Hi,
thank you. We have 34 entries in the directory with nsuniqueid in the DN:

dn: cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=locations+nsuniqueid=7a711f07-d11911e6-bea49da2-866883c1,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=Default Service Password Policy+nsuniqueid=f683e20d-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cas+nsuniqueid=7a711f0d-d11911e6-bea49da2-866883c1,cn=ca,dc=vs,dc=example,dc=cz
dn: cn=dogtag+nsuniqueid=7a711f3e-d11911e6-bea49da2-866883c1,cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=Default Host Password Policy+nsuniqueid=f683e20b-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: idnsserverid=tidmipa01.vs.example.cz,cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=System: Add CA+nsuniqueid=7a711f46-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Delete CA+nsuniqueid=7a711f4a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify CA+nsuniqueid=7a711f4e-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read CAs+nsuniqueid=7a711f52-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=7a711f57-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=7a711f5b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Host Principals+nsuniqueid=7a711f6a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Add IPA Locations+nsuniqueid=7a711f7b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify IPA Locations+nsuniqueid=7a711f7f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read IPA Locations+nsuniqueid=7a711f83-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Remove IPA Locations+nsuniqueid=7a711f87-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=7a711f8b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=7a711f8f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Service Principals+nsuniqueid=7a711f93-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage User Principals+nsuniqueid=7a711fa1-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=Default Kerberos Service Password Policy+nsuniqueid=f683e211-e16a11e6-bea49da2-866883c1,cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e215-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e21b-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e221-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=domain+nsuniqueid=7a711f03-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=ca+nsuniqueid=7a711f41-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz


The guide describes how to solve DN name conflicts, but I think we should 
delete them. They look like doubled entries, just with 
"+nsuniqueid=.... ". For each of them I have an entry without "nsuniqueid" in the DN:

dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=ipaservers,cn=ng,cn=alt,dc=vs,dc=example,dc=cz

Is that correct?

Thanks,
Jan








----- Original Message -----
From: "Martin Basti" <mba...@redhat.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Jan Karásek" <jan.kara...@elostech.cz>
Sent: Monday, July 10, 2017 7:09:34 PM
Subject: Re: [Freeipa-users] ipa-domainlevel set 1 failed

On 10.07.2017 18:26, Jan Karásek via FreeIPA-users wrote:
> Hello,
>
> I'm having trouble setting the IPA domain level to 1.
>
> When I run the command:
>
> ipa domainlevel-set 1
> ipa: ERROR: Domain Level cannot be raised to 1, existing replication 
> conflicts have to be resolved.
>
> At the moment we have just two IPA servers.
>
> I have tried to uninstall all replicas, keeping only first ipa master, but 
> the same error occurred.
>
> While running only one IPA server without any replica, I used 
> ipa-replica-manage list-ruv and clean-ruv to delete all RUVs, but was still 
> unable to raise the domain level.
>
> OS: RHEL 7.3, updated to last IPA version ipa-server-4.4.0-14.
>
> First version of IPA server installed was on RHEL 7.2, then updated to RHEL 
> 7.3.
>
> This is described in RHBA-2017:0089-1
>
>   Previously, if an Identity Management (IdM) upgrade ran simultaneously on
> multiple servers, replication conflict entries were sometimes generated in the
> "cn=topology" subtree.
>
>
> So if I understand it right, there is a new check implemented which prevents 
> raising domain level when this happens.
>
> So my question is what can I do to get rid of "conflict entries" and raise 
> domain level ?
>
> Thanks,
>
> Jan Karásek
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hello,

please use this guide to resolve replication conflicts 
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

-- 
Martin Bašti
Software Engineer
Red Hat Czech
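
An added example, not part of the original thread: a small inventory helper for the kind of DN list posted above. It pairs each DN carrying "+nsuniqueid=" with the DN it would have without that part, checks whether that counterpart is also present, and separates entries that are conflict entries themselves from ordinary entries that merely sit under a conflict parent. It assumes one unwrapped DN per line (for example ldapsearch run with "-o ldif-wrap=no"); the function names and the sample are constructed for illustration, the sample reusing DNs quoted in this thread.

```python
import re

# "+nsuniqueid=<id>" as it appears in the RDNs listed in this thread
# (four 8-digit hex groups). 389 Directory Server adds it to the RDN of
# an entry it renamed because of a naming conflict.
NSUNIQUEID_RE = re.compile(r"\+nsuniqueid=[0-9a-f]{8}(?:-[0-9a-f]{8}){3}", re.I)

def parse_dns(ldif_text):
    """Collect DNs from 'dn: ...' lines (base64 'dn::' lines are skipped)."""
    return [l[4:].strip() for l in ldif_text.splitlines() if l.startswith("dn: ")]

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]

def clean_dn(dn):
    """The DN with the +nsuniqueid part removed from every RDN."""
    return ",".join(NSUNIQUEID_RE.sub("", r) for r in split_rdns(dn))

def classify(dns):
    """Describe every DN that has nsuniqueid somewhere, deepest entries first."""
    present = {d.lower() for d in dns}
    report = []
    for dn in dns:
        rdns = split_rdns(dn)
        hits = [i for i, r in enumerate(rdns) if NSUNIQUEID_RE.search(r)]
        if not hits:
            continue
        counterpart = clean_dn(dn)
        report.append({
            "dn": dn,
            "counterpart": counterpart,
            "counterpart_exists": counterpart.lower() in present,
            "own_rdn_conflict": 0 in hits,          # the entry itself was renamed
            "under_conflict_parent": any(i > 0 for i in hits),
            "depth": len(rdns),
        })
    # Children sort before their parents, so a subtree is reviewed leaf-first.
    report.sort(key=lambda e: -e["depth"])
    return report

# Constructed sample built from DNs quoted in the thread.
SAMPLE = """\
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=ipaservers,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: idnsserverid=tidmipa01.vs.example.cz,cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=servers,cn=dns,dc=vs,dc=example,dc=cz
"""

if __name__ == "__main__":
    for e in classify(parse_dns(SAMPLE)):
        print(e["counterpart_exists"], e["own_rdn_conflict"], e["dn"])
```

In the sample, the idnsserverid entry has no nsuniqueid in its own RDN and no counterpart under the plain cn=servers, which is the case worth checking by hand before anything under a conflict parent is touched.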