Re: [Freeipa-users] Cleaning Up an Unholy Mess
On 08/29/2016 12:48 PM, Ian Harding wrote:
>
> On 08/25/2016 03:10 PM, Mark Reynolds wrote:
>>
>> On 08/25/2016 02:04 PM, Ian Harding wrote:
>>> On 08/25/2016 10:41 AM, Rob Crittenden wrote:
>>>> Ian Harding wrote:
>>>>> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>>>>>> Ian Harding wrote:
>>>>>>> I tried to simply uninstall and reinstall freeipa-dal and this
>>>>>>> happened.
>>>>>>>
>>>>>>> It only had a replication agreement with freeipa-sea
>>>>>>>
>>>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>>>
>>>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>>>> configuration!
>>>>>>>
>>>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>>>> [no]: yes
>>>>>>> Shutting down all IPA services
>>>>>>> Removing IPA client configuration
>>>>>>> Unconfiguring ntpd
>>>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>>> Unconfiguring CA
>>>>>>> Unconfiguring named
>>>>>>> Unconfiguring ipa-dnskeysyncd
>>>>>>> Unconfiguring web server
>>>>>>> Unconfiguring krb5kdc
>>>>>>> Unconfiguring kadmin
>>>>>>> Unconfiguring directory server
>>>>>>> Unconfiguring ipa_memcached
>>>>>>> Unconfiguring ipa-otpd
>>>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>>>
>>>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>>>> configuration!
>>>>>>>
>>>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>>>> [no]: yes
>>>>>>>
>>>>>>> WARNING: Failed to connect to Directory Server to find information
>>>>>>> about
>>>>>>> replication agreements. Uninstallation will continue despite the
>>>>>>> possible
>>>>>>> existing replication agreements.
>>>>>>> Shutting down all IPA services
>>>>>>> Removing IPA client configuration
>>>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>>>>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>>>>>> Directory Manager (existing master) password:
>>>>>>>
>>>>>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>>>>>> You should remove it before proceeding:
>>>>>>>     % ipa host-del freeipa-dal.bpt.rocks
>>>>>>> [root@freeipa-dal ianh]#
>>>>>>>
>>>>>>> So I tried to delete it again with --force
>>>>>>>
>>>>>>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>>>>>>> freeipa-dal.bpt.rocks
>>>>>>> Directory Manager password:
>>>>>>>
>>>>>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>>>>>> 'freeipa-dal.bpt.rocks'
>>>>>>> [root@freeipa-sea ianh]#
>>>>>>>
>>>>>>> Can't delete it from the master server either
>>>>>>>
>>>>>>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>>>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>>>>>> disabled
>>>>>>>
>>>>>>>
>>>>>>> Now what? I'm running out of things that work.
>>>>>> Not sure what version of IPA you have but try:
>>>>>>
>>>>>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>>>>>
>>>>>> If this had a CA on it then you'll want to ensure that any replication
>>>>>> agreements it had have been removed as well.
>>>>>>
>>>>>> rob
>>>>>>
>>>>> It turns out I'm not smart enough to untangle this mess.
>>>>>
>>>>> Is there any way to kind of start over? I managed to delete and
>>>>> recreate a couple replicas but the problems (obsolete ruv as far as I
>>>>> can tell) carry on with the new replicas. They won't even replicate
>>>>> back to the master they were created from.
>>>> Once you have the right version of 389-ds then cleanruv tasks work
>>>> a lot better. What version are you running now?
>>> 1.3.4.0.
>> Ian,
>>
>> Can you give the exact version please? rpm -qa | grep 389-ds-base
>>
>> Thanks,
>> Mark
> Sorry about the delay..
>
> [root@freeipa-sea ianh]# rpm -qa | grep 389-ds-base
> 389-ds-base-libs-1.3.4.0-33.el7_2.x86_64
> 389-ds-base-1.3.4.0-33.el7_2.x86_64

Now I'm not sure what is going on. You are on the latest version of
389-ds-base, and it has the cleanAllRUV fix I was talking about.

Perhaps the message "Waiting to process all the updates from the deleted
replica..." returned by "ipa-replica-manage list-clean-ruv" is not
accurate/current. If there are cleanAllRUV tasks running (and not
finishing) there will be evidence in the Directory Server's errors log.
If there are tasks running the errors log will tell us exactly what is
going on (the logging is very good).

So if the "clean" task is not working start tailing the DS errors log
(/var/log/dirsrv/slapd-INSTANCE/errors), check for logging that is
prefixed with "CleanAllRUV Task", and you should see what's really going
on. Please post this logging if you find anything.

Mark

>
>
>>> It's handcuffed to my CentOS 7 so I don't want to update it
>>> outside the CentOS
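Added example (not part of the original thread, and not code from 389-ds or FreeIPA): a small shell helper for the check Mark describes, pulling the "CleanAllRUV Task" lines out of the Directory Server errors log and reporting per replica ID whether the task ever finished. The sample log lines are constructed; apart from the "CleanAllRUV Task" prefix and the "Waiting to process..." message quoted in the thread, the line layout, the "(rid N)" tag and the "Successfully cleaned" completion text are assumptions to adjust against a real log.

```shell
#!/bin/sh
# Summarise CleanAllRUV task logging from a 389-ds errors log.
# Assumptions (not from the thread): each task line carries "(rid N)" and a
# finished task logs a message containing "Successfully cleaned".

# Constructed sample input, standing in for
# /var/log/dirsrv/slapd-INSTANCE/errors.
sample_errors_log() {
    cat <<'EOF'
[29/Aug/2016:13:02:11 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 5): Cleaning rid (5)...
[29/Aug/2016:13:02:11 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 5): Waiting to process all the updates from the deleted replica...
[29/Aug/2016:13:02:12 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 5): Successfully cleaned rid(5).
[29/Aug/2016:13:05:40 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 7): Cleaning rid (7)...
[29/Aug/2016:13:05:40 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 7): Waiting to process all the updates from the deleted replica...
[29/Aug/2016:13:05:50 -0700] NSMMReplicationPlugin - CleanAllRUV Task (rid 7): Not all replicas online, retrying in 10 seconds...
[29/Aug/2016:13:06:00 -0700] some-other-plugin - unrelated line that must be ignored
EOF
}

# cleanruv_summary LOGFILE
# One line per replica ID seen in "CleanAllRUV Task" logging:
#   rid=<n> lines=<count> state=<done|pending> last=<most recent message>
cleanruv_summary() {
    awk '
        /CleanAllRUV Task/ {
            rid = "unknown"
            # "(rid 7)" -> "7": skip the 5 characters "(rid " and the ")".
            if (match($0, /\(rid [0-9]+\)/))
                rid = substr($0, RSTART + 5, RLENGTH - 6)
            # Keep only the text after "CleanAllRUV Task (rid N): ".
            msg = $0
            sub(/^.*CleanAllRUV Task[^:]*: */, "", msg)
            count[rid]++
            last[rid] = msg
            if (msg ~ /[Ss]uccessfully cleaned/)
                finished[rid] = 1
        }
        END {
            for (rid in count)
                printf "rid=%s lines=%d state=%s last=%s\n", rid, count[rid],
                       ((rid in finished) ? "done" : "pending"), last[rid]
        }
    ' "$1" | sort
}

# cleanruv_pending LOGFILE
# Replica IDs whose task logged activity but never logged completion.
cleanruv_pending() {
    cleanruv_summary "$1" |
        awk '$3 == "state=pending" { sub(/^rid=/, "", $1); print $1 }'
}

# Stand-alone run: use the log path given as $1, else the constructed sample.
log=${1:-}
if [ -n "$log" ]; then
    cleanruv_summary "$log"
else
    log=$(mktemp)
    sample_errors_log > "$log"
    cleanruv_summary "$log"
    rm -f "$log"
fi
```

A replica ID that stays in `state=pending` across repeated runs is the case worth posting to the list, together with its `last=` message.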
Re: [Freeipa-users] Cleaning Up an Unholy Mess
On 08/25/2016 03:10 PM, Mark Reynolds wrote:
>
>
> On 08/25/2016 02:04 PM, Ian Harding wrote:
>>
>> On 08/25/2016 10:41 AM, Rob Crittenden wrote:
>>> Ian Harding wrote:
>>>> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>>>>> Ian Harding wrote:
>>>>>> I tried to simply uninstall and reinstall freeipa-dal and this
>>>>>> happened.
>>>>>>
>>>>>> It only had a replication agreement with freeipa-sea
>>>>>>
>>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>>
>>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>>> configuration!
>>>>>>
>>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>>> [no]: yes
>>>>>> Shutting down all IPA services
>>>>>> Removing IPA client configuration
>>>>>> Unconfiguring ntpd
>>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>> Unconfiguring CA
>>>>>> Unconfiguring named
>>>>>> Unconfiguring ipa-dnskeysyncd
>>>>>> Unconfiguring web server
>>>>>> Unconfiguring krb5kdc
>>>>>> Unconfiguring kadmin
>>>>>> Unconfiguring directory server
>>>>>> Unconfiguring ipa_memcached
>>>>>> Unconfiguring ipa-otpd
>>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>>
>>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>>> configuration!
>>>>>>
>>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>>> [no]: yes
>>>>>>
>>>>>> WARNING: Failed to connect to Directory Server to find information
>>>>>> about
>>>>>> replication agreements. Uninstallation will continue despite the
>>>>>> possible
>>>>>> existing replication agreements.
>>>>>> Shutting down all IPA services
>>>>>> Removing IPA client configuration
>>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>>>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>>>>> Directory Manager (existing master) password:
>>>>>>
>>>>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>>>>> You should remove it before proceeding:
>>>>>>     % ipa host-del freeipa-dal.bpt.rocks
>>>>>> [root@freeipa-dal ianh]#
>>>>>>
>>>>>> So I tried to delete it again with --force
>>>>>>
>>>>>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>>>>>> freeipa-dal.bpt.rocks
>>>>>> Directory Manager password:
>>>>>>
>>>>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>>>>> 'freeipa-dal.bpt.rocks'
>>>>>> [root@freeipa-sea ianh]#
>>>>>>
>>>>>> Can't delete it from the master server either
>>>>>>
>>>>>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>>>>> disabled
>>>>>>
>>>>>>
>>>>>> Now what? I'm running out of things that work.
>>>>> Not sure what version of IPA you have but try:
>>>>>
>>>>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>>>>
>>>>> If this had a CA on it then you'll want to ensure that any replication
>>>>> agreements it had have been removed as well.
>>>>>
>>>>> rob
>>>>>
>>>> It turns out I'm not smart enough to untangle this mess.
>>>>
>>>> Is there any way to kind of start over? I managed to delete and
>>>> recreate a couple replicas but the problems (obsolete ruv as far as I
>>>> can tell) carry on with the new replicas. They won't even replicate
>>>> back to the master they were created from.
>>> Once you have the right version of 389-ds then cleanruv tasks work
>>> a lot better. What version are you running now?
>> 1.3.4.0.
> Ian,
>
> Can you give the exact version please? rpm -qa | grep 389-ds-base
>
> Thanks,
> Mark

Sorry about the delay..

[root@freeipa-sea ianh]# rpm -qa | grep 389-ds-base
389-ds-base-libs-1.3.4.0-33.el7_2.x86_64
389-ds-base-1.3.4.0-33.el7_2.x86_64

>> It's handcuffed to my CentOS 7 so I don't want to update it
>> outside the CentOS ecosystem. What's the downside of upgrading it from
>> source or an RPM for a different flavor of RedHat derived Linux?
>>
>> I'm a one-man band but I'd be interested in hearing a pitch from someone
>> who is super smart on this stuff for a working consulting gig and maybe
>> ongoing support. Who would I talk to at RedHat about coming in from the
>> cold for full on corporate support?
>>
>> Thanks!
>>
>>>> Basically, is there a way to do a fresh install of FreeIPA server, and
>>>> do a dump/restore of data from my existing messed up install?
>>> Not really, no. You can migrate IPA to IPA but only users and groups and
>>> you lose private groups for existing users (they become regular POSIX
>>> groups).
>>>
>>> rob
>>>
>

-- 
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com
Re: [Freeipa-users] Cleaning Up an Unholy Mess
On 08/25/2016 08:04 PM, Ian Harding wrote:
>
>
> On 08/25/2016 10:41 AM, Rob Crittenden wrote:
>> Ian Harding wrote:
>>>
>>>
>>> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>>>> Ian Harding wrote:
>>>>> I tried to simply uninstall and reinstall freeipa-dal and this
>>>>> happened.
>>>>>
>>>>> It only had a replication agreement with freeipa-sea
>>>>>
>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>
>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>> configuration!
>>>>>
>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>> [no]: yes
>>>>> Shutting down all IPA services
>>>>> Removing IPA client configuration
>>>>> Unconfiguring ntpd
>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>> Unconfiguring CA
>>>>> Unconfiguring named
>>>>> Unconfiguring ipa-dnskeysyncd
>>>>> Unconfiguring web server
>>>>> Unconfiguring krb5kdc
>>>>> Unconfiguring kadmin
>>>>> Unconfiguring directory server
>>>>> Unconfiguring ipa_memcached
>>>>> Unconfiguring ipa-otpd
>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>
>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>> configuration!
>>>>>
>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>> [no]: yes
>>>>>
>>>>> WARNING: Failed to connect to Directory Server to find information
>>>>> about
>>>>> replication agreements. Uninstallation will continue despite the
>>>>> possible
>>>>> existing replication agreements.
>>>>> Shutting down all IPA services
>>>>> Removing IPA client configuration
>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>>>> You should remove it before proceeding:
>>>>>     % ipa host-del freeipa-dal.bpt.rocks
>>>>> [root@freeipa-dal ianh]#
>>>>>
>>>>> So I tried to delete it again with --force
>>>>>
>>>>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>>>>> freeipa-dal.bpt.rocks
>>>>> Directory Manager password:
>>>>>
>>>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>>>> 'freeipa-dal.bpt.rocks'
>>>>> [root@freeipa-sea ianh]#
>>>>>
>>>>> Can't delete it from the master server either
>>>>>
>>>>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>>>> disabled
>>>>>
>>>>>
>>>>> Now what? I'm running out of things that work.
>>>>
>>>> Not sure what version of IPA you have but try:
>>>>
>>>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>>>
>>>> If this had a CA on it then you'll want to ensure that any replication
>>>> agreements it had have been removed as well.
>>>>
>>>> rob
>>>
>>> It turns out I'm not smart enough to untangle this mess.
>>>
>>> Is there any way to kind of start over? I managed to delete and
>>> recreate a couple replicas but the problems (obsolete ruv as far as I
>>> can tell) carry on with the new replicas. They won't even replicate
>>> back to the master they were created from.
>>
>> Once you have the right version of 389-ds then cleanruv tasks work
>> a lot better. What version are you running now?
>
> 1.3.4.0. It's handcuffed to my CentOS 7 so I don't want to update it
> outside the CentOS ecosystem. What's the downside of upgrading it from
> source or an RPM for a different flavor of RedHat derived Linux?
>
> I'm a one-man band but I'd be interested in hearing a pitch from someone
> who is super smart on this stuff for a working consulting gig and maybe
> ongoing support. Who would I talk to at RedHat about coming in from the
> cold for full on corporate support?

This sounds like you want to call
https://www.redhat.com/en/about/contact/sales# :-)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Cleaning Up an Unholy Mess
On 08/25/2016 02:04 PM, Ian Harding wrote:
>
> On 08/25/2016 10:41 AM, Rob Crittenden wrote:
>> Ian Harding wrote:
>>>
>>> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>>>> Ian Harding wrote:
>>>>> I tried to simply uninstall and reinstall freeipa-dal and this
>>>>> happened.
>>>>>
>>>>> It only had a replication agreement with freeipa-sea
>>>>>
>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>
>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>> configuration!
>>>>>
>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>> [no]: yes
>>>>> Shutting down all IPA services
>>>>> Removing IPA client configuration
>>>>> Unconfiguring ntpd
>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>> Unconfiguring CA
>>>>> Unconfiguring named
>>>>> Unconfiguring ipa-dnskeysyncd
>>>>> Unconfiguring web server
>>>>> Unconfiguring krb5kdc
>>>>> Unconfiguring kadmin
>>>>> Unconfiguring directory server
>>>>> Unconfiguring ipa_memcached
>>>>> Unconfiguring ipa-otpd
>>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>>
>>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>>> configuration!
>>>>>
>>>>> Are you sure you want to continue with the uninstall procedure?
>>>>> [no]: yes
>>>>>
>>>>> WARNING: Failed to connect to Directory Server to find information
>>>>> about
>>>>> replication agreements. Uninstallation will continue despite the
>>>>> possible
>>>>> existing replication agreements.
>>>>> Shutting down all IPA services
>>>>> Removing IPA client configuration
>>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>>> Configuring certmonger to stop tracking system certificates for CA
>>>>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>>>> You should remove it before proceeding:
>>>>>     % ipa host-del freeipa-dal.bpt.rocks
>>>>> [root@freeipa-dal ianh]#
>>>>>
>>>>> So I tried to delete it again with --force
>>>>>
>>>>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>>>>> freeipa-dal.bpt.rocks
>>>>> Directory Manager password:
>>>>>
>>>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>>>> 'freeipa-dal.bpt.rocks'
>>>>> [root@freeipa-sea ianh]#
>>>>>
>>>>> Can't delete it from the master server either
>>>>>
>>>>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>>>> disabled
>>>>>
>>>>>
>>>>> Now what? I'm running out of things that work.
>>>> Not sure what version of IPA you have but try:
>>>>
>>>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>>>
>>>> If this had a CA on it then you'll want to ensure that any replication
>>>> agreements it had have been removed as well.
>>>>
>>>> rob
>>> It turns out I'm not smart enough to untangle this mess.
>>>
>>> Is there any way to kind of start over? I managed to delete and
>>> recreate a couple replicas but the problems (obsolete ruv as far as I
>>> can tell) carry on with the new replicas. They won't even replicate
>>> back to the master they were created from.
>> Once you have the right version of 389-ds then cleanruv tasks work
>> a lot better. What version are you running now?
> 1.3.4.0.

Ian,

Can you give the exact version please? rpm -qa | grep 389-ds-base

Thanks,
Mark

> It's handcuffed to my CentOS 7 so I don't want to update it
> outside the CentOS ecosystem. What's the downside of upgrading it from
> source or an RPM for a different flavor of RedHat derived Linux?
>
> I'm a one-man band but I'd be interested in hearing a pitch from someone
> who is super smart on this stuff for a working consulting gig and maybe
> ongoing support. Who would I talk to at RedHat about coming in from the
> cold for full on corporate support?
>
> Thanks!
>
>>> Basically, is there a way to do a fresh install of FreeIPA server, and
>>> do a dump/restore of data from my existing messed up install?
>> Not really, no. You can migrate IPA to IPA but only users and groups and
>> you lose private groups for existing users (they become regular POSIX
>> groups).
>>
>> rob
>>
Re: [Freeipa-users] Cleaning Up an Unholy Mess
On 08/25/2016 10:41 AM, Rob Crittenden wrote:
> Ian Harding wrote:
>>
>>
>> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>>> Ian Harding wrote:
>>>> I tried to simply uninstall and reinstall freeipa-dal and this happened.
>>>>
>>>> It only had a replication agreement with freeipa-sea
>>>>
>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>
>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>> configuration!
>>>>
>>>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>>> Shutting down all IPA services
>>>> Removing IPA client configuration
>>>> Unconfiguring ntpd
>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>> Configuring certmonger to stop tracking system certificates for CA
>>>> Unconfiguring CA
>>>> Unconfiguring named
>>>> Unconfiguring ipa-dnskeysyncd
>>>> Unconfiguring web server
>>>> Unconfiguring krb5kdc
>>>> Unconfiguring kadmin
>>>> Unconfiguring directory server
>>>> Unconfiguring ipa_memcached
>>>> Unconfiguring ipa-otpd
>>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>>
>>>> This is a NON REVERSIBLE operation and will delete all data and
>>>> configuration!
>>>>
>>>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>>>
>>>> WARNING: Failed to connect to Directory Server to find information about
>>>> replication agreements. Uninstallation will continue despite the possible
>>>> existing replication agreements.
>>>> Shutting down all IPA services
>>>> Removing IPA client configuration
>>>> Configuring certmonger to stop tracking system certificates for KRA
>>>> Configuring certmonger to stop tracking system certificates for CA
>>>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>>> Directory Manager (existing master) password:
>>>>
>>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>>> You should remove it before proceeding:
>>>>     % ipa host-del freeipa-dal.bpt.rocks
>>>> [root@freeipa-dal ianh]#
>>>>
>>>> So I tried to delete it again with --force
>>>>
>>>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>>>> freeipa-dal.bpt.rocks
>>>> Directory Manager password:
>>>>
>>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>>> 'freeipa-dal.bpt.rocks'
>>>> [root@freeipa-sea ianh]#
>>>>
>>>> Can't delete it from the master server either
>>>>
>>>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>>> disabled
>>>>
>>>>
>>>> Now what? I'm running out of things that work.
>>>
>>> Not sure what version of IPA you have but try:
>>>
>>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>>
>>> If this had a CA on it then you'll want to ensure that any replication
>>> agreements it had have been removed as well.
>>>
>>> rob
>>>
>>
>> It turns out I'm not smart enough to untangle this mess.
>>
>> Is there any way to kind of start over? I managed to delete and
>> recreate a couple replicas but the problems (obsolete ruv as far as I
>> can tell) carry on with the new replicas. They won't even replicate
>> back to the master they were created from.
>
> Once you have the right version of 389-ds then cleanruv tasks work
> a lot better. What version are you running now?

1.3.4.0. It's handcuffed to my CentOS 7 so I don't want to update it
outside the CentOS ecosystem. What's the downside of upgrading it from
source or an RPM for a different flavor of RedHat derived Linux?

I'm a one-man band but I'd be interested in hearing a pitch from someone
who is super smart on this stuff for a working consulting gig and maybe
ongoing support. Who would I talk to at RedHat about coming in from the
cold for full on corporate support?

Thanks!

>
>> Basically, is there a way to do a fresh install of FreeIPA server, and
>> do a dump/restore of data from my existing messed up install?
>
> Not really, no. You can migrate IPA to IPA but only users and groups and
> you lose private groups for existing users (they become regular POSIX
> groups).
>
> rob
>

-- 
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com
Re: [Freeipa-users] Cleaning Up an Unholy Mess
Ian Harding wrote:
>
>
> On 08/24/2016 06:33 PM, Rob Crittenden wrote:
>> Ian Harding wrote:
>>> I tried to simply uninstall and reinstall freeipa-dal and this happened.
>>>
>>> It only had a replication agreement with freeipa-sea
>>>
>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>
>>> This is a NON REVERSIBLE operation and will delete all data and
>>> configuration!
>>>
>>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>> Shutting down all IPA services
>>> Removing IPA client configuration
>>> Unconfiguring ntpd
>>> Configuring certmonger to stop tracking system certificates for KRA
>>> Configuring certmonger to stop tracking system certificates for CA
>>> Unconfiguring CA
>>> Unconfiguring named
>>> Unconfiguring ipa-dnskeysyncd
>>> Unconfiguring web server
>>> Unconfiguring krb5kdc
>>> Unconfiguring kadmin
>>> Unconfiguring directory server
>>> Unconfiguring ipa_memcached
>>> Unconfiguring ipa-otpd
>>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>>
>>> This is a NON REVERSIBLE operation and will delete all data and
>>> configuration!
>>>
>>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>>
>>> WARNING: Failed to connect to Directory Server to find information about
>>> replication agreements. Uninstallation will continue despite the possible
>>> existing replication agreements.
>>> Shutting down all IPA services
>>> Removing IPA client configuration
>>> Configuring certmonger to stop tracking system certificates for KRA
>>> Configuring certmonger to stop tracking system certificates for CA
>>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>>> Directory Manager (existing master) password:
>>>
>>> The host freeipa-dal.bpt.rocks already exists on the master server.
>>> You should remove it before proceeding:
>>>     % ipa host-del freeipa-dal.bpt.rocks
>>> [root@freeipa-dal ianh]#
>>>
>>> So I tried to delete it again with --force
>>>
>>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>>> freeipa-dal.bpt.rocks
>>> Directory Manager password:
>>>
>>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>>> 'freeipa-dal.bpt.rocks'
>>> [root@freeipa-sea ianh]#
>>>
>>> Can't delete it from the master server either
>>>
>>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>>> disabled
>>>
>>>
>>> Now what? I'm running out of things that work.
>>
>> Not sure what version of IPA you have but try:
>>
>> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>>
>> If this had a CA on it then you'll want to ensure that any replication
>> agreements it had have been removed as well.
>>
>> rob
>>
>
> It turns out I'm not smart enough to untangle this mess.
>
> Is there any way to kind of start over? I managed to delete and
> recreate a couple replicas but the problems (obsolete ruv as far as I
> can tell) carry on with the new replicas. They won't even replicate
> back to the master they were created from.

Once you have the right version of 389-ds then cleanruv tasks work
a lot better. What version are you running now?

> Basically, is there a way to do a fresh install of FreeIPA server, and
> do a dump/restore of data from my existing messed up install?

Not really, no. You can migrate IPA to IPA but only users and groups and
you lose private groups for existing users (they become regular POSIX
groups).

rob
Re: [Freeipa-users] Cleaning Up an Unholy Mess
On 08/24/2016 06:33 PM, Rob Crittenden wrote:
> Ian Harding wrote:
>> I tried to simply uninstall and reinstall freeipa-dal and this happened.
>>
>> It only had a replication agreement with freeipa-sea
>>
>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>> Shutting down all IPA services
>> Removing IPA client configuration
>> Unconfiguring ntpd
>> Configuring certmonger to stop tracking system certificates for KRA
>> Configuring certmonger to stop tracking system certificates for CA
>> Unconfiguring CA
>> Unconfiguring named
>> Unconfiguring ipa-dnskeysyncd
>> Unconfiguring web server
>> Unconfiguring krb5kdc
>> Unconfiguring kadmin
>> Unconfiguring directory server
>> Unconfiguring ipa_memcached
>> Unconfiguring ipa-otpd
>> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>>
>> This is a NON REVERSIBLE operation and will delete all data and
>> configuration!
>>
>> Are you sure you want to continue with the uninstall procedure? [no]: yes
>>
>> WARNING: Failed to connect to Directory Server to find information about
>> replication agreements. Uninstallation will continue despite the possible
>> existing replication agreements.
>> Shutting down all IPA services
>> Removing IPA client configuration
>> Configuring certmonger to stop tracking system certificates for KRA
>> Configuring certmonger to stop tracking system certificates for CA
>> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
>> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
>> Directory Manager (existing master) password:
>>
>> The host freeipa-dal.bpt.rocks already exists on the master server.
>> You should remove it before proceeding:
>>     % ipa host-del freeipa-dal.bpt.rocks
>> [root@freeipa-dal ianh]#
>>
>> So I tried to delete it again with --force
>>
>> [root@freeipa-sea ianh]# ipa-replica-manage --force del
>> freeipa-dal.bpt.rocks
>> Directory Manager password:
>>
>> 'freeipa-sea.bpt.rocks' has no replication agreement for
>> 'freeipa-dal.bpt.rocks'
>> [root@freeipa-sea ianh]#
>>
>> Can't delete it from the master server either
>>
>> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>> disabled
>>
>>
>> Now what? I'm running out of things that work.
>
> Not sure what version of IPA you have but try:
>
> # ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks
>
> If this had a CA on it then you'll want to ensure that any replication
> agreements it had have been removed as well.
>
> rob
>

It turns out I'm not smart enough to untangle this mess.

Is there any way to kind of start over? I managed to delete and
recreate a couple replicas but the problems (obsolete ruv as far as I
can tell) carry on with the new replicas. They won't even replicate
back to the master they were created from.

Basically, is there a way to do a fresh install of FreeIPA server, and
do a dump/restore of data from my existing messed up install?

Thanks!

-- 
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com
Re: [Freeipa-users] Cleaning Up an Unholy Mess
Ian Harding wrote:
> I tried to simply uninstall and reinstall freeipa-dal and this happened.
>
> It only had a replication agreement with freeipa-sea
>
> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and
> configuration!
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
> Shutting down all IPA services
> Removing IPA client configuration
> Unconfiguring ntpd
> Configuring certmonger to stop tracking system certificates for KRA
> Configuring certmonger to stop tracking system certificates for CA
> Unconfiguring CA
> Unconfiguring named
> Unconfiguring ipa-dnskeysyncd
> Unconfiguring web server
> Unconfiguring krb5kdc
> Unconfiguring kadmin
> Unconfiguring directory server
> Unconfiguring ipa_memcached
> Unconfiguring ipa-otpd
> [root@freeipa-dal ianh]# ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and
> configuration!
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
>
> WARNING: Failed to connect to Directory Server to find information about
> replication agreements. Uninstallation will continue despite the possible
> existing replication agreements.
> Shutting down all IPA services
> Removing IPA client configuration
> Configuring certmonger to stop tracking system certificates for KRA
> Configuring certmonger to stop tracking system certificates for CA
> [root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
> --no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
> Directory Manager (existing master) password:
>
> The host freeipa-dal.bpt.rocks already exists on the master server.
> You should remove it before proceeding:
>     % ipa host-del freeipa-dal.bpt.rocks
> [root@freeipa-dal ianh]#
>
> So I tried to delete it again with --force
>
> [root@freeipa-sea ianh]# ipa-replica-manage --force del
> freeipa-dal.bpt.rocks
> Directory Manager password:
>
> 'freeipa-sea.bpt.rocks' has no replication agreement for
> 'freeipa-dal.bpt.rocks'
> [root@freeipa-sea ianh]#
>
> Can't delete it from the master server either
>
> [root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
> disabled
>
>
> Now what? I'm running out of things that work.

Not sure what version of IPA you have but try:

# ipa-replica-manage --force --cleanup delete freeipa-dal.bpt.rocks

If this had a CA on it then you'll want to ensure that any replication
agreements it had have been removed as well.

rob
[Freeipa-users] Cleaning Up an Unholy Mess
I tried to simply uninstall and reinstall freeipa-dal and this happened.

It only had a replication agreement with freeipa-sea

[root@freeipa-dal ianh]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring CA
Unconfiguring named
Unconfiguring ipa-dnskeysyncd
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
[root@freeipa-dal ianh]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and
configuration!

Are you sure you want to continue with the uninstall procedure? [no]: yes

WARNING: Failed to connect to Directory Server to find information about
replication agreements. Uninstallation will continue despite the possible
existing replication agreements.
Shutting down all IPA services
Removing IPA client configuration
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
[root@freeipa-dal ianh]# ipa-replica-install --setup-ca --setup-dns
--no-forwarders /var/lib/ipa/replica-info-freeipa-dal.bpt.rocks.gpg
Directory Manager (existing master) password:

The host freeipa-dal.bpt.rocks already exists on the master server.
You should remove it before proceeding:
    % ipa host-del freeipa-dal.bpt.rocks
[root@freeipa-dal ianh]#

So I tried to delete it again with --force

[root@freeipa-sea ianh]# ipa-replica-manage --force del
freeipa-dal.bpt.rocks
Directory Manager password:

'freeipa-sea.bpt.rocks' has no replication agreement for
'freeipa-dal.bpt.rocks'
[root@freeipa-sea ianh]#

Can't delete it from the master server either

[root@seattlenfs ianh]# ipa host-del freeipa-dal.bpt.rocks
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
disabled


Now what? I'm running out of things that work.

-- 
Ian Harding
IT Director
Brown Paper Tickets
1-800-838-3006 ext 7186
http://www.brownpapertickets.com