[Freeipa-users] last step in retiring old RHEL 6 (IPA 3.0.0) servers

Petr Vobornik pvoborni at redhat.com
Thu Sep 17 11:58:42 UTC 2015 

On 09/17/2015 01:15 PM, Martin Kosek wrote:
> On 09/16/2015 06:54 PM, Craig White wrote:
>> Virtually completed the steps listed here...
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/migrating-ipa-proc.html
>>
>> Managed to get IPA2 deleted and removed from 'ipa-replica-manage list' so now it is down to IPA1. No amount of effort will seem to kill that sucker off.
>>
>> ipa-replica-manage del ipa1.stt.local --force
>> Connection to 'ipa1.stt.local' failed:
>> Forcing removal of ipa1.stt.local
>> Skipping calculation to determine if one or more masters would be orphaned.
>> No RUV records found.
>>
>> $ ipa-replica-manage del ipa1.stt.local --force -c
>> Connection to 'ipa1.stt.local' failed:
>> Forcing removal of ipa1.stt.local
>> Skipping calculation to determine if one or more masters would be orphaned.
>> No RUV records found.
>>
>> $ ipa-replica-manage list
>> ipa1.stt.local: master
>> ipa3.stt.local: master
>> ipa4.stt.local: master
>>
>> Obviously connection to ipa1 failed because in previous step, I had to shut it down on ipa1 (ipactl stop)
>>
>> What's the trick to get rid of an old, discontinued 'master' ?
>>
>> Craig White
>
> Quickly looking at ipa-replica-manage code, the del command will end if there
> is no RUV. So it seems that in some of your previous RUV was deleted, but
> server record was not.
>
> What does
> # ipa-replica-manage list-ruv
> show?
>
> Petr or Honza, is the only option here to
> 1) Use ldapdelete to delete the master record in cn=masters as a hotfix for
> this issue

It will fix the replica manage output but replica cleanup does more 
things than just a removal of master entry. It also:
     deletes services of the host
     removes s4u2proxy configuration
     removes some ACIs

More info:
https://git.fedorahosted.org/cgit/freeipa.git/tree/ipaserver/install/replication.py#n1185


> 2) File a ticket to avoid get_ruv function exit the whole "del" command when
> --force is in play to fix this long-term

https://fedorahosted.org/freeipa/ticket/5307

>
>>

-- 
Petr Vobornik

More information about the Freeipa-users mailing list