Yes I think you are spot on. Replication stopped working and we didnt notice.
This server hadto be rebuilt as it didnt build properly so it got re-added to
IPA and I assume two different IPA servers.
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 12 October 2012 9:31 a.m.
To: Steven Jones
Cc: Matthew Barr; firstname.lastname@example.org
Subject: Re: [Freeipa-users] Cleaning a host that is both present & not found
Steven Jones wrote:
> Looks like I have this at present as well.
> The advice off RH support is to run an ldapdelete but Im waiting on the
> complete syntax off them and why its happened.
> Meantime I have 2 machines in this state, no one can login.
> So what they have said is,
> Hello Steven, I am still going through all the data available in this case,
> but it looks like you should be able to fix this problem by deleting the
> following two entries using ldapdelete: dn:
> =ods,dc=vuw,dc=ac,dc=nz dn:
> case number is 00716456, if you have RH support maybe link it? so if its a
> clear bug it gets addressed.
The second entry he suggests deleting is your DNS entry, that does not
need to be touched.
This looks like a replication conflict. The same host must have been
created on two separate masters while replication was down. This will
result in the nsuniqueid entry. You need to manually resolve the
differences between the two but as of yet IPA doesn't provide any tools
to help manage this process.
Basically you'll want to merge any values from the entry whose dn is
nsuniqueid=...,cn=computers to the equivalen fqdn=...,cn=computers
entry. This is if you want to preserve any existing keytabs,
certificates, etc. I may be fine to just remove both entries and start
over. Note that you need to be careful not to orphan any service entries
that may be associated with the host.
You'll want to base your searches on cn=computers,cn=accounts,dc
=ods,dc=vuw,dc=ac,dc=nz to get only the matching host(s).
The delete is failing because we expect only one host to be found but
two are so we throw our hands up. A better error message would make this
clearer. If you look in the Apache error log you may see it returns
Freeipa-users mailing list