[Freeipa-users] Zombie Replica !

Rob Crittenden rcritten at redhat.com
Wed Apr 6 13:25:05 UTC 2016


Prashant Bapat wrote:
> Hi,
>
> We had 4 IPA servers in master master mode with all of them connected to
> each other.
>
> IPA1 <---->  IPA2 (colo 1)
> IPA3 <---->  IPA4 (colo 2)
>
> One of the replica servers (IPA2) had to be rebuilt.
>
> So I went ahead and used below commands.
>
> ipa-replica-manage disconnect IPA2 IPA3
> ipa-replica-manage disconnection IPA2 IPA4
> ipa-replica-manage del IPA2 (to remove it on IPA1).
>
> And then ran ipa-server-install --uninstall on IPA2.
>
> Created the replica info file using ipa-replica-prepare IPA2.
>
> When I tried to run ipa-replica-install on IPA2, it says
>
> A replication agreement for this host already exists. It needs to be
> removed.
> Run this on the master that generated the info file:
>      % ipa-replica-manage del ipa2.example.net --force
>
> Now on IPA1, no matter what I do it still has references to IPA2.
>
> So far I have tried the following.
>
>  1. ipa-replica-manage del --force IPA2
>  2. ipa-replica-manage del --force --cleanruv IPA2
>  3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w - -b "dc=example,dc=net" -r 6
>
>
> Got the rid = 6 by running
> ldapsearch -Y GSSAPI -b "dc=example,dc=net"
> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
> nsds50ruv
>
> In the directory server logs, I guess it's still trying to connect to
> IPA2 and failing. Below are some lines.
>
> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Not all replicas online, retrying in 2560 seconds...
>
> Any pointers would be helpful.

On ipa1 run:

% ipa-replica-manage list -v `hostname`

This will give the list of actual agreements and their status.

rob
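
An added example, not part of the original thread or of FreeIPA: a small Python parser for the directory server error-log lines quoted above. It reports which replication agreement each CleanAllRUV task is waiting on, which can then be compared with the agreements that `ipa-replica-manage list -v` shows. The sample log is constructed from the quoted lines, and the function name and result layout are assumptions.

```python
import re

# Constructed sample, modelled on the error-log lines quoted in the thread
# (mail line wraps joined, archive link residue removed).
SAMPLE_LOG = """\
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Not all replicas online, retrying in 2560 seconds...
"""

TS = r'^\[(?P<ts>[^\]]+)\] NSMMReplicationPlugin - '
AGMT = r'agmt="cn=(?P<agmt>[^"]+)" \((?P<peer>[^)]+)\)'
BIND_FAIL = re.compile(TS + AGMT + r': Replication bind with \S+ auth failed: (?P<err>.*)$')
OFFLINE = re.compile(TS + r'CleanAllRUV Task \(rid (?P<rid>\d+)\): '
                     r'Replica not online \(' + AGMT + r'\)$')
RETRY = re.compile(TS + r'CleanAllRUV Task \(rid (?P<rid>\d+)\): '
                   r'Not all replicas online, retrying in (?P<secs>\d+) seconds')


def summarize(log_text):
    """Return bind failures per agreement and CleanAllRUV tasks that cannot finish."""
    bind_failures = {}   # agreement name -> number of failed binds
    stuck_tasks = {}     # replica id -> agreements blocking the task, last retry delay
    for line in log_text.splitlines():
        m = BIND_FAIL.match(line)
        if m:
            bind_failures[m['agmt']] = bind_failures.get(m['agmt'], 0) + 1
            continue
        m = OFFLINE.match(line)
        if m:
            task = stuck_tasks.setdefault(
                int(m['rid']), {'blocked_by': set(), 'retry_secs': None})
            task['blocked_by'].add(m['agmt'])
            continue
        m = RETRY.match(line)
        if m:
            task = stuck_tasks.setdefault(
                int(m['rid']), {'blocked_by': set(), 'retry_secs': None})
            task['retry_secs'] = int(m['secs'])
    return {'bind_failures': bind_failures, 'stuck_tasks': stuck_tasks}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for rid, task in report['stuck_tasks'].items():
        print(f"rid {rid}: waiting on {sorted(task['blocked_by'])}, "
              f"next retry in {task['retry_secs']}s")
```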



