Thank you, that worked. I'm now having issues passing the pki-tomcatd installation but that's another issue.
Fri, 21 Aug 2020 at 11:17, Florence Blanc-Renaud <[email protected]>:

> On 8/19/20 9:52 PM, Konstantin M. Khankin via FreeIPA-users wrote:
> > TL;DR: Unfortunately this doesn't help. I see this on Replica when
> > running 'ipa-server-install --uninstall':
> > u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring
> > replica: Replica has different database generation ID, remote replica may
> > need to be initialized (RUV error)']. Does this give any hints?
> >
> > [root@leader ~]# kinit admin
> > Password for admin@DOMAIN:
> > [root@leader ~]# ipa server-del Replica
> > Removing Replica from replication topology, please wait...
> > ipa: ERROR: Replica: server not found
> > [root@leader ~]# ipa server-del Replica.domain
> > Removing Replica.domain from replication topology, please wait...
> > ipa: ERROR: Replica.domain: server not found
> > [root@leader ~]# ipa host-del Replica
> > ipa: ERROR: Replica: host not found
> > [root@leader ~]# ipa host-del Replica.domain
> > ipa: ERROR: Replica.domain: host not found
> >
> > [root@leader ~]# ipa-replica-manage list
> > Leader.domain: master
> >
> > [root@replica ~]# ipa-replica-manage list
> > Unknown host Replica.domain: Host 'Replica.domain' does not have
> > corresponding DNS A/AAAA record
>
> Hi,
> can you try the following command on leader:
> ipa server-del Replica.domain --force
>
> Then as Rob suggested you can look in the LDAP server if there are any
> remaining entries referring to Replica:
> ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap > /tmp/db.ldif
> ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap -b cn=config > /tmp/config.ldif
>
> Look for "Replica.domain" in the ldif files, and if needed use
> ldapmodify or your preferred ldap client tool to remove the
> entries/attributes.
>
> flo
>
> > [root@replica ~]# ipa-server-install --uninstall
> >
> > This is a NON REVERSIBLE operation and will delete all data and
> > configuration!
> > It is highly recommended to take a backup of existing data and
> > configuration using ipa-backup utility before proceeding.
> >
> > Are you sure you want to continue with the uninstall procedure? [no]: yes
> > [LDAPEntry(ipapython.dn.DN('cn=meToLeader.domain,cn=replica,cn=dc\=domain,cn=mapping tree,cn=config'),
> > {u'nsds5replicaLastInitStart': ['19700101000000Z'],
> > u'nsds5replicaUpdateInProgress': ['FALSE'],
> > u'cn': ['meToLeader.domain'],
> > u'objectClass': ['nsds5replicationagreement', 'top'],
> > u'nsds5replicaLastUpdateEnd': ['19700101000000Z'],
> > u'nsDS5ReplicaRoot': ['dc=domain'],
> > u'nsDS5ReplicaHost': ['leader.domain'],
> > u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)'],
> > u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'],
> > u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'],
> > u'nsds5replicaLastUpdateStart': ['19700101000000Z'],
> > u'nsDS5ReplicaPort': ['389'],
> > u'nsDS5ReplicaTransportInfo': ['LDAP'],
> > u'description': ['me to leader.domain'],
> > u'nsds5replicareapactive': ['0'],
> > u'nsds5replicaChangesSentSinceStartup': [''],
> > u'nsds5replicaTimeout': ['120'],
> > u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
> > u'nsds5replicaLastInitEnd': ['19700101000000Z'],
> > u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]
> >
> > Replication agreements with the following IPA masters found: leader.domain.
> > Removing any replication agreements before uninstalling the server is strongly
> > recommended. You can remove replication agreements by running the following
> > command on any other IPA master:
> > $ ipa-replica-manage del replica.domain
> >
> > Are you sure you want to continue with the uninstall procedure? [no]: yes
> > Shutting down all IPA services
> > Unconfiguring ntpd
> > Configuring certmonger to stop tracking system certificates for KRA
> > Configuring certmonger to stop tracking system certificates for CA
> > Unconfiguring directory server
> > ipaserver.install.dsinstance: ERROR Unable to find server cert
> > nickname in /etc/dirsrv/slapd-DOMAIN/dse.ldif
> > Removing IPA client configuration
> > Removing Kerberos service principals from /etc/krb5.keytab
> > Disabling client Kerberos and LDAP configurations
> > Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> > /etc/sssd/sssd.conf.deleted
> > Restoring client configuration files
> > Unconfiguring the NIS domain.
> > nscd daemon is not installed, skip configuration
> > nslcd daemon is not installed, skip configuration
> > Systemwide CA database updated.
> > Client uninstall complete.
> > The ipa-client-install command was successful
> >
> > And after that ipa-replica-install fails as before.
> >
> > Tue, 18 Aug 2020 at 23:56, Rob Crittenden <[email protected]>:
> >
> > > Konstantin M. Khankin via FreeIPA-users wrote:
> > > > Hi!
> > > >
> > > > Bumping this thread. Does anyone have any ideas?
> > >
> > > I'd uninstall the replica and ensure that all remnants are gone with:
> > >
> > > $ ipa server-del <host>
> > > $ ipa host-del <host>
> > >
> > > And if you're extra paranoid do an LDIF dump of the database and sift
> > > through that.
> > >
> > > rob
> > >
> > > > Thanks!
> > > >
> > > > Sun, 9 Aug 2020, 08:23 Konstantin M. Khankin <[email protected]>:
> > > >
> > > > > Hi!
> > > > >
> > > > > I run IPA on CentOS 7. I have two servers (Leader and Replica, though they
> > > > > changed roles a couple of times because of reinstalls), had ca and domain
> > > > > services on both of them, replication set up and working. I had to switch
> > > > > off Replica for 6 months. When I turned it on recently, I found expired
> > > > > certificates, couldn't fix them easily and lost the old Replica - at least
> > > > > I concluded it was easier to reinstate the Replica than to detangle the
> > > > > mess I made while I was trying to back out of outdated certs. I hit the
> > > > > same error as I do now though - Invalid Credentials (49).
> > > > >
> > > > > So I did the following:
> > > > >
> > > > > 1) on Replica - ipa-server-install --uninstall.
> > > > > 2) on Leader - ipa-replica-manage del --force --clean Replica.
> > > > > 3) removed obsolete replication agreement meToReplica from Leader.
> > > > > 4) removed all traces of Replica from DNS.
> > > > >
> > > > > Then I started to install Replica from scratch:
> > > > >
> > > > > 1) ipa-client-install
> > > > > 2) ipa-replica-install --setup-ca --setup-dns --forwarder X --forwarder Y
> > > > >
> > > > > Installation consistently fails with:
> > > > >
> > > > > '''
> > > > > Run connection check to master
> > > > > Connection check OK
> > > > > Configuring directory server (dirsrv). Estimated time: 30 seconds
> > > > > <...>
> > > > >   [29/42]: setting up initial replication
> > > > > Starting replication, please wait until this has completed.
> > > > > Update in progress, 16 seconds elapsed
> > > > > [ldap://Leader:389] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials]
> > > > >
> > > > > [error] RuntimeError: Failed to start replication
> > > > > '''
> > > > >
> > > > > Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
> > > > >
> > > > > '''
> > > > > [<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> > > > > '''
> > > > >
> > > > > I verified clocks on both Replica and Leader - they show the same time
> > > > > (within 1-2 seconds diff window). In fact, at some point I had Replica
> > > > > taking time straight from Leader, before they were set up to use the
> > > > > other common source. I dumped traffic between Leader and Replica - indeed,
> > > > > Leader tried to authenticate on Replica and Replica replies "Invalid
> > > > > credentials".
> > > > >
> > > > > I googled this error and read multiple email threads but nothing helped
> > > > > so far. Replica works fine as IPA client but can't get promoted to a
> > > > > replica.
> > > > >
> > > > > What am I missing?
> > > > >
> > > > > Thanks!
> > > > >
> > > > > --
> > > > > Khankin Konstantin
> >
> > --
> > Ханкин Константин
>

--
Ханкин Константин
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
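Florence's advice in the thread (dump the directory with ldapsearch and look for the old replica's name) is easy to get wrong with a plain grep: ldif-wrap folds long lines, and 389-ds base64-encodes some values, so a hostname can be split across two lines or hidden inside a `::` value. The script below is an added example, not code from the thread or from FreeIPA; the LDIF sample, the hostnames replica.example.test / leader.example.test and the DNs in it are constructed for the demonstration.

```python
import base64

# Constructed sample in the shape `ldapsearch -LLL -o ldif-wrap` emits: a DN folded across two lines and a
# base64-encoded ('::') value, both of which a plain `grep replica.example.test` over the dump would miss.
SAMPLE_LDIF = "\n".join([
    "dn: cn=meToreplica.example.test,cn=replica,cn=dc\\=example,cn=mapping tree,cn=config",
    "nsDS5ReplicaHost: replica.example.test",
    "description:: " + base64.b64encode(b"me to replica.example.test").decode(),
    "",
    "dn: fqdn=replica.exam",
    " ple.test,cn=computers,cn=accounts,dc=example,dc=test",
    "fqdn: replica.example.test",
    "",
    "dn: fqdn=leader.example.test,cn=computers,cn=accounts,dc=example,dc=test",
])

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])], unfolding continuation lines and decoding '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: one leading space, then the rest of the value
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines + [""]:             # the sentinel blank line flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            attrs.append((attr, value))
    return entries

def find_references(text, host):
    """List (dn, [where]) for each entry whose DN or any value mentions `host`, case-insensitively."""
    needle, hits = host.lower(), []
    for dn, attrs in parse_ldif(text):
        where = (["dn"] if needle in dn.lower() else []) + [a for a, v in attrs if needle in v.lower()]
        if where:
            hits.append((dn, where))
    return hits
```

Run `find_references(open("/tmp/db.ldif").read(), "replica.domain")` (and the same over /tmp/config.ldif) to get the exact DNs and attributes that still reference the removed server before touching them with ldapmodify.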
