[Freeipa-users] Replica master in strange state -- how to resolve?

Bret Wortman bret.wortman at damascusgrp.com
Tue Dec 17 13:16:41 UTC 2013


On 12/16/2013 10:37 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>> On 12/16/2013 10:40 AM, Bret Wortman wrote:
>>> I had a replica that was completely failing to respond to its clients,
>>> so I removed it by first running "ipa-replica-manage del" on the
>>> replica master, then "ipa-server-install -U --uninstall" on the
>>> replica. I regenerated the replica file and, upon trying to
>>> re-initialize the replica, received this error:
>>>
>>> :
>>> The host fsipa.spx.net already exists on the master server.
>>> You should remove it before proceeding:
>>>     % ipa host-del fsipa.damascusgrp.com
>>> [root at fsipa ~]#
>>>
>>> On the master:
>>>
>>> [root at ipamaster ~]# ipa host-del fsipa.damascusgrp.com
>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
>>> or disabled
>>> [root at ipamaster ~]# ipa host-show fsipa.damascusgrp.com
>>>   Host name: fsipa.damascusgrp.com
>>>   Principal name: host/fsipa.damascusgrp.com at DAMASCUSGRP.COM
>>>   Password: False
>>>   Keytab: True
>>>   Managed by: fsipa.damascusgrp.com
>>>   SSH public key fingerprint: ...
>>>   :
>>> [root at ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
>>> 'ipamaster.damascusgrp.com' has no replication agreement for
>>> 'fsipa.damascusgrp.com'
>>> [root at ipamaster ~]#
>>>
>>> What's the right way to clean this up without making the situation 
>>> worse?
>>
>> Do you use IPA DNS?

Yes
>> What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?
>
> It would appear that the replica uninstallation was a bit incomplete. 
> The lack of replication may be part of, or the cause of, the problem.
>
> I guess I would start by double-checking that the remaining master 
> doesn't have an RUV record for the old one:
>
> # ipa-replica-manage list-ruv
>
This returns nothing, so I'm assuming that's good.

> If so you can use the clean-ruv command to clean things up. Be very 
> careful what number you plug in there. This is one of those "with 
> great power comes great responsibility" commands.
>
> As for the remaining master entries, you'll need to use ldapdelete to 
> remove them.
>
> Something like this:
>
> # ldapdelete -x -D 'cn=directory manager' -W r
> cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com 
>
> ^D
>
# ldapdelete -x -D 'cn=directory manager' -W -r
cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
^D
ldap_delete: Operations error (1)
ldap_delete: Operation not allowed on non-leaf (66)
#

> My syntax may be a bit off but you basically want to delete this entry 
> and all its children. If you're nervous stick in the -n option and it 
> will tell you what its going to do without deleting anything.
>
Actually, the "-n" option just distracted me for 5 minutes -- it had me 
chasing syntax until I realized that it was just not doing anything and 
not reporting anything either. Dropping it led to the error above.

> Newer IPA has a new command in ipa-replica-manage to make this cleanup 
> easier.
>
Looking forward to upgrading, then. Replica management is a headache for 
us, but given the benefits IPA has brought, it's worth it. Thanks for 
all your help.

> Once those entries are gone you can delete the host entry and proceed 
> on your way.
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

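The cleanup Rob describes (delete the stale entry under cn=masters together with all of its children, then remove the host) is the kind of thing that is easy to get wrong when the recursive flag does not behave as expected, as the "Operation not allowed on non-leaf (66)" error above shows. The script below is an added example, not code from the thread or from FreeIPA itself: it orders the DNs returned by an ldapsearch of the subtree deepest-first, so that every entry is a leaf by the time it is deleted, and prints the ldapdelete commands for review rather than running them. The hostname, base DN and the LDIF sample are constructed for illustration; on a real server you would replace the sample with the output of `ldapsearch -x -D 'cn=directory manager' -W -b "$(master_dn fsipa.damascusgrp.com dc=damascusgrp,dc=com)" -s sub dn`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): plan the removal of a stale IPA master
# entry so that children are deleted before their parent. Deleting a non-leaf
# entry directly fails with "Operation not allowed on non-leaf (66)", so the
# subtree is enumerated and deleted deepest-first instead of relying on -r.
# The hostname, suffix and LDIF below are constructed sample data.
set -eu

# Build the DN of a master's entry under cn=masters from its hostname and the
# directory suffix (e.g. dc=damascusgrp,dc=com).
master_dn() {
    printf 'cn=%s,cn=masters,cn=ipa,cn=etc,%s\n' "$1" "$2"
}

# Read LDIF from stdin, pick out the "dn: ..." lines and emit them with the
# deepest DN first. Depth is the number of RDNs, counted by splitting on ","
# (sufficient for the unescaped DNs IPA uses under cn=masters).
order_for_delete() {
    awk '/^dn: / { dn = substr($0, 5); n = split(dn, a, ","); print n "\t" dn }' \
    | sort -rn \
    | cut -f2-
}

# Print one ldapdelete command per DN, leaf entries first. Nothing is executed:
# review the plan, then run the lines by hand (or pipe them to sh) once you are
# satisfied that only the stale master's subtree is listed.
plan_delete() {
    order_for_delete | while IFS= read -r dn; do
        printf "ldapdelete -x -D 'cn=directory manager' -W '%s'\n" "$dn"
    done
}

# Constructed sample of what "ldapsearch -s sub dn" returns for the stale
# master's subtree: the master entry itself plus two service children.
SAMPLE_LDIF='dn: cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
cn: fsipa.damascusgrp.com

dn: cn=CA,cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
cn: CA

dn: cn=KDC,cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
cn: KDC
'

# Show the plan for the sample: the two cn=... children come out before the
# cn=fsipa.damascusgrp.com entry that contains them.
printf '%s' "$SAMPLE_LDIF" | plan_delete
```

Once the plan has been executed and the subtree is gone, `ipa host-del fsipa.damascusgrp.com` is no longer refused with "An IPA master host cannot be deleted", which is the point at which Rob's "proceed on your way" applies. Keep `ipa-replica-manage list-ruv` in the loop as well: an empty list, as in the thread, means there is no stale replica ID to clean, and `clean-ruv` should only ever be given an ID that that listing actually showed.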
