On 12/16/2013 10:37 PM, Rob Crittenden wrote:
Dmitri Pal wrote:On 12/16/2013 10:40 AM, Bret Wortman wrote:I had a replica that was completely failing to respond to its clients, so I removed it by first running "ipa-replica-manage del" on the replica master, then "ipa-server-install -U --uninstall" on the replica. I regenereated the replica file and, upon trying to re-initialize the replica, received this error:: The host fsipa.spx.net already exists on the master server. You should remove it before proceeding: % ipa host-del fsipa.damascusgrp.com [root@fsipa ~]# On the master: [root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled [root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com Host name: fsipa.damascusgrp.com Principal name: host/fsipa.damascusgrp....@damascusgrp.com Password: False Keytab: True Managed by: fsipa.damascusgrp.com SSH public key fingerprint: ... : [root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com 'ipamaster.damascusgrp.com' has no replication agreement for 'fsipa.damascusgrp.com' [root@ipamaster ~]#What's the right way to clean this up without making the situation worse?Do you use IPA DNS?
What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?It would appear that the replica uninstallation was a bit incomplete. The lack of replication may be part of, or the cause of, the problem.I guess I would start by double-checking that the remaining master doesn't have an RUV record for the old one:# ipa-replica-manage list-ruv
This returns nothing, so I'm assuming that's good.
If so you can use the clean-ruv command to clean things up. Be very careful what number you plug in there. This is one of those "with great power comes great responsibility" commands.As for the remaining master entries, you'll need to use ldapdelete to remove them.Something like this: # ldapdelete -x -D 'cn=directory manager' -W rcn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com^D
# ldapdelete -x -D 'cn=directory manager' -W -r cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com ^D ldap_delete: Operations error (1) ldap_delete: Operation not allowed on non-leaf (66) #
My syntax may be a bit off but you basically want to delete this entry and all its children. If you're nervous stick in the -n option and it will tell you what its going to do without deleting anything.Actually, the "-n" option just distracted me for 5 minutes -- it had me chasing syntax until I realized that it was just not doing anything and not reporting anything either. Dropping it led to the error above.
Newer IPA has a new command in ipa-replica-manage to make this cleanup easier.Looking forward to upgrading, then. Replica management is a headache for us, but given the benefits IPA has brought, it's worth it. Thanks for all your help.
Once those entries are gone you can delete the host entry and proceed on your way.rob _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users
Description: S/MIME Cryptographic Signature
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users