Agreed! I would love to know if that is possible... seems like it should be.
As mentioned previously, preprod still has the agreements, but prod does
not.
Not really sure how I should proceed. I'm a bit stuck, not wanting to
further break anything. For now, auth is still working in both envs.
---
[root@ipa-preprod-1201]# ipa topologysegment-find domain
------------------
5 segments matched
------------------
  Segment name: ipa-preprod-1201-to-ipa-preprod-1202
  Left node: ipa-preprod-1201
  Right node: ipa-preprod-1202
  Connectivity: both

  Segment name: ipa-preprod-1201-to-ipa-prod-1201
  Left node: ipa-preprod-1201
  Right node: ipa-prod-1201
  Connectivity: both

  Segment name: ipa-preprod-1202-to-ipa-prod-1201
  Left node: ipa-preprod-1202
  Right node: ipa-prod-1201
  Connectivity: both

  Segment name: ipa-prod-1201-to-ipa-prod-1202
  Left node: ipa-prod-1201
  Right node: ipa-prod-1202
  Connectivity: both

  Segment name: ipa-prod-1202-to-ipa-preprod-1201
  Left node: ipa-prod-1202
  Right node: ipa-preprod-1201
  Connectivity: both

[root@ipa-prod-1201]# ipa topologysegment-find domain
------------------
2 segments matched
------------------
  Segment name: ipa-preprod-1201-to-ipa-preprod-1202
  Left node: ipa-preprod-1201
  Right node: ipa-preprod-1202
  Connectivity: both

  Segment name: ipa-prod-1201-to-ipa-prod-1202
  Left node: ipa-prod-1201
  Right node: ipa-prod-1202
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------

I think part of the problem is that when I did the ipa-replica-manage del,
it removed the preprod servers:

[root@ipa-prod-1201]# ipa server-find
---------------------
2 IPA servers matched
---------------------
  Server name: ipa-prod-1201
  Min domain level: 0
  Max domain level: 1

  Server name: ipa-prod-1202
  Min domain level: 0
  Max domain level: 1
----------------------------
Number of entries returned 2
----------------------------

but they still exist on the preprod side:

[root@ipa-preprod-1201]# ipa server-find
---------------------
4 IPA servers matched
---------------------
  Server name: ipa-preprod-1201
  Min domain level: 0
  Max domain level: 1

  Server name: ipa-preprod-1202
  Min domain level: 0
  Max domain level: 1

  Server name: ipa-prod-1201
  Min domain level: 0
  Max domain level: 1

  Server name: ipa-prod-1202
  Min domain level: 0
  Max domain level: 1
----------------------------
Number of entries returned 4
----------------------------




On Wed, Jan 31, 2018 at 10:52 PM, Andrew Radygin <randr...@gmail.com> wrote:

> Though you can completely rebuild preprod servers, still it would be
> interesting how to reconnect prod servers with replicas again.
>
> 2018-02-01 8:41 GMT+03:00 Rob Brown via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org>:
>
>> ok, did a little googling, and seems like KRA refers to the "vault"
>> feature?
>> I didn't originally install this myself, so wasn't sure if it is used for
>> anything critical.
>> I ran:
>> # ipa vault-find
>> ----------------
>> 0 vaults matched
>> ----------------
>> ----------------------------
>> Number of entries returned 0
>> ----------------------------
>>
>> So, can I assume it is safe to blow away and rebuild the server that has
>> this role?
>>
>> On Wed, Jan 31, 2018 at 3:56 PM, Rob Brown <dtownrobbr...@gmail.com>
>> wrote:
>>
>>> I have 4 IPA servers, all masters, that were previously configured in a
>>> "full mesh" replication.
>>> 2 in "prod", 2 in "preprod".
>>> While trying to fix a replication issue, I accidentally did a:
>>> ipa-replica-manage del
>>> on one of the prod servers for BOTH preprod servers.
>>>
>>> Now, the prod servers don't "see" either of the preprod servers, so I
>>> effectively created a "split-brain" between the 2 environments. Preprod
>>> still "knows about" the prod ipa servers, but I can't figure out how to
>>> re-establish the replication agreements.
>>>
>>> I was about to just blow away the preprod servers and rebuild them
>>> (which I did before on one of them) but noticed one of them has the "KRA"
>>> role, and it is the only one in the domain that has it.
>>> I don't know what that does, or what the effects would be if it went
>>> away. I'm guessing bad.
>>>
>>> I have tried "ipa topologysegment-reinitialize domain" on the segments
>>> that preprod still has, but those segments did not show up in prod.
>>> ipa topologysuffix-verify domain says "in order" everywhere.
>>>
>>> At this point I am completely lost on how to proceed.
>>>
>>> What details can I provide for any help anyone is willing to provide?
>>>
>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>
>>
>
>
> --
> Best regards, Andrew.
>
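The two `ipa topologysegment-find` listings in the message above can be compared mechanically. The following is an added example, not part of the original thread or of FreeIPA: it parses each server's output, lists the segments only one side knows about, and groups the replicas into connected components. The function names and the `render` helper, which rebuilds sample input from the segment lists in the message, are assumptions.

```python
def parse_segments(output):
    """Parse `ipa topologysegment-find` text into {segment name: {field: value}}."""
    segments, current = {}, None
    for line in output.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # prompt, banner, dashes or blank line
        if key == "Segment name":
            current = segments.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return segments

def edges(segments):
    """Undirected replica pairs; segments missing a node field are skipped."""
    return {frozenset((s["Left node"], s["Right node"]))
            for s in segments.values() if "Left node" in s and "Right node" in s}

def components(edge_set):
    """Group replicas into connected components of the replication graph."""
    groups = []
    for edge in edge_set:
        hit = [g for g in groups if g & edge]
        groups = [g for g in groups if not g & edge] + [set(edge).union(*hit)]
    return sorted(sorted(g) for g in groups)

def compare_views(view_a, view_b):
    """Diff two servers' views of the topology and show how each is partitioned."""
    a, b = edges(parse_segments(view_a)), edges(parse_segments(view_b))
    pairs = lambda es: sorted(tuple(sorted(e)) for e in es)
    return {"only_in_a": pairs(a - b), "only_in_b": pairs(b - a),
            "components_a": components(a), "components_b": components(b)}

def render(node_pairs):
    """Constructed sample input in the layout the CLI prints (hypothetical helper)."""
    return "\n\n".join(
        f"  Segment name: {l}-to-{r}\n  Left node: {l}\n"
        f"  Right node: {r}\n  Connectivity: both"
        for l, r in node_pairs)

# Segment lists as reported in the message above (sample input, rebuilt here).
PP1, PP2, P1, P2 = ("ipa-preprod-1201", "ipa-preprod-1202",
                    "ipa-prod-1201", "ipa-prod-1202")
PREPROD_VIEW = render([(PP1, PP2), (PP1, P1), (PP2, P1), (P1, P2), (P2, PP1)])
PROD_VIEW = render([(PP1, PP2), (P1, P2)])

if __name__ == "__main__":
    print(compare_views(PREPROD_VIEW, PROD_VIEW))
```

With the preprod listing as view A and the prod listing as view B, the three preprod-to-prod segments appear only in A, and B splits into two components.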