On 04/07/2016 07:23 AM, Prashant Bapat wrote:
What I have done now was to add a new server, ipa02 and configured replication again and things are fine.


However on IPA1 the 389 ds error logs have reference to the dead ipa2 replica.

[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net" (ipa2:389)).
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Retrying in 14400 seconds

It will never be able to connect to ipa2 as it's gone permanently. Also the ipa-replica-manage list `hostname` command still shows the ipa2 as replica.

How to remove this permanently ???
I don't know why you did get into this state, ipa-replica-manage del should have removed the agreement. You can do it by directly deleting it in DS:
- get the full dn of the agreement
ldapsearch ..... -D "cn=directory manager" -w .... -b cn=config "cn=meToipa2.example.net" dn
it should return an entry with
dn: <agreement dn>

then do a delete

ldapmodify ..... -D "cn=directory manager" -w ....
dn: <agreement dn>
changetype: delete


Thanks.
--Prashant

On 6 April 2016 at 22:17, Prashant Bapat <prash...@apigee.com> wrote:

    # ipa-replica-manage list `hostname`
    ipa2.example.net: replica
    ipa3.example.net: replica
    ipa4.example.net: replica

    ipa2.example.net should not be there.
    How do I remove it?

    On 6 April 2016 at 18:55, Rob Crittenden <rcrit...@redhat.com> wrote:

        Prashant Bapat wrote:

            Hi,

            We had 4 IPA servers in master master mode with all of
            them connected to
            each other.

            IPA1 <---->  IPA2 (colo 1)
            IPA3 <---->  IPA4 (colo 2)

            One of the replica servers (IPA2) had to be rebuilt.

            So I went ahead and used below commands.

            ipa-replica-manage disconnect IPA2 IPA3
            ipa-replica-manage disconnection IPA2 IPA4
            ipa-replica-manage del IPA2 (to remove it on IPA1).

            And then ran ipa-server-install --uninstall on IPA2.

            Created the replica info file using ipa-replica-prepare IPA2.

            When I tried to run ipa-replica-install on IPA2, it says

            A replication agreement for this host already exists. It
            needs to be
            removed.
            Run this on the master that generated the info file:
                 % ipa-replica-manage del ipa2.example.net --force

            Now on IPA1, no matter what I do it still has references
            to IPA2.

            So far I have tried the following.

             1. ipa-replica-manage del --force IPA2
             2. ipa-replica-manage del --force --cleanruv IPA2
             3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w - -b "dc=example,dc=net" -r 6


            Got the rid = 6 by running
            ldapsearch -Y GSSAPI -b "dc=example,dc=net" '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' nsds50ruv

            In the directory server logs, I guess it's still trying to
            connect to
            IPA2 and failing. Below are some lines.

            [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
            [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
            [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Not all replicas online, retrying in 2560 seconds...

            Any pointers would be helpful.


        On ipa1 run:

        % ipa-replica-manage list -v `hostname`

        This will give the list of actual agreements and their status.

        rob






--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael 
O'Neill
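
Added example, not part of the original thread: a small Python check that reads 389-ds error-log lines in the format quoted above and reports replication agreements whose binds keep failing and which CleanAllRUV rids are stuck behind them. The log lines are constructed from the thread's format, and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds error-log format quoted in the thread.
SAMPLE_LOG = '''\
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Replica not online (agmt="cn=meToipa2.example.net" (ipa2:389))
[06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task (rid 6): Not all replicas online, retrying in 2560 seconds...
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - agmt="cn=meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net" (ipa2:389)).
[07/Apr/2016:04:13:12 +0000] NSMMReplicationPlugin - agmt="cn=meToipa3.example.net" (ipa3:389): Replication bind with GSSAPI auth resumed
'''

TIMESTAMP = re.compile(r'^\[([^\]]+)\]')
AGMT = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:)]+):(?P<port>\d+)\)')
TASK = re.compile(r'CleanAllRUV Task \(rid (?P<rid>\d+)\)')
BIND_FAILED = re.compile(r'Replication bind with \S+ auth failed')

def stale_agreements(log_text):
    """Return {agreement cn: summary} for agreements that failed and did not recover."""
    state = defaultdict(lambda: {"host": None, "bind_failures": 0,
                                 "blocked_rids": set(), "last_seen": None,
                                 "recovered": False})
    for line in log_text.splitlines():
        agmt = AGMT.search(line)
        if "NSMMReplicationPlugin" not in line or not agmt:
            continue  # not a replication line, or no agreement named on it
        entry = state[agmt["agmt"]]
        entry["host"] = f'{agmt["host"]}:{agmt["port"]}'
        stamp = TIMESTAMP.match(line)
        entry["last_seen"] = stamp.group(1) if stamp else None
        task = TASK.search(line)
        if task:
            # A CleanAllRUV (or abort) task is waiting on this agreement.
            entry["blocked_rids"].add(int(task["rid"]))
            entry["recovered"] = False
        elif BIND_FAILED.search(line):
            entry["bind_failures"] += 1
            entry["recovered"] = False
        elif "auth resumed" in line:
            entry["recovered"] = True  # the peer came back; not stale
    return {name: info for name, info in state.items()
            if not info["recovered"]
            and (info["bind_failures"] or info["blocked_rids"])}

if __name__ == "__main__":
    for name, info in stale_agreements(SAMPLE_LOG).items():
        print(name, info)
```

An agreement reported here is only a candidate: compare it with the output of `ipa-replica-manage list -v` before deleting anything under cn=config.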
