[Freeipa-users] Replica master in strange state -- how to resolve?

Rob Crittenden rcritten at redhat.com
Tue Dec 17 14:15:18 UTC 2013


Bret Wortman wrote:
>
> On 12/16/2013 10:37 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>> On 12/16/2013 10:40 AM, Bret Wortman wrote:
>>>> I had a replica that was completely failing to respond to its clients,
>>>> so I removed it by first running "ipa-replica-manage del" on the
>>>> replica master, then "ipa-server-install -U --uninstall" on the
>>>> replica. I regenerated the replica file and, upon trying to
>>>> re-initialize the replica, received this error:
>>>>
>>>> :
>>>> The host fsipa.spx.net already exists on the master server.
>>>> You should remove it before proceeding:
>>>>     % ipa host-del fsipa.damascusgrp.com
>>>> [root at fsipa ~]#
>>>>
>>>> On the master:
>>>>
>>>> [root at ipamaster ~]# ipa host-del fsipa.damascusgrp.com
>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
>>>> or disabled
>>>> [root at ipamaster ~]# ipa host-show fsipa.damascusgrp.com
>>>>   Host name: fsipa.damascusgrp.com
>>>>   Principal name: host/fsipa.damascusgrp.com at DAMASCUSGRP.COM
>>>>   Password: False
>>>>   Keytab: True
>>>>   Managed by: fsipa.damascusgrp.com
>>>>   SSH public key fingerprint: ...
>>>>   :
>>>> [root at ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
>>>> 'ipamaster.damascusgrp.com' has no replication agreement for
>>>> 'fsipa.damascusgrp.com'
>>>> [root at ipamaster ~]#
>>>>
>>>> What's the right way to clean this up without making the situation
>>>> worse?
>>>
>>> Do you use IPA DNS?
>
> Yes
>>> What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?
>>
>> It would appear that the replica uninstallation was a bit incomplete.
>> The lack of replication may be part of, or the cause of, the problem.
>>
>> I guess I would start by double-checking that the remaining master
>> doesn't have an RUV record for the old one:
>>
>> # ipa-replica-manage list-ruv
>>
> This returns nothing, so I'm assuming that's good.
>
>> If so you can use the clean-ruv command to clean things up. Be very
>> careful what number you plug in there. This is one of those "with
>> great power comes great responsibility" commands.
>>
>> As for the remaining master entries, you'll need to use ldapdelete to
>> remove them.
>>
>> Something like this:
>>
>> # ldapdelete -x -D 'cn=directory manager' -W -r
>> cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com
>>
>> ^D
>>
> # ldapdelete -x -D 'cn=directory manager' -W -r
> cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
> ^D
> ldap_delete: Operations error (1)
> ldap_delete: Operation not allowed on non-leaf (66)
> #

Strange. The -r is for recursion and should delete all the children too.

Oh well. Instead try this:

ldapsearch -LLL -x -D 'cn=Directory manager' -W -b cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com dn

Those are all the DNs to pass to ldapdelete. Delete the leaf nodes (the 
service entries) first, then the fsipa value.

>> My syntax may be a bit off but you basically want to delete this entry
>> and all its children. If you're nervous stick in the -n option and it
>> will tell you what it's going to do without deleting anything.
>>
> Actually, the "-n" option just distracted me for 5 minutes -- it had me
> chasing syntax until I realized that it was just not doing anything and
> not reporting anything either. Dropping it led to the error above.

Right, -n is to show what would be done without actually doing anything. 
It is handy with a command like this, especially when using recursion.

cheers

rob

>
>> Newer IPA has a new command in ipa-replica-manage to make this cleanup
>> easier.
>>
> Looking forward to upgrading, then. Replica management is a headache for
> us, but given the benefits IPA has brought, it's worth it. Thanks for
> all your help.
>
>> Once those entries are gone you can delete the host entry and proceed
>> on your way.
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
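The cleanup Rob describes above (enumerate the stale master's subtree with ldapsearch, delete the service entries before their parent, dry-run with -n first) as a script. This is an added example, not something posted in the thread: the host name and suffix are the thread's values reused as constructed input, and `-o ldif-wrap=no` (ldapsearch) and `-f` (ldapdelete) are standard OpenLDAP client options used so that long DNs stay on one line and the DN list does not compete with the -W password prompt for stdin.

```shell
#!/bin/sh
# Added example: remove a stale cn=masters subtree leaf-first, dry run first.
# Constructed values from the thread; adjust for your own deployment.
SUFFIX='dc=damascusgrp,dc=com'
OLD_MASTER='fsipa.damascusgrp.com'
BASE="cn=${OLD_MASTER},cn=masters,cn=ipa,cn=etc,${SUFFIX}"
BIND_DN='cn=Directory Manager'

# Read "dn: ..." lines from LDIF on stdin and print bare DNs deepest first,
# so every child is deleted before its parent (ldapdelete's non-leaf error
# otherwise). Depth is the number of RDNs, counted as commas; cn=masters
# entries contain no escaped commas, so a plain count is sufficient.
order_dns_leaf_first() {
    LC_ALL=C awk '/^dn: / { dn = substr($0, 5); n = gsub(/,/, ",", dn); print n "\t" dn }' \
    | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2r \
    | cut -f2-
}

# Every DN under the old master's entry, including the entry itself.
# -LLL drops LDIF comments/version lines; -o ldif-wrap=no keeps long DNs
# on a single line so awk sees the whole value.
list_subtree_dns() {
    ldapsearch -LLL -o ldif-wrap=no -x -D "$BIND_DN" -W \
        -b "$BASE" -s sub '(objectClass=*)' dn
}

# Delete the DNs listed in $1, one per line; extra args (e.g. -n) pass through.
delete_dns_from_file() {
    file=$1; shift
    ldapdelete -x -D "$BIND_DN" -W "$@" -f "$file"
}

main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    list_subtree_dns | order_dns_leaf_first > "$tmp"
    [ -s "$tmp" ] || { echo "nothing found under $BASE" >&2; exit 1; }
    echo "Deletion order:"; cat "$tmp"
    delete_dns_from_file "$tmp" -n     # dry run: reports, changes nothing
    delete_dns_from_file "$tmp"        # real deletion, children first
    echo "Now 'ipa host-del $OLD_MASTER' should succeed."
}

# Only act when explicitly asked, so the functions can be sourced safely.
if [ "${1-}" = "--run" ]; then main; fi
```

Run `./cleanup.sh --run` (the name is illustrative) on the remaining master; the -W prompt appears once per ldap command.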