[Freeipa-users] Zombie Replica !

Prashant Bapat prashant at apigee.com
Thu Apr 7 09:25:05 UTC 2016


Thank you very much! That does it.

On 7 April 2016 at 13:12, Ludwig Krispenz <lkrispen at redhat.com> wrote:

>
> On 04/07/2016 07:23 AM, Prashant Bapat wrote:
>
> What I have done now was to add a new server, ipa02 and configured
> replication again and things are fine.
>
> However on IPA1 the 389 ds error logs have reference to the dead ipa2
> replica.
>
> [07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - agmt="cn=
> meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth
> failed: LDAP error -1 (Can't contact LDAP server) ()
> [07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV
> Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net"
> (ipa2:389)).
> [07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV
> Task (rid 6): Retrying in 14400 seconds
>
> It will never be able to connect to ipa2 as it's gone permanently. Also the
> ipa-replica-manage list `hostname` command still shows ipa2 as a
> replica.
>
> How to remove this permanently ???
>
> I don't know why you did get into this state, ipa-replica-manage del
> should have removed the agreement. You can do it by directly deleting it in
> DS:
> - get the full dn of the agreement
> ldapsearch ..... -D "cn=directory manager" -w .... -b cn=config "cn=meToipa2.example.net" dn
> it should return an entry with
> dn: <agreement dn>
>
> then do a delete
>
> ldapmodify ..... -D "cn=directory manager" -w ....
> dn: <agreement dn>
> changetype: delete
>
>
> Thanks.
> --Prashant
>
> On 6 April 2016 at 22:17, Prashant Bapat <prashant at apigee.com> wrote:
>
>> # ipa-replica-manage list `hostname`
>> ipa2.example.net: replica
>> ipa3.example.net: replica
>> ipa4.example.net: replica
>>
>> ipa2.example.net should not be there. How do I remove it?
>>
>> On 6 April 2016 at 18:55, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Prashant Bapat wrote:
>>>
>>>> Hi,
>>>>
>>>> We had 4 IPA servers in master master mode with all of them connected to
>>>> each other.
>>>>
>>>> IPA1 <---->  IPA2 (colo 1)
>>>> IPA3 <---->  IPA4 (colo 2)
>>>>
>>>> One of the replica servers (IPA2) had to be rebuilt.
>>>>
>>>> So I went ahead and used the commands below.
>>>>
>>>> ipa-replica-manage disconnect IPA2 IPA3
>>>> ipa-replica-manage disconnect IPA2 IPA4
>>>> ipa-replica-manage del IPA2 (to remove it on IPA1).
>>>>
>>>> And then ran ipa-server-install --uninstall on IPA2.
>>>>
>>>> Created the replica info file using ipa-replica-prepare IPA2.
>>>>
>>>> When I tried to run ipa-replica-install on IPA2, it says
>>>>
>>>> A replication agreement for this host already exists. It needs to be
>>>> removed.
>>>> Run this on the master that generated the info file:
>>>>      % ipa-replica-manage del ipa2.example.net --force
>>>>
>>>> Now on IPA1, no matter what I do it still has references to IPA2.
>>>>
>>>> So far I have tried the following.
>>>>
>>>>  1. ipa-replica-manage del --force IPA2
>>>>  2. ipa-replica-manage del --force --cleanruv IPA2
>>>>  3. /usr/sbin/cleanallruv.pl -D "cn=directory
>>>>     manager" -w - -b "dc=example,dc=net" -r 6
>>>>
>>>>
>>>> Got the rid = 6 by running
>>>> ldapsearch -Y GSSAPI -b "dc=example,dc=net"
>>>>
>>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>>> nsds50ruv
>>>>
>>>> In the directory server logs, I guess it's still trying to connect to
>>>> IPA2 and failing. Below are some lines.
>>>>
>>>> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin -
>>>> agmt="cn=meToipa2.example.net" (ipa2:389):
>>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>>>> LDAP server) ()
>>>> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task
>>>> (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
>>>> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task
>>>> (rid 6): Not all replicas online, retrying in 2560 seconds...
>>>>
>>>> Any pointers would be helpful.
>>>>
>>>
>>> On ipa1 run:
>>>
>>> % ipa-replica-manage list -v `hostname`
>>>
>>> This will give the list of actual agreements and their status.
>>>
>>> rob
>>>
>>>
>>
>
>
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
>
>
>
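
Added example, not part of the original thread and not FreeIPA or 389 DS code: a small Python check that scans a 389 DS error log for the pattern seen above, where a replication agreement both fails to bind ("Can't contact LDAP server") and blocks a CleanAllRUV task. The function name and the sample log (unwrapped copies of the lines quoted above plus one constructed ipa3 line) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the ipa2 lines mirror the thread (one event per line);
# the ipa3 line is invented to show a peer that is NOT flagged.
SAMPLE_LOG = """\
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net" (ipa2:389)).
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Retrying in 14400 seconds
[07/Apr/2016:04:13:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa3.example.net" (ipa3:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
"""

AGMT = re.compile(r'agmt="cn=([^"]+)"\s+\(([^)]+)\)')   # agreement cn and host:port
RID = re.compile(r"CleanAllRUV Task \(rid (\d+)\)")      # also matches "Abort CleanAllRUV Task"
BIND_FAIL = "Can't contact LDAP server"


def find_stale_agreements(log_text):
    """Return {agreement cn: stats} for agreements that fail to bind AND
    hold up a CleanAllRUV task, i.e. candidates for a leftover agreement."""
    stats = defaultdict(lambda: {"bind_failures": 0, "blocked_rids": set()})
    for line in log_text.splitlines():
        if "NSMMReplicationPlugin" not in line:
            continue
        agmt = AGMT.search(line)
        if not agmt:
            continue  # e.g. "Retrying in N seconds" names no agreement
        entry = stats[agmt.group(1)]
        entry["peer"] = agmt.group(2)
        if BIND_FAIL in line:
            entry["bind_failures"] += 1
        rid = RID.search(line)
        if rid:
            entry["blocked_rids"].add(int(rid.group(1)))
    # A bind failure alone can be a transient outage; require both signals.
    return {cn: e for cn, e in stats.items()
            if e["bind_failures"] and e["blocked_rids"]}


if __name__ == "__main__":
    for cn, e in find_stale_agreements(SAMPLE_LOG).items():
        print(f"{cn} ({e['peer']}): rids {sorted(e['blocked_rids'])}, "
              f"look up with filter (cn={cn}) under cn=config")
```

A flagged name is only a candidate: confirm that the host is really gone before deleting the agreement entry as described in the reply above.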