Karl Forner wrote:
> 
> 
>     >
>     > It hangs forever.
> 
>     How long is forever?
> 
> 
> Officially it's about 15 minutes. Do you mean that this delay could be
> expected?

Forever is a measurement of patience. I'd have expected a timeout at
some point. To really diagnose things we'd probably need to instrument
ipa-replica-manage to find out where it is getting stuck.

> 
> 
>     > If I run it using the --cleanup option, it seems to work.
> 
>     That does other things.
> 
> 
> and actually it did not really work.

All cleanup does is remove the host as an IPA master. It does nothing
with agreements.

Did you find the agreement using the ldapsearch I proposed?

rob

>  
> 
> 
>     >
>     > But when I try to run again from scratch my replica, using the same
>     > name, I get:
>     >
>     > Checking forwarders, please wait ...
>     > WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
>     > answers
>     > Please fix forwarder configuration to enable DNSSEC support.
>     > (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
>     > WARNING: DNSSEC validation will be disabled
>     > Warning: skipping DNS resolution of host ipa2.example.com
>     > Warning: skipping DNS resolution of host ipa.example.com
>     > Using reverse zone(s) 0.17.172.in-addr.arpa.
>     > A replication agreement for this host already exists. It needs to be
>     > removed.
>     > Run this on the master that generated the info file:
>     >     % ipa-replica-manage del ipa2.example.com --force
>     >
>     > On my master:
>     > # ipa-replica-manage list
>     > ipas.example.com: master
>     > ipa.example.com: master
>     >
>     > I manually removed all DNS entries from the 3 zones mentioning ipa2. I
>     > can check in the web UI, using the search feature that ipa2 has no
>     > occurrence.
>     >
>     > So I do not understand why the replica install thinks there's still a
>     > replication agreement.
>     > And I'd like to know:
>     > 1) why this command did not work
>     >
>     > ipa-replica-manage del ipa2.example.com --force -v
> 
>     Because replication agreements are separate from IPA masters, DNS, etc.
> 
>     >
>     > 2) How could I manually effectively delete this agreement left-over.
>     >
> 
>     To see the agreements on any given master:
> 
>     $ ldapsearch -x -D 'cn=directory manager' -W -b
>     'cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'
> 
>     Use ldapdelete to delete the orphan one, or use something like Apache
>     Studio if you're uncomfortable on the CLI.
> 
>     rob
> 
> 
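
The orphan-agreement check discussed in this thread, as an added example that is not part of the original messages: it reads the LDIF printed by the ldapsearch above and lists every replication agreement whose target host is not one of the masters shown by `ipa-replica-manage list`. The function names and the sample entries are constructed; it assumes plain (non-base64) attribute values and relies on the 389 DS `nsds5replicationagreement` object class and `nsDS5ReplicaHost` attribute.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Reads the ldapsearch LDIF on stdin and
# prints the DN of every replication agreement whose nsDS5ReplicaHost is not
# among the masters given as arguments (the `ipa-replica-manage list` names).
orphan_agreements() {
    awk -v masters="$*" '
        function handle(line,   low) {
            low = tolower(line)
            if (low ~ /^dn: /) dn = substr(line, 5)
            else if (low == "objectclass: nsds5replicationagreement") is_agmt = 1
            else if (low ~ /^nsds5replicahost: /) host = tolower(substr(line, 19))
        }
        function flush() {
            if (is_agmt && host != "" && !(host in known)) print dn
            dn = ""; host = ""; is_agmt = 0
        }
        BEGIN { n = split(masters, m, " "); for (i = 1; i <= n; i++) known[tolower(m[i])] = 1 }
        { sub(/\r$/, "") }
        /^ / { cur = cur substr($0, 2); next }  # folded LDIF line: join to previous
        { if (cur != "") handle(cur); cur = $0 }
        /^$/ { flush() }                        # blank line ends an entry
        END { if (cur != "") handle(cur); flush() }
    '
}

# Constructed sample output (hostnames from the thread, entries assumed).
# The long DNs are folded mid-word, as ldapsearch does by default.
sample_ldif() {
cat <<'EOF'
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replica
cn: replica

dn: cn=meToipas.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tre
 e,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipas.example.com

dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tre
 e,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa2.example.com
EOF
}

# On the master ipa.example.com, the other known master is ipas.example.com.
sample_ldif | orphan_agreements ipa.example.com ipas.example.com
```

Each printed DN is a candidate for the ldapdelete step mentioned above; review it against the current topology before removing it.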
