[Freeipa-users] Antwort: Re: Haunted servers?

Christoph Kaminski christoph.kaminski at biotronik.com
Fri May 29 06:16:21 UTC 2015 

freeipa-users-bounces at redhat.com schrieb am 28.05.2015 13:23:26:

> Von: Alexander Frolushkin <Alexander.Frolushkin at megafon.ru>
> An: "'thierry bordaz'" <tbordaz at redhat.com>
> Kopie: "freeipa-users at redhat.com" <freeipa-users at redhat.com>
> Datum: 28.05.2015 13:24
> Betreff: Re: [Freeipa-users] Haunted servers?
> Gesendet von: freeipa-users-bounces at redhat.com
> 
> Unfortunately, after a couple of minutes, on two of three servers 
> error comes back in little changed form:
> # ipa-replica-manage list-ruv
> unable to decode: {replica 16}
> ....
> 
> Before cleanruv it looked like:
> # ipa-replica-manage list-ruv
> unable to decode: {replica 16} 548a8126000000100000 548a8126000000100000
> ....
> 
> And one server seems to be fixed completely.
> 
> WBR,
> Alexander Frolushkin
> 
> 

we had the same problem (and some more) and yesterday we have successfully 
cleaned the gohst rid's

our fix:

1. stop all cleanallruv Tasks, if it works with ipa-replica-manage 
abort-clean-ruv. It hasnt worked here. We have done it manually on ALL 
replicas with:
        a) replica stop
        b) delete all nsds5ReplicaClean from 
/etc/dirsrv/slapd-HSO/dse.ldif
        c) replica start

2. prepare on EACH ipa a cleanruv ldif file with ALL ghost rids inside 
(really ALL from all ipa replicas, we has had some rids only on some 
replicas...)
Example:

dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task:CLEANRUV11

dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task:CLEANRUV22

dn: cn=replica,cn=dc\3Dexample,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task:CLEANRUV37
...

3. do a "ldapmodify -h 127.0.0.1 -D "cn=Directory Manager" -W -x -f 
$your-cleanruv-file.ldif" on all replicas AT THE SAME TIME :) we used 
terminator  for it (https://launchpad.net/terminator). You can open 
multiple shell windows inside one window and send to all at the same time 
the same commands...

4. we have done a re-initialize of each IPA from our first master

5. restart of all replicas

we are not sure about the point 3 and 4. Maybe they are not necessary, but 
we have done it.

If something fails look at defect LDAP entries in whole ldap, we have had 
some entries with 'nsunique-$HASH' after the 'normal' name. We have 
deleted them.

MfG
Christoph Kaminski


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150529/39cb0c0a/attachment.htm>

More information about the Freeipa-users mailing list