[Freeipa-users] Replica master in strange state -- how to resolve?

Bret Wortman bret.wortman at damascusgrp.com
Tue Dec 17 14:24:52 UTC 2013


On 12/17/2013 09:15 AM, Rob Crittenden wrote:
> Bret Wortman wrote:
>>
>> On 12/16/2013 10:37 PM, Rob Crittenden wrote:
>>> Dmitri Pal wrote:
>>>> On 12/16/2013 10:40 AM, Bret Wortman wrote:
>>>>> I had a replica that was completely failing to respond to its clients,
>>>>> so I removed it by first running "ipa-replica-manage del" on the
>>>>> replica master, then "ipa-server-install -U --uninstall" on the
>>>>> replica. I regenerated the replica file and, upon trying to
>>>>> re-initialize the replica, received this error:
>>>>>
>>>>> :
>>>>> The host fsipa.spx.net already exists on the master server.
>>>>> You should remove it before proceeding:
>>>>>     % ipa host-del fsipa.damascusgrp.com
>>>>> [root@fsipa ~]#
>>>>>
>>>>> On the master:
>>>>>
>>>>> [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
>>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
>>>>> or disabled
>>>>> [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
>>>>>   Host name: fsipa.damascusgrp.com
>>>>>   Principal name: host/fsipa.damascusgrp.com@DAMASCUSGRP.COM
>>>>>   Password: False
>>>>>   Keytab: True
>>>>>   Managed by: fsipa.damascusgrp.com
>>>>>   SSH public key fingerprint: ...
>>>>>   :
>>>>> [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
>>>>> 'ipamaster.damascusgrp.com' has no replication agreement for
>>>>> 'fsipa.damascusgrp.com'
>>>>> [root@ipamaster ~]#
>>>>>
>>>>> What's the right way to clean this up without making the situation
>>>>> worse?
>>>>
>>>> Do you use IPA DNS?
>>
>> Yes
>>>> What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?
>>>
>>> It would appear that the replica uninstallation was a bit incomplete.
>>> The lack of replication may be part of, or the cause of, the problem.
>>>
>>> I guess I would start by double-checking that the remaining master
>>> doesn't have an RUV record for the old one:
>>>
>>> # ipa-replica-manage list-ruv
>>>
>> This returns nothing, so I'm assuming that's good.
>>
>>> If so you can use the clean-ruv command to clean things up. Be very
>>> careful what number you plug in there. This is one of those "with
>>> great power comes great responsibility" commands.
>>>
>>> As for the remaining master entries, you'll need to use ldapdelete to
>>> remove them.
>>>
>>> Something like this:
>>>
>>> # ldapdelete -x -D 'cn=directory manager' -W -r
>>> cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com 
>>>
>>>
>>> ^D
>>>
>> # ldapdelete -x -D 'cn=directory manager' -W -r
>> cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
>> ^D
>> ldap_delete: Operations error (1)
>> ldap_delete: Operation not allowed on non-leaf (66)
>> #
>
> Strange. The -r is for recursion and should delete all the children too.
>
> Oh well. Instead try this:
>
> ldapsearch -LLL -x -D 'cn=Directory manager' -W -b 
> cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com dn 
>
>
> Those are all the DNs to pass to ldapdelete. Delete the leaf nodes
> (the service entries) first, then the fsipa value.
>
Worked like a champ. Thanks.

>>> My syntax may be a bit off but you basically want to delete this entry
>>> and all its children. If you're nervous stick in the -n option and it
>>> will tell you what it's going to do without deleting anything.
>>>
>> Actually, the "-n" option just distracted me for 5 minutes -- it had me
>> chasing syntax until I realized that it was just not doing anything and
>> not reporting anything either. Dropping it led to the error above.
>
> Right, -n is to show what would be done without actually doing 
> anything. It is handy with a command like this, especially when using 
> recursion.

Sorry, I wasn't clear -- when I used "-n", it just returned immediately. 
Didn't show it doing anything, probably because of the error above, but 
it didn't report that error either; just swallowed it.

>
> cheers
>
> rob
>
>>
>>> Newer IPA has a new command in ipa-replica-manage to make this cleanup
>>> easier.
>>>
>> Looking forward to upgrading, then. Replica management is a headache for
>> us, but given the benefits IPA has brought, it's worth it. Thanks for
>> all your help.
>>
>>> Once those entries are gone you can delete the host entry and proceed
>>> on your way.
>>>
>>> rob
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>
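
Added example, not part of the original thread: the "leaf nodes first, then the parent" ordering that avoids the "Operation not allowed on non-leaf (66)" error, applied to `ldapsearch -LLL ... dn` output. The function names and the sample LDIF are constructed for illustration; depth is counted by commas, which assumes no escaped commas inside RDN values.

```shell
#!/bin/sh
# leaf_first: read LDIF (ldapsearch -LLL ... dn) on stdin and print one DN per
# line, deepest entries first, so every child is listed before its parent.
leaf_first() {
    awk '
        /^ / { sub(/^ /, ""); buf = buf $0; next }   # unfold LDIF continuation lines
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' |
    sed -n 's/^dn: //p' |
    awk '{ n = gsub(/,/, ","); print n "\t" $0 }' |  # prefix each DN with its comma count
    sort -t "$(printf '\t')" -k1,1nr |               # most components (leaves) first
    cut -f2-
}

# Constructed sample of what the ldapsearch in the thread might return:
# the master entry plus two child entries, with long DNs folded as LDIF does.
sample_ldif() {
cat <<'EOF'
dn: cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com

dn: cn=HTTP,cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,
 dc=com

dn: cn=KDC,cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,d
 c=com

EOF
}

# Show the deletion order for the sample. Against a live server, save the
# ordered list to a file, review it, then pass it to ldapdelete with -f:
#   ldapsearch -LLL -x -D 'cn=Directory manager' -W -b "$BASE" dn | leaf_first > dns.txt
#   ldapdelete -x -D 'cn=directory manager' -W -f dns.txt
sample_ldif | leaf_first
```

Reviewing the saved list before running ldapdelete gives the preview that `-n` did not provide in this thread.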

