On 07/11/2017 03:24 PM, Jan Karásek via FreeIPA-users wrote:
Hi,
thank you. We have 34 entries in directory with nsuniqueid in DN:

dn: cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=locations+nsuniqueid=7a711f07-d11911e6-bea49da2-866883c1,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=Default Service Password Policy+nsuniqueid=f683e20d-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cas+nsuniqueid=7a711f0d-d11911e6-bea49da2-866883c1,cn=ca,dc=vs,dc=example,dc=cz
dn: cn=dogtag+nsuniqueid=7a711f3e-d11911e6-bea49da2-866883c1,cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=Default Host Password Policy+nsuniqueid=f683e20b-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: idnsserverid=tidmipa01.vs.example.cz,cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=System: Add CA+nsuniqueid=7a711f46-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Delete CA+nsuniqueid=7a711f4a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify CA+nsuniqueid=7a711f4e-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read CAs+nsuniqueid=7a711f52-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=7a711f57-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=7a711f5b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Host Principals+nsuniqueid=7a711f6a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Add IPA Locations+nsuniqueid=7a711f7b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify IPA Locations+nsuniqueid=7a711f7f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read IPA Locations+nsuniqueid=7a711f83-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Remove IPA Locations+nsuniqueid=7a711f87-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=7a711f8b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=7a711f8f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Service Principals+nsuniqueid=7a711f93-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage User Principals+nsuniqueid=7a711fa1-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=Default Kerberos Service Password Policy+nsuniqueid=f683e211-e16a11e6-bea49da2-866883c1,cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e215-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e21b-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e221-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=domain+nsuniqueid=7a711f03-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=ca+nsuniqueid=7a711f41-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz


The guide describes how to solve a DN naming conflict, but I think we should delete them. They
look like they are doubled entries, just with "+nsuniqueid=.... ". For each of them I
have an entry without "nsuniqueid" in the DN:

dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=ipaservers,cn=ng,cn=alt,dc=vs,dc=example,dc=cz

Is that correct?

The guide covers scenarios where you want to keep both entries or the conflict entry. If you just have a "valid" entry and a "conflict" entry as a duplicate, you can delete the conflict directly.

Thanks,
Jan








----- Original Message -----
From: "Martin Basti" <mba...@redhat.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Jan Karásek" <jan.kara...@elostech.cz>
Sent: Monday, July 10, 2017 7:09:34 PM
Subject: Re: [Freeipa-users] ipa-domainlevel set 1 failed

On 10.07.2017 18:26, Jan Karásek via FreeIPA-users wrote:
Hello,

I'm having trouble setting the IPA domain level to 1.

When I run the command:

ipa domainlevel-set 1
ipa: ERROR: Domain Level cannot be raised to 1, existing replication conflicts 
have to be resolved.

At the moment we have just two IPA servers.

I have tried to uninstall all replicas, keeping only first ipa master, but the 
same error occurred.

While running only one IPA server without any replica, I used 
ipa-replica-manage list-ruv and clean-ruv to delete all RUVs, but was still 
unable to raise the domain level.

OS: RHEL 7.3, updated to the last IPA version, ipa-server-4.4.0-14.

The first version of the IPA server was installed on RHEL 7.2, then updated to RHEL 7.3.

This is described in RHBA-2017:0089-1

   Previously, if an Identity Management (IdM) upgrade ran simultaneously on
multiple servers, replication conflict entries were sometimes generated in the
"cn=topology" subtree.


So if I understand it right, there is a new check implemented which prevents 
raising domain level when this happens.

So my question is: what can I do to get rid of the "conflict entries" and raise
the domain level?

Thanks,

Jan Karásek
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Hello,

please use this guide to resolve replication conflicts
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html


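The check described in the reply at the top of the thread (a conflict entry that merely duplicates a valid entry can be deleted directly), as an added example that is not part of the original messages: it pairs each "+nsuniqueid" DN with its plain twin and orders the deletions deepest first, because an LDAP server refuses to delete an entry that still has children. The function names and the sample list are assumptions; the cn=orphan entry is constructed to show the case that still needs the guide's procedure.

```python
import re

# 389-ds marks a replication conflict entry by adding "+nsuniqueid=<id>" to its RDN.
CONFLICT = re.compile(r"\+nsuniqueid=[0-9a-f]{8}(?:-[0-9a-f]{8}){3}", re.I)

def rdns(dn):
    """Split a DN into RDNs on unescaped commas."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]

def norm(dn):
    """Lower-cased, whitespace-normalised DN used only for comparison."""
    return ",".join(rdns(dn)).lower()

def plan(dns):
    """Return (delete_order, review) for DNs read from the directory.

    delete_order: conflict DNs whose plain twin exists, deepest first.
    review: conflict DNs without a twin, and conflict parents above them.
    """
    present = {norm(d) for d in dns}
    conflicts = [d for d in dns if CONFLICT.search(d)]
    blocked = set()
    for d in conflicts:
        if norm(CONFLICT.sub("", d)) not in present:
            parts = rdns(d)
            # The entry itself and every ancestor must stay until it is resolved.
            blocked.update(norm(",".join(parts[i:])) for i in range(len(parts)))
    delete_order = [d for d in conflicts if norm(d) not in blocked]
    delete_order.sort(key=lambda d: len(rdns(d)), reverse=True)
    review = [d for d in conflicts if norm(d) in blocked]
    return delete_order, review

BASE = "dc=vs,dc=example,dc=cz"
CUSTODIA_C = "cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc," + BASE
SAMPLE = [  # DNs modelled on the thread; cn=orphan is constructed and has no twin
    "cn=custodia,cn=ipa,cn=etc," + BASE,
    "cn=dogtag,cn=custodia,cn=ipa,cn=etc," + BASE,
    CUSTODIA_C,
    "cn=dogtag+nsuniqueid=7a711f3e-d11911e6-bea49da2-866883c1," + CUSTODIA_C,
    "cn=ipaservers,cn=ng,cn=alt," + BASE,
    "cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt," + BASE,
    "cn=orphan+nsuniqueid=00000000-00000000-00000000-00000000,cn=etc," + BASE,
]

if __name__ == "__main__":
    delete_order, review = plan(SAMPLE)
    for dn in delete_order:
        print("delete:", dn)
    for dn in review:
        print("review:", dn)
```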