subject:"\[Freeipa\-users\] Re\: ipa\-replica\-manage \-\-force replica.server fails"

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-18 Thread Dmitry Perets via FreeIPA-users

On Mon, Mar 18, 2019 at 4:53 PM Rob Crittenden  wrote:
>
>
> ipa-replica-manage del  --cleanup --force will clean these
> entries up, and others.
>
> rob

Rob,

I tried this. It didn't work. The command itself failed with the same
error message:
PKINIT enabled server': all masters must have IPA master role enabled
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-18 Thread Rob Crittenden via FreeIPA-users

Dmitry Perets via FreeIPA-users wrote:
>>
>> Exactly as the others report, I can no longer login to the WebUI. It says 
>> "invalid
>> 'PKINIT enabled server': all masters must have IPA master role enabled" and
>> then throws an exception:
>>
> 
> UPDATE: To resolve it, you can delete the following subtree entirely:
> 
> DN: 
> cn=,cn=masters,cn=ipa,cn=etc,dc=ims,dc=telekom,dc=de
> 
> I think it should be marked as an issue... failed replica shouldn't affect 
> WebUI of other masters...

ipa-replica-manage del  --cleanup --force will clean these
entries up, and others.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-18 Thread Dmitry Perets via FreeIPA-users

> 
> Exactly as the others report, I can no longer login to the WebUI. It says 
> "invalid
> 'PKINIT enabled server': all masters must have IPA master role enabled" and
> then throws an exception:
> 

UPDATE: To resolve it, you can delete the following subtree entirely:

DN: 
cn=,cn=masters,cn=ipa,cn=etc,dc=ims,dc=telekom,dc=de

I think it should be marked as an issue... failed replica shouldn't affect 
WebUI of other masters...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-18 Thread Alexander Bokovoy via FreeIPA-users


On ma, 18 maalis 2019, Dmitry Perets via FreeIPA-users wrote:

Sorry, this was actually my response to another thread, but due to some
issue, it was posted like a separate thread... I think it was caused by
GMAIL that popped up when I tried to reply. @moderators, if possible,
please delete this...

Could you please use an email client and quote a context around the
response you do? Because when you are posting through HyperKitty web
interface, no context is left whatsoever in the emails it sends to the
list on your behalf and we are left confused what part of an email you
are replying to.

I know it is possible to quote in HyperKitty web interface too but it
seems to be totally cut out so no real context is available.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-18 Thread Dmitry Perets via FreeIPA-users

Sorry, this was actually my response to another thread, but due to some issue, 
it was posted like a separate thread... I think it was caused by GMAIL that 
popped up when I tried to reply. @moderators, if possible, please delete this...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-18 Thread Dmitry Perets via FreeIPA-users

Hi,

I have the same issue right now...
I had two working replicas, and I tried to add the third one. But due
to some issues with ansible playbook, the installation of that third
replica failed in the middle (I believe ansible lost SSH connection
somewhere in the middle). That obviously left the new replica in kinda
undefined state, which is not my issue. My issue is that it affected
WebUI of both other two replicas.

Exactly as the others report, I can no longer login to the WebUI. It
says "invalid 'PKINIT enabled server': all masters must have IPA
master role enabled" and then throws an exception:

TypeError: Cannot read property 'ipapwdexpadvnotify' of undefined
at Object.y.update_password_expiration
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1:37205)
at Object.start_runtime
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1:17298)
at Object.
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1:1262)
at 
https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1:3478
at Object.forEach
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/dojo/dojo.js?v=40604:1:29752)
at Object._run_phase
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1:3442)
at Object.next_phase
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1:3904)
at Object.
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1:3631)
at c 
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/dojo/dojo.js?v=40604:1:60960)
at e.extend.then.then.t.then
(https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/dojo/dojo.js?v=40604:1:62246)

All the commands offered in this thread give me the same error so far:
"invalid 'PKINIT enabled server': all masters must have IPA master
role enabled"

Fortunately, it seems that the domain services keep working fine,
users can login etc. But WebUI is dead, and the failed replica is
stuck in the list of ipa-replica-manage...

Sounds like a bug...?

--
Regards,
Dmitry Perets.

"The more one knows, the less opinions he shares"
-- Wilhelm Schwebel
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-15 Thread Paul Calabro via FreeIPA-users

Also, I think one of the replicas got interrupted during the installation. I 
see this:

ipa server-find --all

...
 Managed suffixes: domain
  Min domain level: 0
  Max domain level: 1
  Enabled server roles: NTP server
...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-03-15 Thread Paul Calabro via FreeIPA-users

I just bumped into this as well. I think I've tried every permutation of 
commands+options, but I'm getting the "invalid 'PKINIT enabled server': all 
masters must have IPA master role enabled" message as well when running 
"ipa-replica-manage del --force -c ". Any ideas on how to resolve 
this?
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-01-09 Thread K. M. Peterson via FreeIPA-users

I located every entry in LDAP that referenced the failed server and removed
each of them.  I know that the entries in the etc ipa masters hierarchies
wouldn't go until I'd removed several of the others, which know included
the custodia entries.  I think there weren't any topology entries by that
point.

Sorry not to be more helpful...

On Tue, Jan 8, 2019 at 5:12 PM Rob Crittenden  wrote:

> K. M. Peterson via FreeIPA-users wrote:
> > I'm going to reply to myself, after several more hours of digging, I
> > discovered that although it wasn't true at the time I posted the above
> > question, eventually, as with the original post from Lachlan Musicman
> > <
> https://lists.fedorahosted.org/archives/users/46343247263810572257541459042951629750/
> >,
> > the WebUI died, and that meant no self-service for the rest of the
> > team.  And that made it into an emergency.
> >
> > So, I fired up my LDAP editor (I've been using JXWorkBench) and went to
> > eradicate all the traces of the failed replica.  Which fixed the issue;
> > and I'm fairly sure there aren't any lingering effects.  I think.
> >
> > But this was the first time I've used the editor to actual effect any
> > changes to things; and I'm going to post the underlying question that
> > raised in a new thread...
> >
> > This seems to have bitten at least a few of us; I'd be happy to know how
> > to file a bug if there's a useful contribution there.  Thanks!
>
> You didn't happen to keep a list of the entries/values you removed did you?
>
> rob
>
> >
> > On Sat, Jan 5, 2019 at 4:47 PM K. M. Peterson  > > wrote:
> >
> > Hate _hate_ to open old threads, but...
> >
> > I'm also seeing this.  I've been trying to add another replica to
> > our topology (this would be on a different subnet than the current
> > pair); the ipa-replica-install command has been failing for various
> > reasons that I've been fixing or circumventing and I've just been
> > re-spinning the new server between each attempt to keep the
> > environment clean.  The latest death was apparently because of an
> > issue with /etc/openldap/ldap.conf which I was debugging and was
> > about to remove the server from IPA and reset it.
> >
> > However, I'm not able to do so.  All attempts are met with "ERROR:
> > invalid 'PKINIT enabled server': all masters must have IPA master
> > role enabled" - in fact, even poking around trying to do an ipa
> > config-show  (on either of the current masters) just generates that
> > error.  I've also tried uninstalling the replica and client on the
> > new host, and it seems to have completed successfully, but I can't
> > re-enroll it either, so it's "dead to the other masters", except...
>
> >
> > There is nothing I want to do at this point other than another
> > iteration on my problem adding another replica.  There's no data on
> > replica, nothing is relying on it, and I've tried as hard as
> > possible to make the installation entirely vanilla.  I haven't
> > manually enabled PKINIT; ipa-pkinit-manage status on the current
> > masters says it's enabled.  As for the server roles,
> > server-role-find shows the two current servers and the new one; the
> > latter's "role status" for CA Server is "absent".  I've had issues
> > before where I've had to enumerate the RUVs and remove them (done
> > that).  Just want the references to this to go away, so that I can
> > keep working towards the most minimal and concise installation.
> >
> > Any ideas on where I can go to get out of this situation?  Many
> thanks!
> >
> > (Everything completely updated to *4.6.4-10.el7.centos, initial
> > installation was about one year ago, domain level 1; tried all the
> > ipa server del and ipa-replica-manage del suggestions which aren't
> > working for me this time, no AD integration...)
> >
> > On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users
> >  > > wrote:
> >
> > Oh, forgot to mention, current domain level is `1`...
> > ___
> > FreeIPA-users mailing list --
> > freeipa-users@lists.fedorahosted.org
> > 
> > To unsubscribe send an email to
> > freeipa-users-le...@lists.fedorahosted.org
> > 
> > Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> >
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >
> >
> >
> > ___
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
>

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-01-08 Thread Brian Topping via FreeIPA-users

> On Jan 8, 2019, at 3:12 PM, Rob Crittenden  wrote:
> 
> You didn't happen to keep a list of the entries/values you removed did you?
> 
> rob

In my experience, there were dozens of them and I gave up before the thing 
finally recovered. Since others were successful, I’m sure it was possible, but 
it wasn’t clear if there was a certain entry that was responsible or it was 
because I overlooked a single one.___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-01-08 Thread Rob Crittenden via FreeIPA-users

K. M. Peterson via FreeIPA-users wrote:
> I'm going to reply to myself, after several more hours of digging, I
> discovered that although it wasn't true at the time I posted the above
> question, eventually, as with the original post from Lachlan Musicman
> ,
> the WebUI died, and that meant no self-service for the rest of the
> team.  And that made it into an emergency.
> 
> So, I fired up my LDAP editor (I've been using JXWorkBench) and went to
> eradicate all the traces of the failed replica.  Which fixed the issue;
> and I'm fairly sure there aren't any lingering effects.  I think.
> 
> But this was the first time I've used the editor to actual effect any
> changes to things; and I'm going to post the underlying question that
> raised in a new thread...
> 
> This seems to have bitten at least a few of us; I'd be happy to know how
> to file a bug if there's a useful contribution there.  Thanks!

You didn't happen to keep a list of the entries/values you removed did you?

rob

> 
> On Sat, Jan 5, 2019 at 4:47 PM K. M. Peterson  > wrote:
> 
> Hate _hate_ to open old threads, but...
> 
> I'm also seeing this.  I've been trying to add another replica to
> our topology (this would be on a different subnet than the current
> pair); the ipa-replica-install command has been failing for various
> reasons that I've been fixing or circumventing and I've just been
> re-spinning the new server between each attempt to keep the
> environment clean.  The latest death was apparently because of an
> issue with /etc/openldap/ldap.conf which I was debugging and was
> about to remove the server from IPA and reset it.
> 
> However, I'm not able to do so.  All attempts are met with "ERROR:
> invalid 'PKINIT enabled server': all masters must have IPA master
> role enabled" - in fact, even poking around trying to do an ipa
> config-show  (on either of the current masters) just generates that
> error.  I've also tried uninstalling the replica and client on the
> new host, and it seems to have completed successfully, but I can't
> re-enroll it either, so it's "dead to the other masters", except...   
> 
> There is nothing I want to do at this point other than another
> iteration on my problem adding another replica.  There's no data on
> replica, nothing is relying on it, and I've tried as hard as
> possible to make the installation entirely vanilla.  I haven't
> manually enabled PKINIT; ipa-pkinit-manage status on the current
> masters says it's enabled.  As for the server roles,
> server-role-find shows the two current servers and the new one; the
> latter's "role status" for CA Server is "absent".  I've had issues
> before where I've had to enumerate the RUVs and remove them (done
> that).  Just want the references to this to go away, so that I can
> keep working towards the most minimal and concise installation.
> 
> Any ideas on where I can go to get out of this situation?  Many thanks!
> 
> (Everything completely updated to *4.6.4-10.el7.centos, initial
> installation was about one year ago, domain level 1; tried all the
> ipa server del and ipa-replica-manage del suggestions which aren't
> working for me this time, no AD integration...)
> 
> On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users
>  > wrote:
> 
> Oh, forgot to mention, current domain level is `1`...
> ___
> FreeIPA-users mailing list --
> freeipa-users@lists.fedorahosted.org
> 
> To unsubscribe send an email to
> freeipa-users-le...@lists.fedorahosted.org
> 
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
> 
> 
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-01-06 Thread K. M. Peterson via FreeIPA-users

I'm going to reply to myself, after several more hours of digging, I
discovered that although it wasn't true at the time I posted the above
question, eventually, as with the original post from Lachlan Musicman
,
the WebUI died, and that meant no self-service for the rest of the team.
And that made it into an emergency.

So, I fired up my LDAP editor (I've been using JXWorkBench) and went to
eradicate all the traces of the failed replica.  Which fixed the issue; and
I'm fairly sure there aren't any lingering effects.  I think.

But this was the first time I've used the editor to actual effect any
changes to things; and I'm going to post the underlying question that
raised in a new thread...

This seems to have bitten at least a few of us; I'd be happy to know how to
file a bug if there's a useful contribution there.  Thanks!

On Sat, Jan 5, 2019 at 4:47 PM K. M. Peterson  wrote:

> Hate _hate_ to open old threads, but...
>
> I'm also seeing this.  I've been trying to add another replica to our
> topology (this would be on a different subnet than the current pair); the
> ipa-replica-install command has been failing for various reasons that
> I've been fixing or circumventing and I've just been re-spinning the new
> server between each attempt to keep the environment clean.  The latest
> death was apparently because of an issue with /etc/openldap/ldap.conf
> which I was debugging and was about to remove the server from IPA and reset
> it.
>
> However, I'm not able to do so.  All attempts are met with "ERROR:
> invalid 'PKINIT enabled server': all masters must have IPA master role
> enabled" - in fact, even poking around trying to do an ipa config-show
> (on either of the current masters) just generates that error.  I've also
> tried uninstalling the replica and client on the new host, and it seems to
> have completed successfully, but I can't re-enroll it either, so it's "dead
> to the other masters", except...
>
> There is nothing I want to do at this point other than another iteration
> on my problem adding another replica.  There's no data on replica, nothing
> is relying on it, and I've tried as hard as possible to make the
> installation entirely vanilla.  I haven't manually enabled PKINIT;
> ipa-pkinit-manage status on the current masters says it's enabled.  As
> for the server roles, server-role-find shows the two current servers and
> the new one; the latter's "role status" for CA Server is "absent".  I've
> had issues before where I've had to enumerate the RUVs and remove them
> (done that).  Just want the references to this to go away, so that I can
> keep working towards the most minimal and concise installation.
>
> Any ideas on where I can go to get out of this situation?  Many thanks!
>
> (Everything completely updated to *4.6.4-10.el7.centos, initial
> installation was about one year ago, domain level 1; tried all the ipa
> server del and ipa-replica-manage del suggestions which aren't working for
> me this time, no AD integration...)
>
> On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Oh, forgot to mention, current domain level is `1`...
>> ___
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2019-01-05 Thread K. M. Peterson via FreeIPA-users

Hate _hate_ to open old threads, but...

I'm also seeing this.  I've been trying to add another replica to our
topology (this would be on a different subnet than the current pair); the
ipa-replica-install command has been failing for various reasons that I've
been fixing or circumventing and I've just been re-spinning the new server
between each attempt to keep the environment clean.  The latest death was
apparently because of an issue with /etc/openldap/ldap.conf which I was
debugging and was about to remove the server from IPA and reset it.

However, I'm not able to do so.  All attempts are met with "ERROR: invalid
'PKINIT enabled server': all masters must have IPA master role enabled" -
in fact, even poking around trying to do an ipa config-show  (on either of
the current masters) just generates that error.  I've also tried
uninstalling the replica and client on the new host, and it seems to have
completed successfully, but I can't re-enroll it either, so it's "dead to
the other masters", except...

There is nothing I want to do at this point other than another iteration on
my problem adding another replica.  There's no data on replica, nothing is
relying on it, and I've tried as hard as possible to make the installation
entirely vanilla.  I haven't manually enabled PKINIT; ipa-pkinit-manage
status on the current masters says it's enabled.  As for the server roles,
server-role-find shows the two current servers and the new one; the
latter's "role status" for CA Server is "absent".  I've had issues before
where I've had to enumerate the RUVs and remove them (done that).  Just
want the references to this to go away, so that I can keep working towards
the most minimal and concise installation.

Any ideas on where I can go to get out of this situation?  Many thanks!

(Everything completely updated to *4.6.4-10.el7.centos, initial
installation was about one year ago, domain level 1; tried all the ipa
server del and ipa-replica-manage del suggestions which aren't working for
me this time, no AD integration...)

On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Oh, forgot to mention, current domain level is `1`...
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-11-19 Thread Brian Topping via FreeIPA-users

Oh, forgot to mention, current domain level is `1`...
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-11-19 Thread Brian Topping via FreeIPA-users

Oddly, I am having the same problem not too many days later, so I thought I 
would just reply here. I was in the middle of bringing up a new replica when 
the hardware panicked or something. Last messages to console:
```
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/9]: stopping directory server
  [2/9]: saving configuration
  [3/9]: disabling listeners
  [4/9]: enabling DS global lock
  [5/9]: starting directory server
  [6/9]: upgrading server
```

I've tried everything in the thread, starting with the link Mark Reynolds sent 
above. I found the current replication and did the `cleanruv` path (not the 
`all` variant) for the open transaction, then checked it on the other master. 
Still getting the `invalid 'PKINIT enabled server': all masters must have IPA 
master role enabled` message.

Also tried the `ipa-replica-manage del replica.server --force` and `ipa 
server-del --ignore-topology-disconnect --ignore-last-of-role --force 
replica.server` command and got the same error message for both commands.

Any ideas of what I might additionally try?

Thanks for your help!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-26 Thread Rob Crittenden via FreeIPA-users

Ralph Crongeyer wrote:
> Well I got it fixed by using ApacheDirectoryStudio and searching for the
> old stuck replica and deleted all of it's entries, which fixed the issues,
> I wish I would have gotten this email sooner, I would have tried what
> you suggested.
> 
> Thanks for your help with this.

Sure, sorry it took so long.

You may want to run: ipa-replica-manage del replica.server --force --cleanup

Just to ensure you got everything.

rob

> 
> Ralph
> 
> On Wed, Oct 24, 2018 at 5:43 PM Rob Crittenden  > wrote:
> 
> Ralph Crongeyer via FreeIPA-users wrote:
> > So it does allow me to login, however there is a popup that says:
> > "Some operations failed.", and a link "View details", when I click on
> > that it shows:
> > "invalid 'PKINIT enabled server': all masters must have IPA master
> role"  
> > And there is a button that says "OK", when I click on that it
> shows this:
> 
> Ok. Start by running:
> 
> $ kinit admin
> $ ipa domainlevel-get
> 
> If it is 1 you can try
> 
> $ ipa server-del --ignore-topology-disconnect --ignore-last-of-role
> --force replica.server
> 
> rob
> 
> >
> >
> >   Runtime error
> >
> > Web UI got in unrecoverable state during "runtime" phase.
> >
> >
> >       Technical details:
> >
> > y.server_config is undefined
> >
> 
> freeipa/ipa/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:37187
> >
> 
> start_runtime@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:17296
> >
> 
> register_phases/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1253
> >
> 
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3476
> >
> 
> forEach@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:29752
> >
> 
> _run_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3440
> >
> 
> next_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> >
> 
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> >
> 
> d/t.then@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
> >
> 
> _run_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
> >
> 
> next_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> >
> 
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> >
> 
> d/t.then@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
> >
> 
> _run_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
> >
> 
> next_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> >
> 
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> > l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
> >
> 
> d/this.resolve@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
> >
> 
> dojo/promise/all/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:85255
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> > l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
> >
> 
> d/this.resolve@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
> >
> 
> register_phases/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1092
> >
> 
> on_success@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:34471
> >
> 
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:57200
> >
> 
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56993
> >
> 
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56830
> >
> 
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56380
> >
> 
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:53826
> > f@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:49586
> >
> 
> dojo/on/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45192
> >
> 
> dojo/on/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45808
> >
> emit@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:48712
> > c@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:52469
> >
> l@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:24877
> >
> 
> fireWith@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:25702
>

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-26 Thread Ralph Crongeyer via FreeIPA-users

Well I got it fixed by using ApacheDirectoryStudio and searching for the
old stuck replica and deleted all of it's entries, which fixed the issues,
I wish I would have gotten this email sooner, I would have tried what you
suggested.

Thanks for your help with this.

Ralph

On Wed, Oct 24, 2018 at 5:43 PM Rob Crittenden  wrote:

> Ralph Crongeyer via FreeIPA-users wrote:
> > So it does allow me to login, however there is a popup that says:
> > "Some operations failed.", and a link "View details", when I click on
> > that it shows:
> > "invalid 'PKINIT enabled server': all masters must have IPA master
> role"
> > And there is a button that says "OK", when I click on that it shows this:
>
> Ok. Start by running:
>
> $ kinit admin
> $ ipa domainlevel-get
>
> If it is 1 you can try
>
> $ ipa server-del --ignore-topology-disconnect --ignore-last-of-role
> --force replica.server
>
> rob
>
> >
> >
> >   Runtime error
> >
> > Web UI got in unrecoverable state during "runtime" phase.
> >
> >
> >   Technical details:
> >
> > y.server_config is undefined
> > freeipa/ipa/ https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:37187
> > start_runtime@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:17296
> > register_phases/<@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1253
> > _run_phase/<@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3476
> > forEach@
> https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:29752
> > _run_phase@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3440
> > next_phase@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> > _run_phase/<@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> > d/t.then@
> https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
> > _run_phase@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
> > next_phase@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> > _run_phase/<@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> > d/t.then@
> https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
> > _run_phase@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
> > next_phase@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> > _run_phase/<@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> > l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
> > d/this.resolve@
> https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
> > dojo/promise/all/ https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:85255
> > c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> > l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
> > d/this.resolve@
> https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
> > register_phases/ https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1092
> > on_success@
> https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:34471
> > freeipa/rpc/ https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:57200
> > freeipa/rpc/ https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56993
> > freeipa/rpc/ https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56830
> > freeipa/rpc/ https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56380
> > freeipa/rpc/ https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:53826
> > f@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:49586
> > dojo/on/ https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45192
> > dojo/on/ https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45808
> > emit@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:48712
> > c@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:52469
> > l@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:24877
> > fireWith@
> https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:25702
> > k@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:6:5346
> > t/<@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:6:9152
> >
> > On Tue, Oct 23, 2018 at 4:07 PM Rob Crittenden  > > wrote:
> >
> > Ralph Crongeyer via FreeIPA-users wrote:
> > > Can this be manually removed? W currently can't login to the web
> > portal
> > > due to this issue.
> >
> > I don't understand how one master is affecting the web server of
> > another. By design they are independent. Can you provide details on
> how
> > login is failing?
> >
> > rob
> >
> > >
> > > On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer
> >

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-24 Thread Rob Crittenden via FreeIPA-users

Ralph Crongeyer via FreeIPA-users wrote:
> So it does allow me to login, however there is a popup that says:
> "Some operations failed.", and a link "View details", when I click on
> that it shows:
> "invalid 'PKINIT enabled server': all masters must have IPA master role"  
> And there is a button that says "OK", when I click on that it shows this:

Ok. Start by running:

$ kinit admin
$ ipa domainlevel-get

If it is 1 you can try

$ ipa server-del --ignore-topology-disconnect --ignore-last-of-role
--force replica.server

rob

> 
> 
>   Runtime error
> 
> Web UI got in unrecoverable state during "runtime" phase.
> 
> 
>   Technical details:
> 
> y.server_config is undefined
> freeipa/ipa/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:37187
> start_runtime@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:17296
> register_phases/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1253
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3476
> forEach@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:29752
> _run_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3440
> next_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> d/t.then@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
> _run_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
> next_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> d/t.then@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
> _run_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
> next_phase@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
> _run_phase/<@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
> c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
> d/this.resolve@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
> dojo/promise/all/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:85255
> c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
> l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
> d/this.resolve@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
> register_phases/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1092
> on_success@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:34471
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:57200
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56993
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56830
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56380
> freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:53826
> f@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:49586
> dojo/on/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45192
> dojo/on/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45808
> emit@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:48712
> c@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:52469
> l@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:24877
> fireWith@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:25702
> k@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:6:5346
> t/<@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:6:9152
> 
> On Tue, Oct 23, 2018 at 4:07 PM Rob Crittenden  > wrote:
> 
> Ralph Crongeyer via FreeIPA-users wrote:
> > Can this be manually removed? W currently can't login to the web
> portal
> > due to this issue.
> 
> I don't understand how one master is affecting the web server of
> another. By design they are independent. Can you provide details on how
> login is failing?
> 
> rob
> 
> >
> > On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer
> mailto:rcronge...@gmail.com>
> > >> wrote:
> >
> >     The goal is to remove the replica server from the master. No split
> >     brain. I need to remove this as we can't login to the portal
> because
> >     of this.
> >
> >
> >     On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden
> mailto:rcrit...@redhat.com>
> >     >> wrote:
> >
> >         Ralph Crongeyer via FreeIPA-users wrote:
>

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-24 Thread Ralph Crongeyer via FreeIPA-users

So it does allow me to login, however there is a popup that says:
"Some operations failed.", and a link "View details", when I click on that
it shows:
"invalid 'PKINIT enabled server': all masters must have IPA master role"
And there is a button that says "OK", when I click on that it shows this:

Runtime error

Web UI got in unrecoverable state during "runtime" phase.
Technical details:
y.server_config is undefined
freeipa/ipa/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:37187
start_runtime@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:17296
register_phases/<@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1253
_run_phase/<@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3476
forEach@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:29752
_run_phase@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3440
next_phase@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
_run_phase/<@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
d/t.then@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
_run_phase@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
next_phase@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
_run_phase/<@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
d/t.then@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:62246
_run_phase@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3548
next_phase@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3899
_run_phase/<@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:3626
c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
d/this.resolve@
https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
dojo/promise/all/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:85255
c@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60960
l@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:60886
d/this.resolve@
https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:61873
register_phases/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:1092
on_success@
https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:34471
freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:57200
freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56993
freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56830
freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:56380
freeipa/rpc/https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:53826
f@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:49586
dojo/on/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45192
dojo/on/https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:45808
emit@https://ipaca-01.example.com/ipa/ui/js/dojo/dojo.js?v=40504:1:48712
c@https://ipaca-01.example.com/ipa/ui/js/freeipa/app.js?40504:1:52469
l@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:24877
fireWith@
https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:4:25702
k@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:6:5346
t/<@https://ipaca-01.example.com/ipa/ui/js/libs/jquery.js?v=40504:6:9152

On Tue, Oct 23, 2018 at 4:07 PM Rob Crittenden  wrote:

> Ralph Crongeyer via FreeIPA-users wrote:
> > Can this be manually removed? W currently can't login to the web portal
> > due to this issue.
>
> I don't understand how one master is affecting the web server of
> another. By design they are independent. Can you provide details on how
> login is failing?
>
> rob
>
> >
> > On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer  > > wrote:
> >
> > The goal is to remove the replica server from the master. No split
> > brain. I need to remove this as we can't login to the portal because
> > of this.
> >
> >
> > On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden  > > wrote:
> >
> > Ralph Crongeyer via FreeIPA-users wrote:
> > > Hi List,
> > > I have a master server that had a replica installed. The
> > replica has
> > > been uninstalled. When I try to run "ipa-replica-manage del
> > --force
> > > replica.server" it fails with:
> > > invalid 'PKINIT enabled server': all masters must have IPA
> > master role
> > > enabled
> > >
> > > How can I delete this replica?
> >
> > What is your ultimate goal here? In your previous post it
> > sounded like
> > you are trying to create a split-brain. IPA doesn't

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-23 Thread Rob Crittenden via FreeIPA-users

Ralph Crongeyer via FreeIPA-users wrote:
> Can this be manually removed? W currently can't login to the web portal
> due to this issue.

I don't understand how one master is affecting the web server of
another. By design they are independent. Can you provide details on how
login is failing?

rob

> 
> On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer  > wrote:
> 
> The goal is to remove the replica server from the master. No split
> brain. I need to remove this as we can't login to the portal because
> of this.
> 
> 
> On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden  > wrote:
> 
> Ralph Crongeyer via FreeIPA-users wrote:
> > Hi List,
> > I have a master server that had a replica installed. The
> replica has
> > been uninstalled. When I try to run "ipa-replica-manage del
> --force
> > replica.server" it fails with:
> > invalid 'PKINIT enabled server': all masters must have IPA
> master role
> > enabled
> >
> > How can I delete this replica?
> 
> What is your ultimate goal here? In your previous post it
> sounded like
> you are trying to create a split-brain. IPA doesn't like those
> and does
> what it can to prevent them.
> 
> rob
> 
> 
> 
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-23 Thread Mark Reynolds via FreeIPA-users



On 10/23/18 12:54 PM, Ralph Crongeyer via FreeIPA-users wrote:
Can this be manually removed? W currently can't login to the web 
portal due to this issue.


http://www.port389.org/docs/389ds/howto/howto-cleanruv.html#cleanallruv

Or you can run:   cleanallruv.pl -h

HTH,

Mark



On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer > wrote:


The goal is to remove the replica server from the master. No split
brain. I need to remove this as we can't login to the portal
because of this.


On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden
mailto:rcrit...@redhat.com>> wrote:

Ralph Crongeyer via FreeIPA-users wrote:
> Hi List,
> I have a master server that had a replica installed. The
replica has
> been uninstalled. When I try to run "ipa-replica-manage del
--force
> replica.server" it fails with:
> invalid 'PKINIT enabled server': all masters must have IPA
master role
> enabled
>
> How can I delete this replica?

What is your ultimate goal here? In your previous post it
sounded like
you are trying to create a split-brain. IPA doesn't like those
and does
what it can to prevent them.

rob


___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-23 Thread Ralph Crongeyer via FreeIPA-users

Can this be manually removed? W currently can't login to the web portal due
to this issue.

On Fri, Oct 19, 2018 at 8:42 AM Ralph Crongeyer 
wrote:

> The goal is to remove the replica server from the master. No split brain.
> I need to remove this as we can't login to the portal because of this.
>
>
> On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden 
> wrote:
>
>> Ralph Crongeyer via FreeIPA-users wrote:
>> > Hi List,
>> > I have a master server that had a replica installed. The replica has
>> > been uninstalled. When I try to run "ipa-replica-manage del --force
>> > replica.server" it fails with:
>> > invalid 'PKINIT enabled server': all masters must have IPA master role
>> > enabled
>> >
>> > How can I delete this replica?
>>
>> What is your ultimate goal here? In your previous post it sounded like
>> you are trying to create a split-brain. IPA doesn't like those and does
>> what it can to prevent them.
>>
>> rob
>>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-19 Thread Ralph Crongeyer via FreeIPA-users

The goal is to remove the replica server from the master. No split brain. I
need to remove this as we can't login to the portal because of this.


On Thu, Oct 18, 2018 at 5:23 PM Rob Crittenden  wrote:

> Ralph Crongeyer via FreeIPA-users wrote:
> > Hi List,
> > I have a master server that had a replica installed. The replica has
> > been uninstalled. When I try to run "ipa-replica-manage del --force
> > replica.server" it fails with:
> > invalid 'PKINIT enabled server': all masters must have IPA master role
> > enabled
> >
> > How can I delete this replica?
>
> What is your ultimate goal here? In your previous post it sounded like
> you are trying to create a split-brain. IPA doesn't like those and does
> what it can to prevent them.
>
> rob
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

2018-10-18 Thread Rob Crittenden via FreeIPA-users

Ralph Crongeyer via FreeIPA-users wrote:
> Hi List,
> I have a master server that had a replica installed. The replica has
> been uninstalled. When I try to run "ipa-replica-manage del --force
> replica.server" it fails with:
> invalid 'PKINIT enabled server': all masters must have IPA master role
> enabled
> 
> How can I delete this replica?

What is your ultimate goal here? In your previous post it sounded like
you are trying to create a split-brain. IPA doesn't like those and does
what it can to prevent them.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

[Freeipa-users] Re: ipa-replica-manage --force replica.server fails

24 matches

Site Navigation

Mail list logo

Footer information