Karl Forner wrote:
> I am running a master freeIPA called "ipa" in an adelton/freeipa-server
> (freeIPA 4.1.4).
> I am able to create a replica server "ipa2", still in an
> adelton/freeipa-server.
>
> If I stop my ipa2 replica, and try to delete the replication agreement:
>
> % ipa-replica-manage del ipa2.example.com --force -v
>
> It hangs forever.

How long is forever?

> If I run it using the --cleanup option, it seems to work.

That does other things.

> But when I try to run again from scratch my replica, using the same
> name, I get:
>
> Checking forwarders, please wait ...
> WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
> answers
> Please fix forwarder configuration to enable DNSSEC support.
> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> WARNING: DNSSEC validation will be disabled
> Warning: skipping DNS resolution of host ipa2.example.com
> Warning: skipping DNS resolution of host ipa.example.com
> Using reverse zone(s) 0.17.172.in-addr.arpa.
> A replication agreement for this host already exists. It needs to be
> removed.
> Run this on the master that generated the info file:
> % ipa-replica-manage del ipa2.example.com --force
>
> On my master:
> # ipa-replica-manage list
> ipas.example.com: master
> ipa.example.com: master
>
> I manually removed all DNS entries from the 3 zones mentioning ipa2. I
> can check in the web UI, using the search feature, that ipa2 has no
> occurrence.
>
> So I do not understand why the replica install thinks there's still a
> replication agreement.
> And I'd like to know:
> 1) why this command did not work
>
> ipa-replica-manage del ipa2.example.com --force -v

Because replication agreements are separate from IPA masters, DNS, etc.

> 2) How could I manually effectively delete this agreement left-over.

To see the agreements on any given master:

$ ldapsearch -x -D 'cn=directory manager' -W -b 'cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'

Use ldapdelete to delete the orphan one, or use something like Apache Studio if you're uncomfortable on the CLI.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
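An added example, not code from the thread: a small shell script that takes the LDIF the ldapsearch in the reply returns, unfolds LDIF continuation lines, picks out the nsds5replicationagreement entries whose nsDS5ReplicaHost is the stale replica, and prints the ldapdelete to run against each. The sample LDIF is constructed, and the cn=meTo<host> naming, the cn=replica container and the attribute names are assumed to follow the standard 389-ds/IPA layout.

```shell
# Added example: pick the replication agreement(s) pointing at one host out of
# the ldapsearch output from the reply, and print the ldapdelete to remove it.
# Constructed sample LDIF (hosts and DNs made up) shaped like the output of the
# ldapsearch in the reply; the long DNs are folded as LDIF folds lines > 76 chars.
SAMPLE_LDIF='dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsDS5Replica
nsDS5ReplicaId: 4

dn: cn=meToipas.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping t
 ree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipas.example.com

dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping t
 ree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa2.example.com
'

# unfold_ldif: join LDIF continuation lines (a leading single space continues
# the previous line) so every attribute and DN sits on one line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (have) print buf; buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# agreement_dns HOST: print the DN of each nsds5replicationagreement entry whose
# nsDS5ReplicaHost is HOST (compared case-insensitively, as LDAP does).
agreement_dns() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    unfold_ldif | awk -v want="$want" '
        /^dn: / { dn = substr($0, 5); agr = 0; h = ""; next }
        /^$/    { if (agr && h == want) print dn; agr = 0; next }
        { split($0, kv, ": "); k = tolower(kv[1]); v = tolower(kv[2]) }
        k == "objectclass" && v == "nsds5replicationagreement" { agr = 1 }
        k == "nsds5replicahost" { h = v }
        END     { if (agr && h == want) print dn }
    '
}

# delete_commands HOST: emit one ldapdelete per matching agreement for review
# (-W prompts for the Directory Manager password, as in the reply).
delete_commands() {
    agreement_dns "$1" | while IFS= read -r dn; do
        printf "ldapdelete -x -D 'cn=directory manager' -W '%s'\n" "$dn"
    done
}
```

Feed it the real output with `ldapsearch ... | delete_commands ipa2.example.com`, check the printed DNs, then run them.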