David Spångberg wrote:

I have a problem similar to the problem George He talked about last week
in this mailing list:

Basically I have an ipa master running and wanted to setup a replica.
However the CA installation step failed and the `ipa-replica-install'
script informed me to perform a `ipa-server-install --uninstall' which I
did. I then ran `ipa-replica-install' without the `--setup-ca' flag
thinking I could use `ipa-ca-install' later.

I got informed that the host already existed on the master and to run
`ipa-replica-manage del' to remove it. If I remember correctly this
command failed complaining about not being able to connect to the ldap
service. I then tried and failed with the `--force' flag which was
discussed in George He's thread. This is how it looks for me now:

At the replica server:
$ ipa-replica-install /var/lib/ipa/replica-info-ipa2.example.com.gpg
The host ipa2.example.com already exists on the master server. Depending
on your configuration, you may perform the following:

Remove the replication agreement, if any:
     % ipa-replica-manage del ipa2.example.com
Remove the host entry:
     % ipa host-del ipa2.example.com

At the master server:
$ ipa-replica-manage list
ipa2.example.com: master
ipa.example.com: master

$ ipa-replica-manage del ipa2.example.com
'ipa.example.com' has no replication agreement for 'ipa2.example.com'

$ ipa-replica-manage --force ipa2.example.com
'ipa.example.com' has no replication agreement for 'ipa2.example.com'

$ ipa host-del ipa2.drutt.com
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or

It seems like `ipa-replica-manage' succeeded in removing just enough
entries in the ldap service to fool the `ipa-replica-manage del' command
but not enough to really uninstall it. Checking the output of, for example,
`ldapsearch -D "cn=Directory Manager" -w pass -LLL -x cn=ipa-http-delegation'
seems to confirm this.

There is a bug in the installer that if tomcat never starts we don't record the fact that the CA was ever created causing the uninstall to be incomplete. It is unclear whether this is the same problem.

This is unrelated to ipa-replica-manage, it never did anything (no replication agreement).

You are searching in the wrong location for IPA masters, try this instead:

ldapsearch -D "cn=Directory Manager" -w pass -LLL -x -b cn=masters,cn=ipa,cn=etc,dc=example,dc=com

My guess is there will be just a CA entry for replica2. Use ldapdelete to remove any entries for replica2 and you should be able to install.

Note that trying to install IPA then adding the CA when the previous attempt failed is not likely to succeed either. The underlying reason why the CA install failed needs to be addressed.
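Added example (not from this thread): given the output of that ldapsearch against the masters container, list what is left under the stale replica's entry, deepest entry first, which is the order ldapdelete needs. The LDIF sample is constructed and the child entry names (CA, KDC) are assumed.

```python
import base64
from typing import List

BASE = "cn=masters,cn=ipa,cn=etc,dc=example,dc=com"

# Constructed sample of what `ldapsearch -LLL -b cn=masters,...` might show after the
# failed replica install: the working master keeps its service entries, ipa2 has only a
# stray CA entry. One DN is folded and one base64-encoded, both forms ldapsearch emits.
SAMPLE_LDIF = (
    "dn: " + BASE + "\ncn: masters\n\n"
    "dn: cn=ipa.example.com," + BASE + "\ncn: ipa.example.com\n\n"
    "dn: cn=CA,cn=ipa.example.com," + BASE + "\ncn: CA\nipaConfigString: enabledService\n\n"
    "dn:: " + base64.b64encode(("cn=KDC,cn=ipa.example.com," + BASE).encode()).decode() + "\ncn: KDC\n\n"
    "dn: cn=ipa2.example.com," + BASE + "\ncn: ipa2.example.com\n\n"
    "dn: cn=CA,cn=ipa2.example.com,cn=masters,cn=ipa,\n cn=etc,dc=example,dc=com\ncn: CA\n"
)

def parse_ldif_dns(ldif: str) -> List[str]:
    """Return the DN of every entry in an ldapsearch -LLL dump, unfolding
    continuation lines (leading space) and decoding base64 'dn::' values."""
    unfolded: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # LDIF folds long lines with a leading space
        else:
            unfolded.append(raw)
    dns = []
    for line in unfolded:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:].strip()).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns

def stale_master_dns(ldif: str, hostname: str, base: str = BASE) -> List[str]:
    """DNs of cn=<hostname>,<base> and everything below it, deepest first, which is
    the order ldapdelete needs (a parent cannot be removed before its children).
    Assumes no escaped commas in the RDNs, which holds for IPA master entries."""
    root = f"cn={hostname},{base}".lower()
    hits = [dn for dn in parse_ldif_dns(ldif)
            if dn.lower() == root or dn.lower().endswith("," + root)]
    return sorted(hits, key=lambda dn: dn.count(","), reverse=True)

def ldapdelete_commands(dns: List[str]) -> List[str]:
    """One ldapdelete call per DN, in stale_master_dns order (-W prompts for the
    Directory Manager password instead of putting it on the command line)."""
    return [f'ldapdelete -x -D "cn=Directory Manager" -W "{dn}"' for dn in dns]
```

Review the printed DNs against the live search before running them; the healthy master's entries must not appear in the list.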
