Hi Florence,

Thanks for looking into this, I appreciate it very much!

```
master# ldapsearch -xLLL -o ldif-wrap=no -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replicationagreement dn
Enter LDAP Password:
dn: cn=meTose-rhidm03x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm01x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm04x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=caTose-rhidm03x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm01x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm04x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
```

On the master, "meTousidc1-rhidm01x.idc1.us.example.com" is there after running `ipa-replica-install <...>` from the replica. This has been found after all my install attempts, and I have been removing that entry using:

```
master# ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: delete
EOF
```

I tried a clean install as per your suggestion, but it fails in the same way. Worth noting that `ipa server-del <replica fqdn>` was not possible since I could not find the replica using `ipa server-find`. Maybe that indicates an issue?

When running the `ipa-replica-install <...>` command I get the following error and warning.

```
Could not resolve hostname se-rhidm03x.se.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
...
WARNING: 2 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details.
Do you want to run the ipa-sidgen task? [no]: no
```

What I do to install the replica is first manually installing it as a client, adding it to the ipaservers hostgroup and then running the `ipa-replica-install <...>` command.

```
replica# ipa-client-install --domain lnx.example.com --force-join --mkhomedir --no-ntp --principal idmsrvjoin --realm LNX.EXAMPLE.COM
master# ipa hostgroup-add-member ipaservers --hosts usidc1-rhidm01x.idc1.us.example.com
replica# ipa-replica-install --verbose --setup-dns --forwarder 10.0.2.200 --forwarder 10.0.2.201 --forwarder 10.0.2.202 --setup-ca
```

I tried sending an e-mail with the following files in a tarball, but it seems to not have been accepted due to its large size. I have published them on my own website instead, hope that works.

master ds389 access: https://www.rexhepi-lindberg.com/iparepl/master/access
master ds389 errors: https://www.rexhepi-lindberg.com/iparepl/master/errors
replica ds389 access: https://www.rexhepi-lindberg.com/iparepl/replica/access
replica ds389 errors: https://www.rexhepi-lindberg.com/iparepl/replica/errors
replica-install.log: https://www.rexhepi-lindberg.com/iparepl/replica/ipareplica-install.log

--
Markus
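
Added example, not part of the original message: a Python check that parses the `dn:` lines of the `ldapsearch` output above, decodes the escaped suffix, and reports replication agreements whose peer is outside a known-server set. `KNOWN_SERVERS` is an assumed stand-in for the host names `ipa server-find` would list, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the dn lines from the ldapsearch output in the message.
SAMPLE = r"""
dn: cn=meTose-rhidm03x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm01x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm04x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=caTose-rhidm03x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm01x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm04x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
"""

# Assumption: stands in for the host names `ipa server-find` would print.
KNOWN_SERVERS = {f"se-rhidm0{n}x.se.example.com" for n in range(1, 5)}

DN_RE = re.compile(
    r"^dn: cn=(?P<name>[^,]+),cn=replica,cn=(?P<suffix>[^,]+),"
    r"cn=mapping tree,cn=config$")

def unescape(value):
    # Decode hex escapes such as \3D ('=') and \2C (','); ASCII values only.
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def peer_of(name):
    # Agreement names in the message: "<src>-to-<dst>", "meTo<dst>", "caTo<dst>".
    if "-to-" in name:
        return name.split("-to-", 1)[1]
    m = re.match(r"(?:me|ca)To(.+)$", name)
    return m.group(1) if m else None

def agreements(ldif):
    # Map each replicated suffix to the list of peer hosts it has agreements with.
    out = defaultdict(list)
    for line in ldif.splitlines():
        m = DN_RE.match(line.strip())
        if m:
            out[unescape(m.group("suffix"))].append(peer_of(m.group("name")))
    return dict(out)

def unknown_peers(ldif, known):
    # Agreements whose peer is not a known server: candidates for review.
    return sorted({(suffix, peer)
                   for suffix, peers in agreements(ldif).items()
                   for peer in peers if peer not in known})

if __name__ == "__main__":
    for suffix, peer in unknown_peers(SAMPLE, KNOWN_SERVERS):
        print(f"{suffix}: agreement to unlisted host {peer}")
```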