Nicholas Cross via FreeIPA-users wrote:
> Ah got it! Wonderful.
>
> The trick was to run the topologysegment-del on the same server it was on.
>
> It seems I am moving forward with this now - thanks.
>
>
> #
> # To remove the topology segment, which removed the replica agreement
> #
>
> #
> # Show the bad replication agreement
> #
>
> # ipa-replica-manage list -v `hostname`
> Directory Manager password:
>
> bad_server.ad.companyx.fm: replica
> last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
> last update ended: 1970-01-01 00:00:00+00:00
> ipa003dc.ad.companyx.fm: replica
> last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> last update ended: 2023-04-26 06:43:07+00:00
> ipa005.ad.companyx.fm: replica
> last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> last update ended: 2023-04-26 06:43:14+00:00
> ipa007.ad.companyx.fm: replica
> last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> last update ended: 2023-04-26 06:43:02+00:00
>
>
> #
> # find the segment (domain or ca)
> #
> $ ipa topologysegment-find domain | grep etcd
> Segment name: ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm
> Right node: bad_server.ad.companyx.fm
>
> #
> # delete that segment
> #
> $ ipa topologysegment-del domain ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm
> ---------------------------------------------------------
> Deleted segment "ipa006.ad.companyx.fm-to-bad_server.ad.companyx.fm"
> ---------------------------------------------------------
>
> #
> # check it has gone - tada!
> #
> $ ipa-replica-manage list -v `hostname`
> ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log'
> ipa003dc.ad.companyx.fm: replica
> last update status: Error (0) Replica acquired successfully: Incremental update started
> last update ended: 1970-01-01 00:00:00+00:00
> ipa005.ad.companyx.fm: replica
> last update status: Error (0) Replica acquired successfully: Incremental update started
> last update ended: 1970-01-01 00:00:00+00:00
> ipa007.ad.companyx.fm: replica
> last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> last update ended: 2023-04-26 06:46:08+00:00
>
>
>
> #
> # Next up, removing the "LDAP Conflicts" but - "Removal of Segment disconnects topology.Deletion not allowed."
> #
>
> $ ldapdelete cn=bad_server.ad.companyx.fm-to-ipa006.ad.companyx.fm+nsuniqueid=34b26c01-ceee11ed-9d1d82de-03f3a8a3,cn=ca,cn=topology,cn=ipa,cn=etc,dc=ad,dc=companyx,dc=fm
> SASL/GSSAPI authentication started
> SASL username: [email protected]
> SASL SSF: 256
> SASL data security layer installed.
> ldap_delete: Server is unwilling to perform (53)
> additional info: Removal of Segment disconnects topology.Deletion not allowed.
>
> #
> # I think this is the solution: https://access.redhat.com/solutions/5507711
> #
> # Question1: during running the above RedHat solution, does this only disable the topology replication? and leaves all other dirsrv components running?
> #
>
>
> #
> # After that - finally remove the Ghost Replicas - which was the original question.
> #
>
> $ ldapsearch -D "cn=Directory Manager" -w $pass -Q -o ldif-wrap=no -LLL -b "dc=ad,dc=companyx,dc=fm" '(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))'
> dn: cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config
> cn: replica
> nsDS5Flags: 1
> nsDS5ReplicaBindDN: cn=replication manager,cn=config
> nsDS5ReplicaBindDNGroup: cn=replication managers,cn=sysaccounts,cn=etc,dc=ad,dc=companyx,dc=fm
> nsDS5ReplicaBindDnGroupCheckInterval: 60
> nsDS5ReplicaId: 56
> nsDS5ReplicaName: a6b5640c-ad3911ed-a50980fb-6203228c
> nsDS5ReplicaRoot: dc=ad,dc=companyx,dc=fm
> nsDS5ReplicaType: 3
> nsState:: OAAAAAAAAABf0EhkAAAAAAAAAAAAAAAA7AAAAAAAAAAFAAAAAAAAAA==
> nsds5ReplicaBackoffMax: 300
> nsds5ReplicaLegacyConsumer: off
> nsds5ReplicaReleaseTimeout: 60
> objectClass: top
> objectClass: nsds5replica
> objectClass: extensibleobject
> nsds5ReplicaCleanRUV: 15:no:0:dc=ad,dc=companyx,dc=fm
> nsds5ReplicaCleanRUV: 24:no:0:dc=ad,dc=companyx,dc=fm
> nsds50ruv: {replicageneration} 5d9e2076000000040000
> nsds50ruv: {replica 56 ldap://ipa006.ad.companyx.fm:389} 63ece66f000000380000 6448d15d000400380000
> nsds50ruv: {replica 46 ldap://ipa005.ad.companyx.fm:389} 63dbcc200001002e0000 6448d115000e002e0000
> nsds50ruv: {replica 48 ldap://ipa007.ad.companyx.fm:389} 63ea4e54000100300000 6448d115000700300000
> nsds50ruv: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 643d03280001003a0000 6448ca410000003a0000
> nsds50ruv: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 643d19680001003c0000 6448c9e40009003c0000
> nsds50ruv: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 643d491e0001003e0000 6448cab40000003e0000
> nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa003dc.ad.companyx.fm;ipa003dc.ad.companyx.fm;389;62;6448cf8e000800380000
> nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa005.ad.companyx.fm;ipa005.ad.companyx.fm;389;46;6448cf8e000800380000
> nsds5agmtmaxcsn: dc=ad,dc=companyx,dc=fm;ipa006.ad.companyx.fm-to-ipa007.ad.companyx.fm;ipa007.ad.companyx.fm;389;48;6448cf8e000800380000
> nsruvReplicaLastModified: {replica 56 ldap://ipa006.ad.companyx.fm:389} 6448d071
> nsruvReplicaLastModified: {replica 46 ldap://ipa005.ad.companyx.fm:389} 6448d02b
> nsruvReplicaLastModified: {replica 48 ldap://ipa007.ad.companyx.fm:389} 6448d02b
> nsruvReplicaLastModified: {replica 58 ldap://ipa001dc.ad.companyx.fm:389} 6448c956
> nsruvReplicaLastModified: {replica 60 ldap://ipa002dc.ad.companyx.fm:389} 6448c8fb
> nsruvReplicaLastModified: {replica 62 ldap://ipa003dc.ad.companyx.fm:389} 6448c9c9
> nsruvReplicaLastModified: {replica 25} 00000000
> nsruvReplicaLastModified: {replica 23} 00000000
> nsruvReplicaLastModified: {replica 40} 00000000
> nsruvReplicaLastModified: {replica 12} 00000000
> nsruvReplicaLastModified: {replica 21} 00000000
> nsds5ReplicaChangeCount: 790081
> nsds5replicareapactive: 0
>
> #
> # Question2: How to remove these? from the above
> #
>
> nsruvReplicaLastModified: {replica 25} 00000000
> nsruvReplicaLastModified: {replica 23} 00000000
> nsruvReplicaLastModified: {replica 40} 00000000
> nsruvReplicaLastModified: {replica 12} 00000000
> nsruvReplicaLastModified: {replica 21} 00000000
>
>
>
> # this sort of thing doesn't seem to work.
>
> dn: cn=clean 12,cn=cleanallruv,cn=tasks,cn=config
> changetype: add
> objectclass: top
> objectclass: extensibleObject
> replica-base-dn: dc=ad,dc=companyx,dc=fm
> replica-id: 12
> cn: clean 12

You can try ipa-replica-manage clean-ruv <value> to try to remove specific
values.

rob
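
The following is an added example, not part of the original messages and not FreeIPA code. It parses the RUV tombstone attributes shown in the ldapsearch output and lists the replica IDs that could be passed to the `ipa-replica-manage clean-ruv` command named in the reply. The rule used here (an nsruvReplicaLastModified element with no LDAP URL, an all-zero timestamp and no matching nsds50ruv element is stale), the function names and the trimmed sample are assumptions.

```python
import re

# Constructed sample: a trimmed subset of the attributes posted in the thread.
SAMPLE_LDIF = """\
nsDS5ReplicaId: 56
nsds5ReplicaCleanRUV: 15:no:0:dc=ad,dc=companyx,dc=fm
nsds50ruv: {replicageneration} 5d9e2076000000040000
nsds50ruv: {replica 56 ldap://ipa006.ad.companyx.fm:389} 63ece66f000000380000 6448d15d000400380000
nsds50ruv: {replica 46 ldap://ipa005.ad.companyx.fm:389} 63dbcc200001002e0000 6448d115000e002e0000
nsruvReplicaLastModified: {replica 56 ldap://ipa006.ad.companyx.fm:389} 6448d071
nsruvReplicaLastModified: {replica 46 ldap://ipa005.ad.companyx.fm:389} 6448d02b
nsruvReplicaLastModified: {replica 25} 00000000
nsruvReplicaLastModified: {replica 12} 00000000
"""

# "{replica <id> [ldap-url]} <rest>"; {replicageneration} does not match.
ELEMENT = re.compile(
    r"^(nsds50ruv|nsruvReplicaLastModified):\s*"
    r"\{replica (\d+)(?: (ldap[^}\s]*))?\}\s*(.*)$", re.I)
CLEANING = re.compile(r"^nsds5ReplicaCleanRUV:\s*(\d+):", re.I)

def classify_ruv(ldif):
    """Split replica IDs into live, stale and already-being-cleaned."""
    live, orphans, cleaning = {}, set(), set()
    for line in ldif.splitlines():
        m = ELEMENT.match(line)
        if m:
            attr, rid = m.group(1).lower(), int(m.group(2))
            url, rest = m.group(3), m.group(4).strip()
            if attr == "nsds50ruv" and url:
                live[rid] = url                      # has a server behind it
            elif attr != "nsds50ruv" and not url and set(rest) <= {"0"}:
                orphans.add(rid)                     # no URL, never modified
            continue
        m = CLEANING.match(line)
        if m:
            cleaning.add(int(m.group(1)))            # clean task already recorded
    stale = sorted(orphans - set(live))
    return {"live": live, "stale": stale, "cleaning": sorted(cleaning)}

def clean_ruv_commands(ldif):
    """Commands to review by hand; IDs with a recorded clean task are skipped."""
    result = classify_ruv(ldif)
    return [f"ipa-replica-manage clean-ruv {rid}"
            for rid in result["stale"] if rid not in result["cleaning"]]

if __name__ == "__main__":
    print("\n".join(clean_ruv_commands(SAMPLE_LDIF)))
```

Feed it the full unwrapped output of the ldapsearch above (`-o ldif-wrap=no`) instead of the sample, and check each ID against the live list before cleaning anything.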
