[Freeipa-users] Unable to Rebuild Replica

Rob Crittenden rcritten at redhat.com
Fri Apr 24 14:40:06 UTC 2015


dbischof at hrz.uni-kassel.de wrote:
> Sina,
> 
> On Fri, 24 Apr 2015, Sina Owolabi wrote:
> 
>> I noticed that my IPA domain masters were out of sync, with users
>> having to login with different passwords depending on the IPA client
>> they were connected to. I noticed it was the replica that was the
>> problem, and I took it down, uninstalled IPA with a
>> "ipa-server-install --uninstall -U", deleted all the folders based on
>> Adam Young's blog
>> (http://adam.younglogic.com/2011/02/sterilizing-for-ipa-uninstall/)
>> and tried to create replica again. It repeatedly fails, and I am
>> hoping for some insight on how to fix this. Please can anyone help?
>> I'm running this on RHEL6.6 and I just updated the entire machine.
>>
>> Installation logs:
>> [...]
> 
> you may have run into this issue:
> 
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00384.html
> 
> In short: You may be missing some Apache modules on the IPA master. This
> problem occurs only if you attempt to install your replica with
> "--setup-ca"; otherwise installation will work.

Well, he said he had it working at one point so I'm not sure this
applies, assuming of course the previous install had a CA.

The current problem you're seeing is related to the fact that sometimes
when the CA fails to install it isn't marked as having tried in the IPA
state tracker so when you uninstall it does nothing with this
half-installed CA instance which causes all future install attempts to
fail because of this left-over stuff.

To remove this pki instance:

# /usr/sbin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force

Then re-run ipa-server-install --uninstall just to be sure.

Then try the install again.

And before you do any of this, when you deleted this master did you
remove the replication agreements first using ipa-replica-manage?

If not I'd check to be sure there isn't an existing agreement, and the
same with ipa-csreplica-manage.

rob
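
A pre-flight check for the cleanup steps in the message above, added here as an example and not part of the original thread or of FreeIPA: it looks for the leftover instance directory (assumed to be the pkiremove root and instance name joined as a path) and for the replica's hostname in output captured from "ipa-replica-manage list" and "ipa-csreplica-manage list". The function names, the example.com hostnames and the one "hostname: role" entry per line listing format are assumptions.

```shell
#!/bin/sh
# Pre-flight check before re-running the replica install (added example).

# Succeeds if a half-installed CA instance directory is still present.
# $1 = instance root (default /var/lib), $2 = instance name (default pki-ca),
# the same two values passed to pkiremove in the message above.
# Assumption: the instance lives at <root>/<name>.
leftover_pki_instance() {
    [ -d "${1:-/var/lib}/${2:-pki-ca}" ]
}

# Succeeds if the replica host still appears in a listing read from stdin.
# $1 = replica FQDN. Assumption: one "hostname: role" entry per line.
stale_agreement() {
    awk -v h="$1" -F': *' \
        'tolower($1) == tolower(h) { found = 1 } END { exit !found }'
}

# Prints one line per finding and returns the number of findings.
# $1 = replica FQDN, $2 = captured "ipa-replica-manage list" output,
# $3 = captured "ipa-csreplica-manage list" output,
# $4/$5 = optional instance root/name overrides.
preflight() {
    findings=0
    if leftover_pki_instance "$4" "$5"; then
        echo "leftover PKI instance: ${4:-/var/lib}/${5:-pki-ca}"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$2" | stale_agreement "$1"; then
        echo "stale replication agreement for $1"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$3" | stale_agreement "$1"; then
        echo "stale CA replication agreement for $1"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample listings (not taken from the original thread).
SAMPLE_REPL='ipa1.example.com: master
ipa2.example.com: master'
SAMPLE_CSREPL='ipa1.example.com: master'
```

Capture the two listings on a surviving master and run the directory check on the host being rebuilt; a non-zero return from preflight means something is still left over.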



