[Freeipa-users] error trying to re-setup ipa replica [SOLVED]

Rob Crittenden rcritten at redhat.com
Wed Oct 1 18:02:28 UTC 2014


Dmitri Pal wrote:
> On 10/01/2014 10:20 AM, Shashi Dahal wrote:
>> Hi, 
>>
>> This is what I have. 
>>
>> ipa01 - master
>> ipa02 - replica
>> ipa03 - replica
>>
>> ipa02 crashed, and re-setup 
>>
>> I used the gpg file from master and trying to re-create the replica: 
>> ipa-replica-install  ipa02.gpg   
>>
>> gives: 
>>
>> The host ipa02.local.zone already exists on the master server.
>> You should remove it before proceeding:
>>     % ipa host-del ipa02.local.zone
>>
>>
>> I login to the master server and if I do ipa-replica-manage  list , it
>> shows: ipa02.local.zone: master
>> Trying to delete it with ipa host-del ipa02.local.zone  fails saying:
>>  ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
>> or disabled
>>
>> ipa-replica-manage del ipa02.local.zone  fails saying: 
>> 'ipa01.local.zone' has no replication agreement for 'ipa02.local.zone'
>>
>>
>> I searched the mailing list and it was suggested that I should do a
>> ldapsearch and ldapdelete. 
>>
>> here is the search: 
>>
>> ldapsearch -LLL -x -b cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
>>
>> dn: cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
>> objectClass: top
>> objectClass: nsContainer
>> cn: ipa02.local.zone
>>
>> dn: cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
>> objectClass: nsContainer
>> objectClass: ipaConfigObject
>> objectClass: top
>> ipaConfigString: enabledService
>> ipaConfigString: startOrder 10
>> cn: KDC
>>
>> dn: cn=KPASSWD,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=spil
>> objectClass: nsContainer
>> objectClass: ipaConfigObject
>> objectClass: top
>> ipaConfigString: enabledService
>> ipaConfigString: startOrder 20
>> cn: KPASSWD
>>
>> dn: cn=MEMCACHE,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=spil
>> objectClass: nsContainer
>> objectClass: ipaConfigObject
>> objectClass: top
>> ipaConfigString: enabledService
>> ipaConfigString: startOrder 39
>> cn: MEMCACHE
>>
>> dn: cn=HTTP,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
>> objectClass: nsContainer
>> objectClass: ipaConfigObject
>> objectClass: top
>> ipaConfigString: enabledService
>> ipaConfigString: startOrder 40
>> cn: HTTP
>>
>> dn: cn=DNS,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01
>> objectClass: nsContainer
>> objectClass: ipaConfigObject
>> objectClass: top
>> ipaConfigString: enabledService
>> ipaConfigString: startOrder 30
>> cn: DNS
>>
>>
>> I tried delete, but I get: 
>>
>> ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01'
>>
>> ldap_bind: Server is unwilling to perform (53)
>> additional info: Unauthenticated binds are not allowed
>>
>> I have located that there is -W 
>>
>> ldapdelete -x -D 'cn=KDC,cn=ipa02.local.zone,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=dc01' -W
>> it asks for LDAP Password:
>>
>> Entering the password gives: ldap_bind: Inappropriate authentication (48) 
>>
>>
>> Can anyone who faced similar issues help me on how do I fix it ? 
>>
>>
>> Cheers,
>> Shashi
>>
>>
>>
>>
> I think you need to use Directory Manager's or admin's DN as a bind DN.
> The bind DN above seems wrong.

Well, that is a brute-force way of fixing it and not recommended anyway.
I'm glad the bind failed.

I chatted with him over IRC and we resolved it. He still had a
replication agreement for ipa02 on ipa03 so he removed that and was able
to re-install ipa02.

One needs to be careful when deleting a master to be sure that it is
completely gone. If 389-ds still thinks there is a master floating
around there it will accumulate a changelog for it.

rob
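The fix Rob describes is to find the master that still holds a replication agreement with the crashed host and remove it there, rather than on a master that has none (where ipa-replica-manage del fails with "has no replication agreement"). The script below is an added example, not code from the thread or from the FreeIPA project: it parses the "host: role" lines that ipa-replica-manage list <master> prints for each surviving master, reports which masters still point at the target, and prints the removal command to run on each. The per-master output is a constructed sample embedded in list_agreements (ipa03 still points at ipa02, as in the thread); the ssh wrapper, the use of --force because the target is down, and the master list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate stale replication agreements
# with a host that is being rebuilt, so `ipa-replica-manage del` is run on a
# master that actually has one.

# Surviving masters (assumed; ipa02 is the host being rebuilt).
SURVIVING_MASTERS='ipa01.local.zone ipa03.local.zone'

# list_agreements MASTER: prints the agreements MASTER holds, in the
# "peer: role" line format of `ipa-replica-manage list MASTER`.
# Constructed sample data; for real use replace the body with
#   ssh "$1" ipa-replica-manage list "$1"
list_agreements() {
  case $1 in
    ipa01.local.zone) printf '%s\n' 'ipa03.local.zone: replica' ;;
    ipa03.local.zone) printf '%s\n' 'ipa01.local.zone: replica' \
                                     'ipa02.local.zone: replica' ;;
    *) return 1 ;;
  esac
}

# has_agreement MASTER TARGET: exit 0 if MASTER's agreement list names
# TARGET (the text before the first colon), 1 otherwise.
has_agreement() {
  list_agreements "$1" | {
    while IFS= read -r line; do
      [ "${line%%:*}" = "$2" ] && exit 0
    done
    exit 1
  }
}

# stale_masters TARGET: print every surviving master that still holds an
# agreement with TARGET, one per line; empty output means it is fully gone.
stale_masters() {
  for m in $SURVIVING_MASTERS; do
    has_agreement "$m" "$1" && printf '%s\n' "$m"
  done
  return 0
}

# remediation TARGET: the command to run on each stale master. --force is
# assumed because the target host is down and cannot be contacted.
remediation() {
  stale_masters "$1" | while IFS= read -r m; do
    printf 'ssh %s ipa-replica-manage del --force %s\n' "$m" "$1"
  done
}

if [ $# -gt 0 ]; then
  stale_masters "$1"
  remediation "$1"
fi
```

Run it as `sh check-agreements.sh ipa02.local.zone`; with the sample data it names ipa03.local.zone and prints the del command for that master. Once no master reports an agreement with the host, the rebuild with ipa-replica-install can proceed, and the 389-ds changelog stops accumulating entries for a master that no longer exists.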
