[Freeipa-users] Cleaning Up an Unholy Mess

Rob Crittenden rcritten at redhat.com
Thu Aug 25 17:41:58 UTC 2016


Ian Harding wrote:
>
>
> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>> Ian Harding wrote:
>>> I tried to simply uninstall and reinstall freeipa-dal and this happened.
>>>
>>> It only had a replication agreement with freeipa-sea
>>>
>>> [root at freeipa-dal ianh]# ipa-server-install --uninstall
>>>
>>> This is a NON REVERSIBLE operation and will delete all data and
>>> configuration!
>>>
>>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>> Shutting down all IPA services
>>> Removing IPA client configuration
>>> Unconfiguring ntpd
>>> Configuring certmonger to stop tracking system certificates for KRA
>>> Configuring certmonger to stop tracking system certificates for CA
>>> Unconfiguring CA
>>> Unconfiguring named
>>> Unconfiguring ipa-dnskeysyncd
>>> Unconfiguring web server
>>> Unconfiguring krb5kdc
>>> Unconfiguring kadmin
>>> Unconfiguring directory server
>>> Unconfiguring ipa_memcached
>>> Unconfiguring ipa-otpd
>>> [root at freeipa-dal ianh]# ipa-server-install --uninstall
>>>
>>> This is a NON REVERSIBLE operation and will delete all data and
>>> configuration!
>>>
>>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>>
>>> WARNING: Failed to connect to Directory Server to find information about
>>> replication agreements. Uninstallation will continue despite the possible
>>> existing replication agreements.
>>> Shutting down all IPA services
>>> Removing IPA client configuration
>>> Configuring certmonger to stop tracking system certificates for KRA
>>> Configuring certmonger to stop tracking system certificates for CA
>>> [root at freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>> Directory Manager (existing master) password:
>>>
>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>> You should remove it before proceeding:
>>>       % ipa host-del freeipa-dal.bpt.rocks
>>> [root at freeipa-dal ianh]#
>>>
>>> So I tried to delete it again with --force
>>>
>>> [root at freeipa-sea ianh]# ipa-replica-manage --force del
>>> freeipa-dal.bpt.rocks
>>> Directory Manager password:
>>>
>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>> 'freeipa-dal.bpt.rocks'
>>> [root at freeipa-sea ianh]#
>>>
>>> Can't delete it from the master server either
>>>
>>> [root at seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>> disabled
>>>
>>>
>>> Now what?  I'm running out of things that work.
>>
>> Not sure what version of IPA you have but try:
>>
>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>
>> If this had a CA on it then you'll want to ensure that any replication
>> agreements it had have been removed as well.
>>
>> rob
>>
>
> It turns out I'm not smart enough to untangle this mess.
>
> Is there any way to kind of start over?  I managed to delete and
> recreate a couple replicas but the problems (obsolete ruv as far as I
> can tell) carry on with the new replicas.  They won't even replicate
> back to the master they were created from.

Once you have the right version of 389-ds then cleanruv tasks work
a lot better. What version are you running now?

> Basically, is there a way to do a fresh install of FreeIPA server, and
> do a dump/restore of data from my existing messed up install?

Not really, no. You can migrate IPA to IPA but only users and groups and 
you lose private groups for existing users (they become regular POSIX 
groups).

rob



