[Freeipa-users] Zombie Replica !

Ludwig Krispenz lkrispen at redhat.com
Thu Apr 7 07:42:37 UTC 2016


On 04/07/2016 07:23 AM, Prashant Bapat wrote:
> What I have done now was to add a new server, ipa02 and configured 
> replication again and things are fine.
>
> However on IPA1 the 389 ds error logs have reference to the dead ipa2 
> replica.
>
> [07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - 
> agmt="cn=meToipa2.example.net" 
> (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 
> (Can't contact LDAP server) ()
> [07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV 
> Task (rid 6): Failed to connect to 
> replica(agmt="cn=meToipa2.example.net" 
> (ipa2:389)).
> [07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV 
> Task (rid 6): Retrying in 14400 seconds
>
> It will never be able to connect to ipa2 as it's gone permanently. 
> Also the ipa-replica-manage list `hostname` command still shows the 
> ipa2 as replica.
>
> How to remove this permanently ???
I don't know why you did get into this state, ipa-replica-manage del 
should have removed the agreement. You can do it by directly deleting it 
in DS:
- get the full dn of the agreement
ldapsearch ..... -D "cn=directory manager" -w .... -b cn=config "cn=meToipa2.example.net" dn
it should return an entry with
dn: <agreement dn>

then do a delete

ldapmodify ..... -D "cn=directory manager" -w ....
dn: <agreement dn>
changetype: delete

>
> Thanks.
> --Prashant
>
> On 6 April 2016 at 22:17, Prashant Bapat <prashant at apigee.com> wrote:
>
>     # ipa-replica-manage list `hostname`
>     ipa2.example.net: replica
>     ipa3.example.net: replica
>     ipa4.example.net: replica
>
>     ipa2.example.net should not be there.
>     How do I remove it?
>
>     On 6 April 2016 at 18:55, Rob Crittenden <rcritten at redhat.com> wrote:
>
>         Prashant Bapat wrote:
>
>             Hi,
>
>             We had 4 IPA servers in master master mode with all of
>             them connected to
>             each other.
>
>             IPA1 <---->  IPA2 (colo 1)
>             IPA3 <---->  IPA4 (colo 2)
>
>             One of the replica servers (IPA2) had to be rebuilt.
>
>             So I went ahead and used below commands.
>
>             ipa-replica-manage disconnect IPA2 IPA3
>             ipa-replica-manage disconnection IPA2 IPA4
>             ipa-replica-manage del IPA2 (to remove it on IPA1).
>
>             And then ran ipa-server-install --uninstall on IPA2.
>
>             Created the replica info file using ipa-replica-prepare IPA2.
>
>             When I tried to run ipa-replica-install on IPA2, it says
>
>             A replication agreement for this host already exists. It
>             needs to be
>             removed.
>             Run this on the master that generated the info file:
>                  % ipa-replica-manage del ipa2.example.net --force
>
>             Now on IPA1, no matter what I do it still has references
>             to IPA2.
>
>             So far I have tried the following.
>
>              1. ipa-replica-manage del --force IPA2
>              2. ipa-replica-manage del --force --cleanruv IPA2
>              3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w - -b "dc=example,dc=net" -r 6
>
>
>             Got the rid = 6 by running
>             ldapsearch -Y GSSAPI -b "dc=example,dc=net"
>             '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>             nsds50ruv
>
>             In the directory server logs, I guess it's still trying to
>             connect to
>             IPA2 and failing. Below are some lines.
>
>             [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin -
>             agmt="cn=meToipa2.example.net" (ipa2:389):
>             Replication bind with GSSAPI auth failed: LDAP error -1
>             (Can't contact
>             LDAP server) ()
>             [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin -
>             CleanAllRUV Task
>             (rid 6): Replica not online (agmt="cn=meToipa2.example.net"
>             (ipa2:389))
>             [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin -
>             CleanAllRUV Task
>             (rid 6): Not all replicas online, retrying in 2560 seconds...
>
>             Any pointers would be helpful.
>
>
>         On ipa1 run:
>
>         % ipa-replica-manage list -v `hostname`
>
>         This will give the list of actual agreements and their status.
>
>         rob
>
>
>
>
>

-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
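
Added example, not part of the original message and not FreeIPA or 389 DS tooling: a shell helper for the search-then-delete procedure in the reply above. It unfolds the LDIF that ldapsearch returns, picks out the agreement dn, and emits the delete LDIF only when exactly one agreement matches. The function names are hypothetical and the sample search output (including the agreement dn layout) is constructed.

```shell
#!/bin/sh
# Added example: build the delete LDIF from the agreement search output.
# Function names are hypothetical; SAMPLE_LDIF is constructed, not real output.

# ldapsearch folds long LDIF lines; a continuation line starts with ONE space.
# Agreement dns under cn=config are long enough to be folded, so a dn copied
# from the first line alone is truncated. (OpenLDAP's ldapsearch accepts
# -o ldif-wrap=no to turn folding off.)
SAMPLE_LDIF='dn: cn=meToipa2.example.net,cn=replica,cn=dc\3Dexample\2Cdc\3Dnet,cn=mapping t
 ree,cn=config

dn: cn=meToipa3.example.net,cn=replica,cn=dc\3Dexample\2Cdc\3Dnet,cn=mapping t
 ree,cn=config
'

# Join folded lines: append each continuation, minus its one leading space,
# to the line before it.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# $1 = agreement cn (e.g. meToipa2.example.net); LDIF on stdin.
# Prints every dn whose first RDN is cn=$1, compared literally, ignoring case.
agreement_dns() {
    unfold_ldif | awk -v want="dn: cn=$1," '
        tolower(substr($0, 1, length(want))) == tolower(want) { print substr($0, 5) }'
}

# Emit the ldapmodify input; refuse when zero or several agreements match,
# so a loose search cannot delete the wrong entry.
delete_ldif() {
    dns=$(agreement_dns "$1")
    [ -n "$dns" ] || { echo "no agreement named $1" >&2; return 1; }
    [ "$(printf '%s\n' "$dns" | grep -c '')" -eq 1 ] ||
        { echo "more than one agreement named $1" >&2; return 1; }
    printf 'dn: %s\nchangetype: delete\n' "$dns"
}

# Demo on the constructed sample.
printf '%s' "$SAMPLE_LDIF" | delete_ldif meToipa2.example.net
```

With real output, pipe the ldapsearch from the reply into delete_ldif and read the result before handing it to ldapmodify.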
