[Freeipa-users] Badly corrupted IPA

Rob Crittenden rcritten at redhat.com
Thu Mar 27 14:08:28 UTC 2014


Bret Wortman wrote:
> BTW, this also fails when using the web UI -- I can see the entry but
> not delete it.

It sounds like you have a replication conflict entry. Try this search:

$ ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com fqdn=myhost.example.com

You'll probably get something with a dn that includes a nsuniqueid in 
it. That is the conflict entry. IPA can find the host because it 
searches by fqdn too, but it deletes by generating the direct DN and 
since it doesn't match, no delete.

You can delete the wayward entry using ldapdelete.

rob

>
> On 03/27/2014 09:02 AM, Bret Wortman wrote:
>> My IPA corruption continues and I'm afraid I'm going to have to
>> recreate it from scratch since no reasonable means of backup exists
>> (which I understand -- that's not my complaint).
>>
>> Here's what I'm facing:
>>
>> # script -c 'ipa host-find mw79.damascusgrp.com'
>> Script started, file is typescript
>> --------------
>> 1 host matched
>> --------------
>>   Host name: mw79.damascusgrp.com
>>   Principal name: host/mw79.damascusgrp.com@DAMASCUSGRP.COM
>>   Password: False
>>   Member of host-groups: allow_all_hosts
>>   Indirect Member of HBAC rule: allow_all_users_services
>>   Keytab: False
>>   SSH public key fingerprint: [snip] (ssh-dss)
>>
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>> Script done, file is typescript
>> # script -c 'ipa host-del mw79.damascusgrp.com'
>> Script started, file is typescript
>> ipa: ERROR: mw79.damascusgrp.com: host not found
>> Script done, file is typescript
>> #
>>
>> I had unenrolled this host and was attempting to re-enroll it, and
>> this is preventing its re-enrollment. Any ideas of how to force
>> deletion of this host entry? I'm not LDAP savvy enough to just go in
>> and start whacking LDAP entries myself, and given that my IPA database
>> has gotten corrupted enough that no IPA CLI command can run without
>> being wrapped in "script" or "strace" or similar, I'm hesitant to go
>> too far. This machine, however, is my program manager's workstation,
>> so it's pretty important to get back up and running.
>>
>> Thanks,
>>
>>
>> --
>> *Bret Wortman*
>>
>> http://damascusgrp.com/
>> http://about.me/wortmanbret
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
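Added example, not part of the original thread: a shell filter for the ldapsearch output from the reply above. It unfolds wrapped LDIF lines and prints the full DN of every entry whose DN carries an nsuniqueid component, so the DN passed to ldapdelete is complete rather than cut at a line wrap. The sample LDIF, its nsuniqueid value and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of ldapsearch output: one conflict entry (DN folded
# across two lines, as LDIF does with long lines) and one normal entry.
SAMPLE_LDIF='dn: fqdn=myhost.example.com+nsuniqueid=0a1b2c3d-11112222-33334444-55556666,cn=
 computers,cn=accounts,dc=example,dc=com
fqdn: myhost.example.com
objectClass: ipahost

dn: fqdn=other.example.com,cn=computers,cn=accounts,dc=example,dc=com
fqdn: other.example.com
'

# Join LDIF continuation lines (they start with a single space) back onto
# the line they continue, so each attribute is on one physical line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# Read LDIF on stdin; print the DN of each entry whose DN contains an
# nsuniqueid component. Handles plain "dn:" and base64 "dn::" forms.
conflict_dns() {
    unfold_ldif | while IFS= read -r line; do
        case $line in
            "dn:: "*) dn=$(printf '%s' "${line#dn:: }" | base64 -d) ;;
            "dn: "*)  dn=${line#dn: } ;;
            *) continue ;;
        esac
        # Attribute names are case-insensitive, so compare in lower case.
        case $(printf '%s' "$dn" | tr 'A-Z' 'a-z') in
            *nsuniqueid=*) printf '%s\n' "$dn" ;;
        esac
    done
}

# Against a live server the input would be the search from the reply:
#   ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com \
#       fqdn=myhost.example.com | conflict_dns
printf '%s' "$SAMPLE_LDIF" | conflict_dns
```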



