On Tue, 25 Jan 2022, Brian J. Murrell via FreeIPA-users wrote:
On Tue, 2022-01-25 at 09:18 -0500, Rob Crittenden wrote:

So this was formerly a server and you ran ipa-server-install
--uninstall.

Correct.

Did you also run ipa server-del?

No.  I thought ipa-server-install --uninstall would do all of the work.

So that's the issue. It is documented in RHEL documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/uninstalling_ipa_servers

-------------------------------------------
To uninstall server.example.com:

    On another server, use the ipa server-del command to delete
    server.example.com from the topology:

    [root@another_server ~]# ipa server-del server.example.com

    On server.example.com, use the ipa-server-install --uninstall command:

    [root@server ~]# ipa-server-install --uninstall

    Make sure all name server (NS) DNS records pointing to
    server.example.com are deleted from your DNS zones. This applies
    regardless of whether you use integrated DNS managed by IdM or
    external DNS.

-------------------------------------------


Was this server running additional, non-IPA services?

Yes.

Then you ran ipa-client-install?

Correct, as a prerequisite for running ipa-replica-install.

You didn't have any issues with this host is already enrolled?

No, it's enrolled right now and happily providing gssapi-authenticated
services.

How are you trying to remove the ldap service principal?

In the GUI.  Clicking on ldap/[email protected] and then
clicking the delete button there.

Does using a raw LDAP delete help?

 ldapdelete -D cn=directory\ manager -W krbprincipalname=ldap/[email protected],cn=services,cn=accounts,dc=example,dc=com

?

If not, you might need to temporarily fix the LDAP entry schema
consistency before deleting the object. It means you'd need to add
krbPrincipalName attribute back.


Is there something special about the client config that you can't
uninstall the client to ensure the host and service entries for it are
cleaned up?

The client has been uninstalled (as a result of ipa-replica-install --
or maybe it's ipa-server-install you are told to do when
ipa-replica-install fails) --uninstall and re-installed (as a
prerequisite to ipa-replica-install, per
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#creating-the-replica-promote,
but I am also now seeing
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica#creating-the-replica-from-scratch
but the first link was how I set up the server I am now trying to
replicate from).

Honestly though, I don't care which process I use.  I was just using
what had worked before.

Cheers,
b.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
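
Added example, not part of the original thread and not FreeIPA code: one way to prepare the "add krbPrincipalName attribute back" step suggested above. It reads ldapsearch -LLL output for cn=services and writes ldapmodify input for entries whose RDN is krbprincipalname=... but whose attribute is missing. The host names, realm and base DN are constructed placeholders, and it assumes the attribute value should equal the RDN value.

```python
import re

# Constructed sample of `ldapsearch -LLL -b cn=services,cn=accounts,...` output;
# host names and realm are placeholders, not values from the thread.
SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/server.example.com@EXAMPLE.COM,cn=services,cn=accou
 nts,dc=example,dc=com
objectClass: ipaservice
krbPrincipalName: HTTP/server.example.com@EXAMPLE.COM

dn: krbprincipalname=ldap/server.example.com@EXAMPLE.COM,cn=services,cn=accou
 nts,dc=example,dc=com
objectClass: ipaservice
"""

# First RDN of the DN, allowing backslash-escaped characters in the value.
RDN_RE = re.compile(r"^krbprincipalname=((?:\\.|[^,\\])+),", re.IGNORECASE)


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; assumes no base64 (::) values."""
    unfolded = re.sub(r"\n ", "", text)  # undo RFC 2849 line folding
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries


def repair_ldif(text):
    """Build ldapmodify input restoring krbPrincipalName from each entry's RDN."""
    out = []
    for dn, attrs in parse_ldif(text):
        m = RDN_RE.match(dn)
        if m and "krbprincipalname" not in attrs:
            principal = re.sub(r"\\(.)", r"\1", m.group(1))  # unescape RDN value
            out.append(f"dn: {dn}\nchangetype: modify\nadd: krbPrincipalName\n"
                       f"krbPrincipalName: {principal}\n")
    return "\n".join(out)


if __name__ == "__main__":
    print(repair_ldif(SAMPLE_LDIF))
```

Review the generated LDIF before feeding it to ldapmodify as Directory Manager; the ldapdelete can be retried once the entry is consistent again.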