[Freeipa-users] Cleanly Removing a Stubborn IPA Replica Server

Traiano Welcome traiano at gmail.com
Thu Sep 17 11:21:35 UTC 2015


Hi All

I'm trying to delete replication agreements between a 'master' ipa server and
a replica, but it seems the directory server has gotten into a state where the
replication agreements can't be removed (or some other stale meta-data is
still hanging around).

(CentOS Linux release 7.1.1503, IPA VERSION: 4.1.0, API_VERSION: 2.112)

When I try to delete replication agreements between master and replica, I get:

---
[root at lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for
'lolsitepr-idm-slve.ipa.local'
---

However, attempts to re-add the replica with ipa-replica-install ... fail
with "The host lolsitepr-idm-slve.ipa.local already exists on the master server".

Here is the process I'm following to try and delete the replication
agreements:

Try to disconnect the ipa master and replica:

---
[root at lolpr-idm-mstr ~]#
[root at lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for
'lolsitepr-idm-slve.ipa.local'
[root at lolpr-idm-mstr ~]#
---

After re-generating the new .gpg for the replica, copying it to the
ipa replica server, try to re-create the ipa replica:

---
[root at lolsitepr-idm-slve ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-lolsitepr-idm-slve.ipa.local.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'lolpr-idm-mstr.ipa.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin at IDM.LOCAL password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'lolsitepr-idm-slve.ipa.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Using reverse zone(s) xxx.yy.zzz.in-addr.arpa.
The host lolsitepr-idm-slve.ipa.local already exists on the master server.
You should remove it before proceeding:
    % ipa host-del lolsitepr-idm-slve.ipa.local
---

Trying to run "ipa host-del lolsitepr-idm-slve.ipa.local" on the
'master' replica server:

---
[root at lolpr-idm-mstr ~]# ipa host-del lolsitepr-idm-slve.ipa.local
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
[root at lolpr-idm-mstr ~]#
---

This makes no sense to me. Are there differences in the versions of IPA
between the two hosts? No:

---

Replica:

[root at lolsitepr-idm-slve ~]# rpm -qa | grep ipa
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.3.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
iniparser-3.1-5.el7.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64

Master:

[root at lolpr-idm-mstr ~]# rpm -qa | grep ipa
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.3.x86_64
iniparser-3.1-5.el7.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
---

So I tried using ipa-replica-manage disconnect:

---
[root at lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for
'lolsitepr-idm-slve.ipa.local'
[root at lolpr-idm-mstr ~]#
---

How do I force delete the replication agreements between the two hosts
in this case?

Thanks in advance for any help!

Traiano
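The two symptoms in the post (no replication agreement left, yet the host is still treated as an IPA master) point at two different places in the directory, and it helps to look at both before forcing anything. The script below is an added example, not part of the original post or of the FreeIPA project: it parses LDIF such as ldapsearch -LLL prints and compares the replication agreements under cn=mapping tree,cn=config (objectClass nsds5replicationagreement, attribute nsDS5ReplicaHost) with the entries under cn=masters,cn=ipa,cn=etc,<suffix>, which is the list that makes ipa host-del refuse with "An IPA master host cannot be deleted or disabled". The sample LDIF and the host names are constructed to mirror the thread; the suffix dc=ipa,dc=local is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of what ldapsearch -LLL would return for two searches
# (assumed invocations, run as Directory Manager on the master):
#   ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=config \
#       "(objectClass=nsds5replicationagreement)"
#   ldapsearch -LLL -D "cn=Directory Manager" -W \
#       -b cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local "(cn=*)"
# The agreement for lolsitepr-idm-slve is deliberately absent while its
# cn=masters entry is still present, reproducing the state in the post.
SAMPLE_LDIF = """
dn: cn=meTololother.ipa.local,cn=replica,cn=dc\\3Dipa\\2Cdc\\3Dlocal,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meTololother.ipa.local
nsDS5ReplicaHost: lolother.ipa.local
nsDS5ReplicaPort: 389

dn: cn=lolpr-idm-mstr.ipa.local,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
objectClass: nsContainer
cn: lolpr-idm-mstr.ipa.local

dn: cn=lolsitepr-idm-slve.ipa.local,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
objectClass: nsContainer
cn: lolsitepr-idm-slve.ipa.local

dn: cn=lolother.ipa.local,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=local
objectClass: nsContainer
cn: lolother.ipa.local
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries are blank-line separated, attribute names
    are case-insensitive, and a line starting with a space continues the
    previous one (LDIF folding). Base64 (::) values are not needed here."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries.append(attrs)
    return entries


def find_stale_masters(ldif_text, local_host):
    """Return the hosts recorded under cn=masters that the local server holds
    no replication agreement for (the local host itself is excluded)."""
    agreement_hosts = set()
    masters = set()
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        dn = entry["dn"][0].lower()
        if "nsds5replicationagreement" in classes:
            agreement_hosts.update(h.lower() for h in entry.get("nsds5replicahost", []))
        elif ",cn=masters,cn=ipa,cn=etc," in dn:
            masters.update(c.lower() for c in entry.get("cn", []))
    stale = sorted(m for m in masters
                   if m != local_host.lower() and m not in agreement_hosts)
    return {"masters": sorted(masters),
            "agreements": sorted(agreement_hosts),
            "stale": stale}


if __name__ == "__main__":
    report = find_stale_masters(SAMPLE_LDIF, "lolpr-idm-mstr.ipa.local")
    print("masters registered:   ", ", ".join(report["masters"]))
    print("agreements from here: ", ", ".join(report["agreements"]))
    for host in report["stale"]:
        print(f"stale: {host} is listed in cn=masters but has no agreement")
```

A host that shows up as stale here is exactly the case the post describes: ipa-replica-manage disconnect finds nothing to remove because the agreement is already gone, while ipa host-del is blocked because the cn=masters entry remains. That entry is what ipa-replica-manage del <host> (with --force when the other side is unreachable) is meant to remove, so checking it first shows whether a forced delete is the right next step or whether the agreement really still exists under a different name. On a real server, replace SAMPLE_LDIF with the concatenated output of the two searches in the comment.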
