Hi,

Yes I think you are spot on. Replication stopped working and we didn't notice. This server had to be rebuilt as it didn't build properly so it got re-added to IPA and I assume two different IPA servers.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 12 October 2012 9:31 a.m.
To: Steven Jones
Cc: Matthew Barr; email@example.com
Subject: Re: [Freeipa-users] Cleaning a host that is both present & not found

Steven Jones wrote:
> Hi,
>
> Looks like I have this at present as well.
>
> The advice off RH support is to run an ldapdelete but I'm waiting on the
> complete syntax off them and why it's happened.
>
> Meantime I have 2 machines in this state, no one can login.
>
> :/
>
> So what they have said is,
>
> ==========
> Hello Steven, I am still going through all the data available in this case,
> but it looks like you should be able to fix this problem by deleting the
> following two entries using ldapdelete:
> dn: nsuniqueid=fdda5001-0cf511e2-8bfdc792-b25c661e,cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz
> dn: idnsName=vuwunicosldedt2,idnsname=ods.vuw.ac.nz,cn=dns,dc=ods,dc=vuw,dc=ac,dc=nz
> =========
>
> case number is 00716456, if you have RH support maybe link it? so if it's a
> clear bug it gets addressed.

The second entry he suggests deleting is your DNS entry, that does not need to be touched.

This looks like a replication conflict. The same host must have been created on two separate masters while replication was down. This will result in the nsuniqueid entry.

You need to manually resolve the differences between the two but as of yet IPA doesn't provide any tools to help manage this process.

Basically you'll want to merge any values from the entry whose dn is nsuniqueid=...,cn=computers to the equivalent fqdn=...,cn=computers entry. This is if you want to preserve any existing keytabs, certificates, etc. I may be fine to just remove both entries and start over. Note that you need to be careful not to orphan any service entries that may be associated with the host.
You'll want to base your searches on cn=computers,cn=accounts,dc=ods,dc=vuw,dc=ac,dc=nz to get only the matching host(s).

The delete is failing because we expect only one host to be found but two are so we throw our hands up. A better error message would make this clearer. If you look in the Apache error log you may see it returns SingleMatchExpected.

rob
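
The duplicate-match situation described in the thread, as an added example that is not part of the original messages or FreeIPA's own tooling: it reads LDIF from a search under cn=computers,cn=accounts, reports each fqdn matched by more than one entry, and lists the values held only by the conflict entry so they can be merged before anything is deleted. It assumes conflict entries carry the 389 Directory Server `nsds5ReplConflict` attribute; the host names, suffix, nsuniqueid and values in the sample are constructed.

```python
from collections import defaultdict

# Constructed LDIF (invented hosts, suffix and values) for illustration only.
SAMPLE_LDIF = """\
dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: web1.example.test
krbPrincipalName: host/web1.example.test@EXAMPLE.TEST

dn: nsuniqueid=00000000-11111111-22222222-33333333+fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: web1.example.test
krbPrincipalName: host/web1.example.test@EXAMPLE.TEST
userCertificate:: Q09OU1RSVUNURUQ=
nsds5ReplConflict: namingConflict fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test

dn: fqdn=db1.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: db1.example.test
"""

def parse_ldif(text):
    """Return [(dn, {attr: set(values)})]; unfolds wrapped LDIF lines."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = defaultdict(set)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.lower()].add(value.lstrip(": ").strip())
        entries.append((next(iter(attrs["dn"])), attrs))
    return entries

def duplicate_hosts(entries):
    """Report every fqdn matched by more than one entry under the base."""
    by_fqdn = defaultdict(dict)
    for dn, attrs in entries:
        for fqdn in attrs.get("fqdn", ()):
            by_fqdn[fqdn.lower()][dn] = attrs
    dupes = {f: e for f, e in by_fqdn.items() if len(e) > 1}
    report = {}
    for fqdn, found in dupes.items():
        conflict = [dn for dn, a in found.items() if "nsds5replconflict" in a]
        keep = [dn for dn in found if dn not in conflict]
        missing = defaultdict(set)  # values only a conflict entry holds
        for dn in conflict:
            for name, values in found[dn].items():
                have = set().union(*(found[k].get(name, set()) for k in keep))
                if name not in ("dn", "nsds5replconflict"):
                    missing[name] |= values - have
        merge = {k: sorted(v) for k, v in missing.items() if v}
        report[fqdn] = {"keep": keep, "conflict": conflict, "to_merge": merge}
    return report
```

Calling `duplicate_hosts(parse_ldif(SAMPLE_LDIF))` flags only web1.example.test and shows that its certificate exists solely on the conflict entry.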