this on the master that generated the info
file:<br>
</span>
% ipa-replica-manage del <a
moz-do-not-send="true"
href="http://ipa2.example.net"
rel="noreferrer" target="_blank">ipa2.example.net</a><span><br>
--force<br>
<br>
Now on IPA1, no matter what I do it still has
references to IPA2.<br>
<br>
So far I have tried the following.<br>
<br>
</span>
1. ipa-replica-manage del --force IPA2<br>
2. ipa-replica-manage del --force --cleanruv
IPA2<br>
3. /usr/sbin/<a moz-do-not-send="true"
href="http://cleanallruv.pl" rel="noreferrer"
target="_blank">cleanallruv.pl</a>
-D "cn=directory<span><br>
manager" -w - -b "dc=example,dc=net" -r 6<br>
<br>
<br>
Got the rid = 6 by running<br>
ldapsearch -Y GSSAPI -b "dc=example,dc=net"<br>
'(&amp;(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'<br>
nsds50ruv<br>
<br>
In the directory server logs, I guess it's
still trying to connect to<br>
IPA2 and failing. Below are some lines.<br>
<br>
[06/Apr/2016:10:18:09 +0000]
NSMMReplicationPlugin -<br>
</span>
agmt="cn=<a moz-do-not-send="true"
href="http://meToipa2.example.net"
rel="noreferrer" target="_blank">meToipa2.example.net</a>"
(ipa2:389):<span><br>
Replication bind with GSSAPI auth failed: LDAP
error -1 (Can't contact<br>
LDAP server) ()<br>
[06/Apr/2016:10:18:09 +0000]
NSMMReplicationPlugin - CleanAllRUV Task<br>
(rid 6): Replica not online (agmt="cn=<a
moz-do-not-send="true"
href="http://meToipa2.example.net"
rel="noreferrer" target="_blank">meToipa2.example.net</a>"
(ipa2:389))<br>
[06/Apr/2016:10:18:09 +0000]
NSMMReplicationPlugin - CleanAllRUV Task<br>
(rid 6): Not all replicas online, retrying in
2560 seconds...<br>
<br>
Any pointers would be helpful.<br>
</span></blockquote>
<br>
On ipa1 run:<br>
<br>
% ipa-replica-manage list -v `hostname`<br>
<br>
This will give the list of actual agreements and
their status.<span><font color="#888888"><br>
<br>
rob<br>
<br>
</font></span></blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Red Hat GmbH, <a class="moz-txt-link-freetext" href="http://www.de.redhat.com/">http://www.de.redhat.com/</a>, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill</pre>
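<br>
Added example (not part of the original thread, and not FreeIPA or 389 DS code): a shell helper for the two steps in the reply above. It reads the ldapsearch output, unfolds the wrapped dn line, and prints the delete LDIF only when exactly one agreement with the given name is found under cn=config. The function name and the sample LDIF, including its DN, are constructed for illustration.<br>

```shell
#!/bin/sh
# Added example: build the delete LDIF for a stale replication agreement
# from ldapsearch output, refusing anything but a single unambiguous match.

# Constructed sample of ldapsearch output. The dn is folded the way LDIF
# folds long lines: the continuation line starts with one space.
SAMPLE_LDIF='# meToipa2.example.net, replica, dc\3Dexample\2Cdc\3Dnet, mapping tree, config
dn: cn=meToipa2.example.net,cn=replica,cn=dc\3Dexample\2Cdc\3Dnet,cn=mapp
 ing tree,cn=config

# numEntries: 1
'

# agreement_delete_ldif NAME
# Reads LDIF on stdin; NAME is the agreement cn, e.g. meToipa2.example.net.
# Exit status: 0 delete LDIF printed, 1 zero or several matches, 2 base64 dn.
agreement_delete_ldif() {
    AGMT_CN="cn=$1" awk '
        # Unfold: a line starting with a space continues the previous line.
        /^ / { if (n) line[n] = line[n] substr($0, 2); next }
        { line[++n] = $0 }
        END {
            want = tolower(ENVIRON["AGMT_CN"] ",")
            for (i = 1; i <= n; i++) {
                if (line[i] ~ /^dn:: /) {
                    print "base64-encoded dn, decode it first" > "/dev/stderr"
                    exit 2
                }
                if (line[i] !~ /^dn: /) continue
                dn = substr(line[i], 5)
                low = tolower(dn)
                # Accept only the named agreement, and only under cn=config.
                if (index(low, want) == 1 && low ~ /,cn=config$/) {
                    found++
                    hit = dn
                }
            }
            if (found != 1) {
                print "expected 1 agreement, found " (found + 0) > "/dev/stderr"
                exit 1
            }
            print "dn: " hit
            print "changetype: delete"
        }'
}

# Stand-alone run on the constructed sample.
printf '%s' "$SAMPLE_LDIF" | agreement_delete_ldif meToipa2.example.net
```

Check the printed dn before passing the output to the ldapmodify command from the reply.<br>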
</body>
</html>