Though you can completely rebuild the preprod servers, it would still be
interesting to know how to reconnect the prod servers with the replicas again.

2018-02-01 8:41 GMT+03:00 Rob Brown via FreeIPA-users <freeipa-users@lists.fedorahosted.org>:

> OK, did a little googling, and it seems like KRA refers to the "vault"
> feature?
> I didn't originally install this myself, so wasn't sure if it is used for
> anything critical.
> I ran:
> # ipa vault-find
> ----------------
> 0 vaults matched
> ----------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
>
> So, can I assume it is safe to blow away and rebuild the server that has
> this role?
>
> On Wed, Jan 31, 2018 at 3:56 PM, Rob Brown <dtownrobbr...@gmail.com>
> wrote:
>
>> I have 4 IPA servers, all masters, that were previously configured in a
>> "full mesh" replication.
>> 2 in "prod", 2 in "preprod".
>> While trying to fix a replication issue, I accidentally did a:
>> ipa-replica-manage del
>> on one of the prod servers for BOTH preprod servers.
>>
>> Now, the prod servers don't "see" either of the preprod servers, so I
>> effectively created a "split-brain" between the 2 environments. Preprod
>> still "knows about" the prod ipa servers, but I can't figure out how to
>> re-establish the replication agreements.
>>
>> I was about to just blow away the preprod servers and rebuild them (which
>> I did before on one of them) but noticed one of them has the "KRA" role,
>> and it is the only one in the domain that has it.
>> I don't know what that does, or what the effects would be if it went
>> away. I'm guessing bad.
>>
>> I have tried "ipa topologysegment-reinitialize domain" on the segments
>> that preprod still has, but those segments did not show up in prod.
>> ipa topologysuffix-verify domain says "in order" everywhere.
>>
>> At this point I am completely lost on how to proceed.
>>
>> What details can I provide for any help anyone is willing to provide?
>>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
>


-- 
Best regards, Andrew.