Steven Jones wrote:
Hi,

Looks like I have this at present as well.

The advice off RH support is to run an ldapdelete but I'm waiting on the 
complete syntax off them and why it's happened.

Meantime I have 2 machines in this state, no one can login.

:/

So what they have said is,

==========
Hello Steven, I am still going through all the data available in this case, but 
it looks like you should be able to fix this problem by deleting the following 
two entries using ldapdelete:

dn: nsuniqueid=fdda5001-0cf511e2-8bfdc792-b25c661e,cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
dn: idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
=========

case number is 00716456, if you have RH support maybe link it? so if it's a 
clear bug it gets addressed.

The second entry he suggests deleting is your DNS entry, that does not need to be touched.

This looks like a replication conflict. The same host must have been created on two separate masters while replication was down. This will result in the nsuniqueid entry. You need to manually resolve the differences between the two but as of yet IPA doesn't provide any tools to help manage this process.

Basically you'll want to merge any values from the entry whose dn is nsuniqueid=...,cn=computers to the equivalent fqdn=...,cn=computers entry. This is if you want to preserve any existing keytabs, certificates, etc. It may be fine to just remove both entries and start over. Note that you need to be careful not to orphan any service entries that may be associated with the host.

You'll want to base your searches on cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz to get only the matching host(s).

The delete is failing because we expect only one host to be found but two are, so we throw our hands up. A better error message would make this clearer. If you look in the Apache error log you may see it returns SingleMatchExpected.

rob
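
The comparison step described in the reply above, as an added example that is not part of the original thread or IPA's own tooling: it reads LDIF (as ldapsearch would print it for the cn=computers subtree) and lists the values present only on the conflict entry, which are the ones to review before deleting it. The sample LDIF, the example.test names, the SKIP set and the function names are constructed for illustration.

```python
import base64

# Constructed sample (not from the thread): a conflict entry and the normal host entry.
SAMPLE_LDIF = """\
dn: nsuniqueid=00000000-00000000-00000000-00000000+fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: host1.example.test
nsds5ReplConflict: namingConflict fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test
krbPrincipalName: host/host1.example.test@EXAMPLE.TEST
userCertificate:: Q09OU1RSVUNURUQ=
managedBy: fqdn=host1.example.test,cn=computers,cn=accounts,
 dc=example,dc=test

dn: fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: host1.example.test
krbPrincipalName: host/host1.example.test@EXAMPLE.TEST
"""
SKIP = {"nsuniqueid", "nsds5replconflict"}  # assumption: conflict bookkeeping, not host data

def parse_ldif(text):
    """Return {dn: {attr: set(values)}}; unfolds wrapped lines, decodes '::' base64 values."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            if name.lower() == "dn":
                dn = value.decode() if isinstance(value, bytes) else value
            else:
                attrs.setdefault(name.lower(), set()).add(value)
        if dn:
            entries[dn] = attrs
    return entries

def is_conflict(dn, attrs):
    return "nsds5replconflict" in attrs or dn.lower().startswith("nsuniqueid=")

def values_to_merge(entries):
    """Map each conflict DN to (matching host DN, {attr: values the host entry lacks})."""
    plan = {}
    for dn, attrs in entries.items():
        if is_conflict(dn, attrs):
            fqdns = attrs.get("fqdn", set())
            target = next((d for d, a in entries.items()
                           if not is_conflict(d, a) and fqdns & a.get("fqdn", set())), None)
            have = entries.get(target, {})
            missing = {k: v - have.get(k, set()) for k, v in attrs.items() if k not in SKIP}
            plan[dn] = (target, {k: v for k, v in missing.items() if v})
    return plan
```

A target of None in the result means no normal fqdn=... entry was found for that conflict entry, so nothing should be deleted until that is understood.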
