<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Thank you very much! That does it. </div></div><div class="gmail_extra"><br><div class="gmail_quote">On 7 April 2016 at 13:12, Ludwig Krispenz <span dir="ltr"><<a href="mailto:lkrispen@redhat.com" target="_blank">lkrispen@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <br>
    <div>On 04/07/2016 07:23 AM, Prashant Bapat
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default">What I have done now was to add a new server,
          ipa02 and configured replication again and things are fine. </div>
        <div class="gmail_default"><br>
        </div>
        <div class="gmail_default">However on IPA1 the 389 ds error logs have
          reference to the dead ipa2 replica.</div>
        <div class="gmail_default"><br>
        </div>
        <div class="gmail_default">
          <div class="gmail_default"><font face="monospace, monospace">[07/Apr/2016:04:13:11
              +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net"
              (ipa2:389): Replication bind with GSSAPI auth failed: LDAP
              error -1 (Can't contact LDAP server) ()</font></div>
          <div class="gmail_default"><font face="monospace, monospace">[07/Apr/2016:04:13:11
              +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid
              6): Failed to connect to replica(agmt="cn=meToipa2.example.net"
              (ipa2:389)).</font></div>
          <div class="gmail_default"><font face="monospace, monospace">[07/Apr/2016:04:13:11
              +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid
              6): Retrying in 14400 seconds</font></div>
          <div class="gmail_default"><br>
          </div>
          <div class="gmail_default"><font face="trebuchet ms,
              sans-serif">It will never be able to connect to ipa2 as
              it's gone permanently. Also the </font><span> </span><span style="font-size:12.8px"><font face="monospace, monospace">ipa-replica-manage
                list `hostname`</font><font face="trebuchet ms,
                sans-serif"> command still shows the ipa2 as replica. </font></span></div>
          <div class="gmail_default"><span style="font-size:12.8px"><br>
            </span></div>
          <div class="gmail_default"><span style="font-size:12.8px">How to remove
              this permanently ???</span></div>
        </div>
      </div>
    </blockquote></span>
    I don't know why you did get into this state, ipa-replica-manage del
    should have removed the agreement. You can do it by directly
    deleting it in DS:<br>
    - get the full dn of the agreement<br>
    ldapsearch ..... -D "cn=directory manager" -w .... -b cn=config <font face="monospace, monospace">"cn=meToipa2.example.net" dn<br>
      it should return an entry with<br>
      dn: <agreement dn><br>
      <br>
      then do a delete<br>
      <br>
      ldapmodify </font>..... -D "cn=directory manager" -w ....<br>
    <font face="monospace, monospace">dn: <agreement dn><br>
      changetype: delete<br>
      <br>
    </font><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default">
          <div class="gmail_default"><span style="font-size:12.8px"><br>
            </span></div>
          <div class="gmail_default"><span style="font-size:12.8px">Thanks.</span></div>
          <div class="gmail_default"><span style="font-size:12.8px">--Prashant</span></div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 6 April 2016 at 22:17, Prashant
          Bapat <span dir="ltr"><<a href="mailto:prashant@apigee.com" target="_blank">prashant@apigee.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div class="gmail_default">
                <div class="gmail_default"># ipa-replica-manage list
                  `hostname`</div>
                <div class="gmail_default">ipa2.example.net:
                  replica</div>
                <div class="gmail_default">ipa3.example.net:
                  replica</div>
                <div class="gmail_default">ipa4.example.net:
                  replica</div>
                <div class="gmail_default"><br>
                </div>
                <div class="gmail_default">ipa2.example.net
                  should not be there. How do I remove it?</div>
              </div>
            </div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On 6 April 2016 at 18:55, Rob
                    Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Prashant
                      Bapat wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
                          Hi,<br>
                          <br>
                          We had 4 IPA servers in master master mode
                          with all of them connected to<br>
                          each other.<br>
                          <br>
                          IPA1 <---->  IPA2 (colo 1)<br>
                          IPA3 <---->  IPA4 (colo 2)<br>
                          <br>
                          One of the replica servers (IPA2) had to be
                          rebuilt.<br>
                          <br>
                          So I went ahead and used below commands.<br>
                          <br>
                          ipa-replica-manage disconnect IPA2 IPA3<br>
                          ipa-replica-manage disconnection IPA2 IPA4<br>
                          ipa-replica-manage del IPA2 (to remove it on
                          IPA1).<br>
                          <br>
                        </span>
                        And then ran ipa-server-install --uninstall on
                        IPA2.<span><br>
                          <br>
                          Created the replica info file using
                          ipa-replica-prepare IPA2.<br>
                          <br>
                          When I tried to run ipa-replica-install on
                          IPA2, it says<br>
                          <br>
                          A replication agreement for this host already
                          exists. It needs to be<br>
                          removed.<br>
                          Run this on the master that generated the info
                          file:<br>
                        </span>
                             % ipa-replica-manage del ipa2.example.net<span><br>
                          --force<br>
                          <br>
                          Now on IPA1, no matter what I do it still has
                          references to IPA2.<br>
                          <br>
                          So far I have tried the following.<br>
                          <br>
                        </span>
                         1. ipa-replica-manage del --force IPA2<br>
                         2. ipa-replica-manage del --force --cleanruv
                        IPA2<br>
                         3. /usr/sbin/cleanallruv.pl
                        -D "cn=directory<span><br>
                              manager" -w - -b "dc=example,dc=net" -r 6<br>
                          <br>
                          <br>
                          Got the rid = 6 by running<br>
                          ldapsearch -Y GSSAPI -b "dc=example,dc=net"<br>
'(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'<br>
                          nsds50ruv<br>
                          <br>
                          In the directory server logs, I guess it's
                          still trying to connect to<br>
                          IPA2 and failing. Below are some lines.<br>
                          <br>
                          [06/Apr/2016:10:18:09 +0000]
                          NSMMReplicationPlugin -<br>
                        </span>
                        agmt="cn=meToipa2.example.net"
                        (ipa2:389):<span><br>
                          Replication bind with GSSAPI auth failed: LDAP
                          error -1 (Can't contact<br>
                          LDAP server) ()<br>
                          [06/Apr/2016:10:18:09 +0000]
                          NSMMReplicationPlugin - CleanAllRUV Task<br>
                          (rid 6): Replica not online (agmt="cn=meToipa2.example.net"<br>
                        </span>
                        (ipa2:389))<span><br>
                          [06/Apr/2016:10:18:09 +0000]
                          NSMMReplicationPlugin - CleanAllRUV Task<br>
                          (rid 6): Not all replicas online, retrying in
                          2560 seconds...<br>
                          <br>
                          Any pointers would be helpful.<br>
                        </span></blockquote>
                      <br>
                      On ipa1 run:<br>
                      <br>
                      % ipa-replica-manage list -v `hostname`<br>
                      <br>
                      This will give the list of actual agreements and
                      their status.<span><font color="#888888"><br>
                          <br>
                          rob<br>
                          <br>
                        </font></span></blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote>
    <br>
    </div></div></div>

</blockquote></div><br></div>
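<p>An added example, not part of the original thread or of FreeIPA's own tooling: the two steps from Ludwig Krispenz's reply (find the agreement DN, then delete it) as a shell helper that reads ldapsearch LDIF on stdin and emits the delete LDIF only when exactly one agreement with the expected cn is found. The function names and the sample LDIF are constructed for illustration; the folded dn: line shows why a plain grep for the DN can return a truncated value.</p>

```shell
#!/bin/sh
# Added example: build the "changetype: delete" LDIF for one stale
# replication agreement from ldapsearch output. Function names are hypothetical.

# LDIF folds long lines: a line starting with one space continues the previous.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# Print every DN found in the LDIF on stdin; refuse base64-encoded DNs.
agreement_dns() {
    unfold_ldif | awk '
        /^dn:: / { print "base64 dn found, decode it first" > "/dev/stderr"; bad = 1; next }
        /^dn: /  { print substr($0, 5) }
        END { exit bad + 0 }
    '
}

# Emit delete LDIF only if exactly one DN was returned and it is the named
# agreement under cn=mapping tree,cn=config (where 389 DS keeps agreements).
delete_ldif() {
    want_cn=$1
    dns=$(agreement_dns) || return 1
    count=$(printf '%s\n' "$dns" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "expected 1 agreement, found $count" >&2; return 1; }
    case $dns in
        "cn=$want_cn,"*",cn=mapping tree,cn=config") ;;
        *) echo "unexpected dn: $dns" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: delete\n' "$dns"
}

# Constructed sample of what the ldapsearch step returns (note the folded dn).
sample_ldif() {
    cat <<'EOF'
dn: cn=meToipa2.example.net,cn=replica,cn=dc\3Dexample\2Cdc\3Dnet,cn=mapping t
 ree,cn=config

EOF
}

sample_ldif | delete_ldif meToipa2.example.net
```

Against a live server, pipe the output of the ldapsearch step into delete_ldif, review the result, and feed it to ldapmodify with the same bind options the reply elides.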