Hi,
so finally I managed to fix the issue.
The user used was ‘admin’ the ticket was a fresh one obtained immediately
before the command.
After digging through many mails on this list I was pretty sure it had
something todo with ACIs and them maybe not being readded after an upgrade.
What I did to fix the issue was the following:
I used a slightly modified version of
https://github.com/freeipa/freeipa/blob/master/install/share/replica-acis.ldif
(changing the add to a replace) and loaded it onto the master.
Afterwards I was able to delete the replica and add a new one.
Altough when running a “list-ruv” I stell get some error messages (but also
output of actual RUVs)
-snip-
ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 7} 58456abc00040007 58456abc00040007
unable to decode: {replica 9} 578864f600010009 578864f600010009
Replica Update Vectors:
-snap-
So this is a different issue, but I would be glad If I somehow could remove
these orphaned RUVs.
Am 23.06.17, 15:36 schrieb "Rob Crittenden" :
Sieferlinger, Andreas via FreeIPA-users wrote:
> Hi all,
>
>
>
> after an upgrade von 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some
> trouble in changing replication agreements.
>
>
>
> #ipa-replica-manage del auth4.example.com
>
> 'auth9.example.com' has no replication agreement for 'auth4.example.com'
>
> # ipa-replica-manage del auth4.example.com --force --clean
>
> Cleaning a master is irreversible.
>
> This should not normally be require, so use cautiously.
>
> Continue to clean master? [no]: yes
>
> Re-run /sbin/ipa-replica-manage with --verbose option to get more
> information
>
> Unexpected error: Insufficient access: Insufficient 'delete' privilege
> to delete the entry
>
'krbprincipalname=ldap/auth4.example@example.com,cn=services,cn=accounts,dc=example,dc=com'.
>
>
>
> I suspect some missing ACLs that probably got lost during an update,
> although I do not know which and how to read.
What credentials do you currently have? klist will show you.
If you are admin, or a member of the admins group, then the output of
this will show what rights the user has:
$ ipa user-show --all --raw |grep memberof
rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org