[Freeipa-users] Cleaning Up an Unholy Mess

Mark Reynolds mareynol at redhat.com
Thu Aug 25 22:10:30 UTC 2016



On 08/25/2016 02:04 PM, Ian Harding wrote:
>
> On 08/25/2016 10:41 AM, Rob Crittenden wrote:
>> Ian Harding wrote:
>>>
>>> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>>>> Ian Harding wrote:
>>>>> I tried to simply uninstall and reinstall freeipa-dal and this
>>>>> happened.
>>>>>
>>>>> It only had a replication agreement with freeipa-sea
>>>>>
>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>
>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>> configuration!
>>>>>
>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>> [no]: yes
>>>>> Shutting down all IPA services
>>>>> Removing IPA client configuration
>>>>> Unconfiguring ntpd
>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>> Unconfiguring CA
>>>>> Unconfiguring named
>>>>> Unconfiguring ipa-dnskeysyncd
>>>>> Unconfiguring web server
>>>>> Unconfiguring krb5kdc
>>>>> Unconfiguring kadmin
>>>>> Unconfiguring directory server
>>>>> Unconfiguring ipa_memcached
>>>>> Unconfiguring ipa-otpd
>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>
>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>> configuration!
>>>>>
>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>> [no]: yes
>>>>>
>>>>> WARNING: Failed to connect to Directory Server to find information about
>>>>> replication agreements. Uninstallation will continue despite the possible
>>>>> existing replication agreements.
>>>>> Shutting down all IPA services
>>>>> Removing IPA client configuration
>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>>>> You should remove it before proceeding:
>>>>>       % ipa host-del freeipa-dal.bpt.rocks
>>>>> [root@freeipa-dal ianh]#
>>>>>
>>>>> So I tried to delete it again with --force
>>>>>
>>>>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>>>>> freeipa-dal.bpt.rocks
>>>>> Directory Manager password:
>>>>>
>>>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>>>> 'freeipa-dal.bpt.rocks'
>>>>> [root@freeipa-sea ianh]#
>>>>>
>>>>> Can't delete it from the master server either
>>>>>
>>>>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>>>> disabled
>>>>>
>>>>>
>>>>> Now what?  I'm running out of things that work.
>>>> Not sure what version of IPA you have but try:
>>>>
>>>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>>>
>>>> If this had a CA on it then you'll want to ensure that any replication
>>>> agreements it had have been removed as well.
>>>>
>>>> rob
>>>>
>>> It turns out I'm not smart enough to untangle this mess.
>>>
>>> Is there any way to kind of start over?  I managed to delete and
>>> recreate a couple replicas but the problems (obsolete ruv as far as I
>>> can tell) carry on with the new replicas.  They won't even replicate
>>> back to the master they were created from.
>> Once you have the right version of 389-ds then cleanruv tasks work
>> a lot better. What version are you running now?
> 1.3.4.0. 
Ian,

Can you give the exact version please?  rpm -qa | grep 389-ds-base

Thanks,
Mark
>  It's handcuffed to my CentOS 7 so I don't want to update it
> outside the CentOS ecosystem.  What's the downside of upgrading it from
> source or an RPM for a different flavor of RedHat derived Linux?
>
> I'm a one-man band but I'd be interested in hearing a pitch from someone
> who is super smart on this stuff for a working consulting gig and maybe
> ongoing support.  Who would I talk to at RedHat about coming in from the
> cold for full on corporate support?
>
> Thanks!
>
>>> Basically, is there a way to do a fresh install of FreeIPA server, and
>>> do a dump/restore of data from my existing messed up install?
>> Not really, no. You can migrate IPA to IPA but only users and groups and
>> you lose private groups for existing users (they become regular POSIX
>> groups).
>>
>> rob
>>



