Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-17 Thread Bret Wortman


On 12/16/2013 10:37 PM, Rob Crittenden wrote:

Dmitri Pal wrote:

On 12/16/2013 10:40 AM, Bret Wortman wrote:

I had a replica that was completely failing to respond to its clients,
so I removed it by first running ipa-replica-manage del on the
replica master, then ipa-server-install -U --uninstall on the
replica. I regenerated the replica file and, upon trying to
re-initialize the replica, received this error:

:
The host fsipa.spx.net already exists on the master server.
You should remove it before proceeding:
% ipa host-del fsipa.damascusgrp.com
[root@fsipa ~]#

On the master:

[root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
or disabled
[root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
  Host name: fsipa.damascusgrp.com
  Principal name: host/fsipa.damascusgrp@damascusgrp.com
  Password: False
  Keytab: True
  Managed by: fsipa.damascusgrp.com
  SSH public key fingerprint: ...
  :
[root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
'ipamaster.damascusgrp.com' has no replication agreement for
'fsipa.damascusgrp.com'
[root@ipamaster ~]#

What's the right way to clean this up without making the situation 
worse?


Do you use IPA DNS?


Yes

What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?


It would appear that the replica uninstallation was a bit incomplete. 
The lack of replication may be part of, or the cause of, the problem.


I guess I would start by double-checking that the remaining master 
doesn't have an RUV record for the old one:


# ipa-replica-manage list-ruv


This returns nothing, so I'm assuming that's good.

If so you can use the clean-ruv command to clean things up. Be very 
careful what number you plug in there. This is one of those with 
great power comes great responsibility commands.


As for the remaining master entries, you'll need to use ldapdelete to 
remove them.


Something like this:

# ldapdelete -x -D 'cn=directory manager' -W -r
cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com 


^D


# ldapdelete -x -D 'cn=directory manager' -W -r
cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
^D
ldap_delete: Operations error (1)
ldap_delete: Operation not allowed on non-leaf (66)
#

My syntax may be a bit off but you basically want to delete this entry 
and all its children. If you're nervous stick in the -n option and it 
will tell you what it's going to do without deleting anything.


Actually, the -n option just distracted me for 5 minutes -- it had me 
chasing syntax until I realized that it was just not doing anything and 
not reporting anything either. Dropping it led to the error above.


Newer IPA has a new command in ipa-replica-manage to make this cleanup 
easier.


Looking forward to upgrading, then. Replica management is a headache for 
us, but given the benefits IPA has brought, it's worth it. Thanks for 
all your help.


Once those entries are gone you can delete the host entry and proceed 
on your way.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users






Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-17 Thread Rob Crittenden

Bret Wortman wrote:


On 12/16/2013 10:37 PM, Rob Crittenden wrote:

Dmitri Pal wrote:

On 12/16/2013 10:40 AM, Bret Wortman wrote:

I had a replica that was completely failing to respond to its clients,
so I removed it by first running ipa-replica-manage del on the
replica master, then ipa-server-install -U --uninstall on the
replica. I regenerated the replica file and, upon trying to
re-initialize the replica, received this error:

:
The host fsipa.spx.net already exists on the master server.
You should remove it before proceeding:
% ipa host-del fsipa.damascusgrp.com
[root@fsipa ~]#

On the master:

[root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
or disabled
[root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
  Host name: fsipa.damascusgrp.com
  Principal name: host/fsipa.damascusgrp@damascusgrp.com
  Password: False
  Keytab: True
  Managed by: fsipa.damascusgrp.com
  SSH public key fingerprint: ...
  :
[root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
'ipamaster.damascusgrp.com' has no replication agreement for
'fsipa.damascusgrp.com'
[root@ipamaster ~]#

What's the right way to clean this up without making the situation
worse?


Do you use IPA DNS?


Yes

What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?


It would appear that the replica uninstallation was a bit incomplete.
The lack of replication may be part of, or the cause of, the problem.

I guess I would start by double-checking that the remaining master
doesn't have an RUV record for the old one:

# ipa-replica-manage list-ruv


This returns nothing, so I'm assuming that's good.


If so you can use the clean-ruv command to clean things up. Be very
careful what number you plug in there. This is one of those with
great power comes great responsibility commands.

As for the remaining master entries, you'll need to use ldapdelete to
remove them.

Something like this:

# ldapdelete -x -D 'cn=directory manager' -W -r
cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com

^D


# ldapdelete -x -D 'cn=directory manager' -W -r
cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
^D
ldap_delete: Operations error (1)
ldap_delete: Operation not allowed on non-leaf (66)
#


Strange. The -r is for recursion and should delete all the children too.

Oh well. Instead try this:

ldapsearch -LLL -x -D 'cn=Directory manager' -W -b cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com dn


Those are all the DNs to pass to ldapdelete. Delete the leaf nodes (the 
service entries) first, then the fsipa value.



My syntax may be a bit off but you basically want to delete this entry
and all its children. If you're nervous stick in the -n option and it
will tell you what it's going to do without deleting anything.


Actually, the -n option just distracted me for 5 minutes -- it had me
chasing syntax until I realized that it was just not doing anything and
not reporting anything either. Dropping it led to the error above.


Right, -n is to show what would be done without actually doing anything. 
It is handy with a command like this, especially when using recursion.


cheers

rob




Newer IPA has a new command in ipa-replica-manage to make this cleanup
easier.


Looking forward to upgrading, then. Replica management is a headache for
us, but given the benefits IPA has brought, it's worth it. Thanks for
all your help.


Once those entries are gone you can delete the host entry and proceed
on your way.

rob
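
The leaf-first deletion described above, as an added example that is not part of the original thread: a shell function that unfolds wrapped `dn:` lines from `ldapsearch -LLL` output, keeps only DNs at or below the stale master entry, and lists children before the parent. The sample entries (including the `cn=KDC` and `cn=HTTP` child names) are constructed, and DNs are assumed to be plain `dn:` values rather than base64 `dn::`.

```shell
# Added example, not from the thread: build a child-first delete list from
# `ldapsearch -LLL ... dn` output, restricted to one subtree.

# Usage: order_dns_for_delete BASE_DN < ldif   (prints one DN per line)
order_dns_for_delete() {
    BASE_DN="$1" awk '
        function emit(   d, n, off) {
            if (!have) return
            have = 0
            # Safety net: list only the base entry and entries below it.
            off = length(cur) - length(base)
            if (off < 0 || tolower(substr(cur, off + 1)) != tolower(base) ||
                (off > 0 && substr(cur, off, 1) != ",")) {
                print "skipped (outside base): " cur > "/dev/stderr"
                return
            }
            d = cur
            gsub(/\\,/, "", d)          # escaped commas do not separate RDNs
            n = gsub(/,/, ",", d) + 1   # RDN count = depth in the tree
            printf "%d\t%s\n", n, cur
        }
        BEGIN   { base = ENVIRON["BASE_DN"] }
        # LDIF folding: a line starting with one space continues the previous one.
        /^ /    { if (have) cur = cur substr($0, 2); next }
                { emit() }
        /^dn: / { cur = substr($0, 5); have = 1 }
        END     { emit() }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 | cut -f2-
}

# Constructed sample output; the child entry names are illustrative.
sample_ldif() {
    cat <<'EOF'
dn: cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com

dn: cn=KDC,cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,
 dc=com

dn: cn=HTTP,cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp
 ,dc=com

dn: cn=ipamaster.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=
 com
EOF
}

BASE='cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com'
sample_ldif | order_dns_for_delete "$BASE"
```

Save the list to a file, review it, and pass it to `ldapdelete` with `-f`. OpenLDAP's `ldapdelete` prints what `-n` would do only when `-v` is also given.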



Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-17 Thread Bret Wortman


On 12/17/2013 09:15 AM, Rob Crittenden wrote:

Bret Wortman wrote:


On 12/16/2013 10:37 PM, Rob Crittenden wrote:

Dmitri Pal wrote:

On 12/16/2013 10:40 AM, Bret Wortman wrote:
I had a replica that was completely failing to respond to its clients,
so I removed it by first running ipa-replica-manage del on the
replica master, then ipa-server-install -U --uninstall on the
replica. I regenerated the replica file and, upon trying to
re-initialize the replica, received this error:

:
The host fsipa.spx.net already exists on the master server.
You should remove it before proceeding:
% ipa host-del fsipa.damascusgrp.com
[root@fsipa ~]#

On the master:

[root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
or disabled
[root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
  Host name: fsipa.damascusgrp.com
  Principal name: host/fsipa.damascusgrp@damascusgrp.com
  Password: False
  Keytab: True
  Managed by: fsipa.damascusgrp.com
  SSH public key fingerprint: ...
  :
[root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
'ipamaster.damascusgrp.com' has no replication agreement for
'fsipa.damascusgrp.com'
[root@ipamaster ~]#

What's the right way to clean this up without making the situation
worse?


Do you use IPA DNS?


Yes

What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?


It would appear that the replica uninstallation was a bit incomplete.
The lack of replication may be part of, or the cause of, the problem.

I guess I would start by double-checking that the remaining master
doesn't have an RUV record for the old one:

# ipa-replica-manage list-ruv


This returns nothing, so I'm assuming that's good.


If so you can use the clean-ruv command to clean things up. Be very
careful what number you plug in there. This is one of those with
great power comes great responsibility commands.

As for the remaining master entries, you'll need to use ldapdelete to
remove them.

Something like this:

# ldapdelete -x -D 'cn=directory manager' -W -r
cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com 



^D


# ldapdelete -x -D 'cn=directory manager' -W -r
cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com
^D
ldap_delete: Operations error (1)
ldap_delete: Operation not allowed on non-leaf (66)
#


Strange. The -r is for recursion and should delete all the children too.

Oh well. Instead try this:

ldapsearch -LLL -x -D 'cn=Directory manager' -W -b cn=fsipa.damascusgrp.com,cn=masters,cn=ipa,cn=etc,dc=damascusgrp,dc=com dn



Those are all the DNs to pass to ldapdelete. Delete the leaf nodes 
(the service entries) first, then the fsipa value.



Worked like a champ. Thanks.


My syntax may be a bit off but you basically want to delete this entry
and all its children. If you're nervous stick in the -n option and it
will tell you what it's going to do without deleting anything.


Actually, the -n option just distracted me for 5 minutes -- it had me
chasing syntax until I realized that it was just not doing anything and
not reporting anything either. Dropping it led to the error above.


Right, -n is to show what would be done without actually doing 
anything. It is handy with a command like this, especially when using 
recursion.


Sorry, I wasn't clear -- when I used -n, it just returned immediately. 
Didn't show it doing anything, probably because of the error above, but 
it didn't report that error either; just swallowed it.




cheers

rob




Newer IPA has a new command in ipa-replica-manage to make this cleanup
easier.


Looking forward to upgrading, then. Replica management is a headache for
us, but given the benefits IPA has brought, it's worth it. Thanks for
all your help.


Once those entries are gone you can delete the host entry and proceed
on your way.

rob


Re: [Freeipa-users] Replica master in strange state -- how to resolve?

2013-12-16 Thread Rob Crittenden

Dmitri Pal wrote:

On 12/16/2013 10:40 AM, Bret Wortman wrote:

I had a replica that was completely failing to respond to its clients,
so I removed it by first running ipa-replica-manage del on the
replica master, then ipa-server-install -U --uninstall on the
replica. I regenerated the replica file and, upon trying to
re-initialize the replica, received this error:

:
The host fsipa.spx.net already exists on the master server.
You should remove it before proceeding:
% ipa host-del fsipa.damascusgrp.com
[root@fsipa ~]#

On the master:

[root@ipamaster ~]# ipa host-del fsipa.damascusgrp.com
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted
or disabled
[root@ipamaster ~]# ipa host-show fsipa.damascusgrp.com
  Host name: fsipa.damascusgrp.com
  Principal name: host/fsipa.damascusgrp@damascusgrp.com
  Password: False
  Keytab: True
  Managed by: fsipa.damascusgrp.com
  SSH public key fingerprint: ...
  :
[root@ipamaster ~]# ipa-replica-manage del fsipa.damascusgrp.com
'ipamaster.damascusgrp.com' has no replication agreement for
'fsipa.damascusgrp.com'
[root@ipamaster ~]#

What's the right way to clean this up without making the situation worse?


Do you use IPA DNS?
What does DNS say about fsipa.damascusgrp.com and fsipa.spx.net?


It would appear that the replica uninstallation was a bit incomplete. 
The lack of replication may be part of, or the cause of, the problem.


I guess I would start by double-checking that the remaining master 
doesn't have an RUV record for the old one:


# ipa-replica-manage list-ruv

If so you can use the clean-ruv command to clean things up. Be very 
careful what number you plug in there. This is one of those with great 
power comes great responsibility commands.


As for the remaining master entries, you'll need to use ldapdelete to 
remove them.


Something like this:

# ldapdelete -x -D 'cn=directory manager' -W -r
cn=replica-to-delete.example.com,cn=masters,cn=ipa,cn=etc,dc=greyoak,dc=com
^D

My syntax may be a bit off but you basically want to delete this entry 
and all its children. If you're nervous stick in the -n option and it 
will tell you what it's going to do without deleting anything.


Newer IPA has a new command in ipa-replica-manage to make this cleanup 
easier.


Once those entries are gone you can delete the host entry and proceed on 
your way.


rob
