[Freeipa-users] Server removal aborted: Deleting this server is not allowed as it would leave your installation without a CA
Florence Blanc-Renaud
flo at redhat.com
Tue Dec 6 07:35:00 UTC 2016
On 12/05/2016 08:15 PM, Robert Kudyba wrote:
> Are there instructions to manually uninstall? I’m getting the below errors.
>
> ipa-server-install -U --uninstall
> ipa.ipapython.install.cli.uninstall_tool(Server): ERROR Server
> removal aborted: Deleting this server is not allowed as it would leave
> your installation without a CA..
> ipa.ipapython.install.cli.uninstall_tool(Server): ERROR The
> ipa-server-install command failed. See /var/log/ipaserver-uninstall.log
> for more information
> [root at trill ~]# cat /var/log/ipaserver-uninstall.log
> 2016-12-05T19:13:45Z DEBUG Logging to /var/log/ipaserver-uninstall.log
> 2016-12-05T19:13:45Z DEBUG ipa-server-install was invoked with arguments
> [] and options: {'no_dns_sshfp': None, 'ignore_topology_disconnect':
> None, 'verbose': False, 'ip_addresses': None, 'domainlevel': None,
> 'mkhomedir': None, 'no_pkinit': None, 'http_cert_files': None, 'no_ntp':
> None, 'subject': None, 'no_forwarders': None, 'external_ca_type': None,
> 'ssh_trust_dns': None, 'domain_name': None, 'idmax': None,
> 'http_cert_name': None, 'dirsrv_cert_files': None,
> 'no_dnssec_validation': None, 'ca_signing_algorithm': None,
> 'no_reverse': None, 'pkinit_cert_files': None, 'unattended': True,
> 'auto_reverse': None, 'auto_forwarders': None, 'no_host_dns': None,
> 'no_sshd': None, 'no_ui_redirect': None, 'ignore_last_of_role': None,
> 'realm_name': None, 'forwarders': None, 'idstart': None, 'external_ca':
> None, 'pkinit_cert_name': None, 'no_ssh': None, 'external_cert_files':
> None, 'no_hbac_allow': None, 'forward_policy': None, 'dirsrv_cert_name':
> None, 'ca_cert_files': None, 'zonemgr': None, 'quiet': False,
> 'setup_dns': None, 'host_name': None, 'dirsrv_config_file': None,
> 'log_file': None, 'reverse_zones': None, 'allow_zone_overlap': None,
> 'uninstall': True}
> 2016-12-05T19:13:45Z DEBUG IPA version 4.4.2-1.fc25
> 2016-12-05T19:13:45Z DEBUG Starting external process
> 2016-12-05T19:13:45Z DEBUG args=/usr/sbin/selinuxenabled
> 2016-12-05T19:13:45Z DEBUG Process finished, return code=0
> 2016-12-05T19:13:45Z DEBUG stdout=
> 2016-12-05T19:13:45Z DEBUG stderr=
> 2016-12-05T19:13:45Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-12-05T19:13:45Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2016-12-05T19:13:45Z DEBUG httpd is configured
> 2016-12-05T19:13:45Z DEBUG kadmin is configured
> 2016-12-05T19:13:45Z DEBUG dirsrv is configured
> 2016-12-05T19:13:45Z DEBUG pki-tomcatd is configured
> 2016-12-05T19:13:45Z DEBUG install is not configured
> 2016-12-05T19:13:45Z DEBUG krb5kdc is configured
> 2016-12-05T19:13:45Z DEBUG ntpd is configured
> 2016-12-05T19:13:45Z DEBUG named is not configured
> 2016-12-05T19:13:45Z DEBUG ipa_memcached is configured
> 2016-12-05T19:13:45Z DEBUG filestore has files
> 2016-12-05T19:13:45Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2016-12-05T19:13:45Z DEBUG Loading StateFile from
> '/var/lib/ipa/sysrestore/sysrestore.state'
> 2016-12-05T19:13:45Z DEBUG importing all plugin modules in
> ipaserver.plugins...
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.aci
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.automember
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.automount
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.baseldap
> 2016-12-05T19:13:45Z DEBUG ipaserver.plugins.baseldap is not a valid
> plugin module
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.baseuser
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.batch
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.ca
> <http://ipaserver.plugins.ca>
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.caacl
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.cert
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.certprofile
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.config
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.delegation
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.dns
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.dnsserver
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.dogtag
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.domainlevel
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.group
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.hbac
> 2016-12-05T19:13:45Z DEBUG ipaserver.plugins.hbac is not a valid plugin
> module
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.hbacrule
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.hbacsvc
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.hbacsvcgroup
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.hbactest
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.host
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.hostgroup
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.idrange
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.idviews
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.internal
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.join
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.krbtpolicy
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.ldap2
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.location
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.migration
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.misc
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.netgroup
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.otp
> 2016-12-05T19:13:45Z DEBUG ipaserver.plugins.otp is not a valid plugin
> module
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.otpconfig
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.otptoken
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.passwd
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.permission
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.ping
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.pkinit
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.privilege
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.pwpolicy
> 2016-12-05T19:13:45Z DEBUG Starting external process
> 2016-12-05T19:13:45Z DEBUG args=klist -V
> 2016-12-05T19:13:45Z DEBUG Process finished, return code=0
> 2016-12-05T19:13:45Z DEBUG stdout=Kerberos 5 version 1.14.4
>
> 2016-12-05T19:13:45Z DEBUG stderr=
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.rabase
> 2016-12-05T19:13:45Z DEBUG ipaserver.plugins.rabase is not a valid
> plugin module
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.radiusproxy
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.realmdomains
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.role
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.schema
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.selfservice
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.selinuxusermap
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.server
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.serverrole
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.serverroles
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.service
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.servicedelegation
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.session
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.stageuser
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.sudo
> 2016-12-05T19:13:45Z DEBUG ipaserver.plugins.sudo is not a valid plugin
> module
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.sudocmd
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.sudocmdgroup
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.sudorule
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.topology
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.trust
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.user
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.vault
> 2016-12-05T19:13:45Z DEBUG importing plugin module ipaserver.plugins.virtual
> 2016-12-05T19:13:45Z DEBUG ipaserver.plugins.virtual is not a valid
> plugin module
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.plugins.xmlserver
> 2016-12-05T19:13:45Z DEBUG importing all plugin modules in
> ipaserver.install.plugins...
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.adtrust
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.ca
> <http://ipaserver.install.plugins.ca>_renewal_master
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.dns
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.fix_replica_agreements
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.rename_managed
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_ca_topology
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_idranges
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_managed_permissions
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_nis
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_pacs
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_passsync
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_referint
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_services
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.update_uniqueness
> 2016-12-05T19:13:45Z DEBUG importing plugin module
> ipaserver.install.plugins.upload_cacrt
> 2016-12-05T19:13:47Z DEBUG Created connection context.ldap2_140085126450512
> 2016-12-05T19:13:47Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-CIS-FORDHAM-EDU.socket from SchemaCache
> 2016-12-05T19:13:47Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-CIS-FORDHAM-EDU.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f681ba2d518>
> 2016-12-05T19:13:47Z DEBUG flushing
> ldapi://%2fvar%2frun%2fslapd-CIS-FORDHAM-EDU.socket from SchemaCache
> 2016-12-05T19:13:47Z DEBUG retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-CIS-FORDHAM-EDU.socket
> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f681ba87e60>
> 2016-12-05T19:13:47Z DEBUG raw: server_del((u'trill.cis.fordham.edu',),
> ignore_topology_disconnect=False, ignore_last_of_role=False, force=True,
> version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG server_del((u'trill.cis.fordham.edu',),
> continue=False, ignore_topology_disconnect=False,
> ignore_last_of_role=False, force=True, version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG raw: server_find(u'', sizelimit=0,
> version=u'2.215', no_members=False)
> 2016-12-05T19:13:47Z DEBUG server_find(None, sizelimit=0, all=False,
> raw=False, version=u'2.215', no_members=False, pkey_only=False)
> 2016-12-05T19:13:47Z DEBUG raw: topologysuffix_find(None, all=True,
> raw=True, version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG topologysuffix_find(None, all=True, raw=True,
> version=u'2.215', pkey_only=False)
> 2016-12-05T19:13:47Z DEBUG raw: server_role_find(None,
> server_server=u'trill.cis.fordham.edu', status=u'enabled', version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG server_role_find(None,
> server_server=u'trill.cis.fordham.edu', status=u'enabled', all=False,
> raw=False, version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG raw: topologysegment_find(u'domain', None,
> sizelimit=0, version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG topologysegment_find(u'domain', None,
> sizelimit=0, all=False, raw=False, version=u'2.215', pkey_only=False)
> 2016-12-05T19:13:47Z DEBUG raw: config_show(version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG config_show(rights=False, all=False,
> raw=False, version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG raw: dns_is_enabled(version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG dns_is_enabled(version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG raw: ca_is_enabled(version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG ca_is_enabled(version=u'2.215')
> 2016-12-05T19:13:47Z DEBUG File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in
> execute
> return_value = self.run()
> File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line
> 318, in run
> cfgr.run()
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 308, in run
> self.validate()
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 317, in validate
> for nothing in self._validator():
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 376, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 400, in _handle_validate_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 395, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 366, in __runner
> step()
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 363, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 575, in _configure
> next(validator)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 376, in __runner
> exc_handler(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 400, in _handle_validate_exception
> self._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 460, in _handle_exception
> self.__parent._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 395, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 457, in _handle_exception
> super(ComponentBase, self)._handle_exception(exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 395, in _handle_exception
> six.reraise(*exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 366, in __runner
> step()
> File "/usr/lib/python2.7/site-packages/ipapython/install/core.py",
> line 363, in <lambda>
> step = lambda: next(self.__gen)
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 81, in run_generator_with_yield_from
> six.reraise(*exc_info)
> File "/usr/lib/python2.7/site-packages/ipapython/install/util.py",
> line 59, in run_generator_with_yield_from
> value = gen.send(prev_value)
> File "/usr/lib/python2.7/site-packages/ipapython/install/common.py",
> line 71, in _uninstall
> for nothing in self._uninstaller(self.parent):
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
> line 1376, in main
> uninstall_check(self)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
> line 270, in decorated
> func(installer)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
> line 1047, in uninstall_check
> remove_master_from_managed_topology(api, options)
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py",
> line 310, in remove_master_from_managed_topology
> raise ScriptError(str(e))
>
> 2016-12-05T19:13:47Z DEBUG The ipa-server-install command failed,
> exception: ScriptError: Server removal aborted: Deleting this server is
> not allowed as it would leave your installation without a CA..
> 2016-12-05T19:13:47Z ERROR Server removal aborted: Deleting this server
> is not allowed as it would leave your installation without a CA..
> 2016-12-05T19:13:47Z ERROR The ipa-server-install command failed. See
> /var/log/ipaserver-uninstall.log for more information
>
>
>
Hi,
if this server is the last FreeIPA server, the --ignore-last-of-role
option will allow uninstallation:
ipa-server-install --uninstall --ignore-last-of-role -U
But if the topology contains multiple FreeIPA servers, it is recommended
to replicate the CA instance on another server with ipa-ca-install
before uninstalling the server with the CA.
HTH,
Flo.
More information about the Freeipa-users
mailing list