Re: [Freeipa-users] Badly corrupted IPA

2014-03-27 Thread Bret Wortman

  
  
BTW, this also fails when using the web UI -- I can see the entry
but not delete it.

On 03/27/2014 09:02 AM, Bret Wortman wrote:


  
  My IPA corruption continues and I'm afraid I'm going to have to
  recreate it from scratch since no reasonable means of backup
  exists (which I understand -- that's not my complaint).
  
  Here's what I'm facing:
  
# script -c 'ipa host-find mw79.damascusgrp.com'
Script started, file is typescript
--
1 host matched
--
  Host name: mw79.damascusgrp.com
  Principal name: host/mw79.damascusgrp@damascusgrp.com
  Password: False
  Member of host-groups: allow_all_hosts
  Indirect Member of HBAC rule: allow_all_users_services
  Keytab: False
  SSH public key fingerprint: [snip] (ssh-dss)


Number of entries returned 1

Script done, file is typescript
# script -c 'ipa host-del mw79.damascusgrp.com'
Script started, file is typescript
ipa: ERROR: mw79.damascusgrp.com: host not found
Script done, file is typescript
#

  I had unenrolled this host and was attempting to re-enroll
  it, and this is preventing its re-enrollment. Any ideas of how to
  force deletion of this host entry? I'm not LDAP savvy enough to
  just go in and start whacking LDAP entries myself, and given that
  my IPA database has gotten corrupted enough that no IPA CLI
  command can run without being wrapped in "script" or "strace" or
  similar, I'm hesitant to go too far. This machine, however, is my
  program manager's workstation, so it's pretty important to get
  back up and running.
  
  Thanks,
  
  
  -- 
Bret Wortman


http://damascusgrp.com/

http://about.me/wortmanbret
  

  
  
  
  
  ___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


  




Re: [Freeipa-users] Badly corrupted IPA

2014-03-27 Thread Rob Crittenden

Bret Wortman wrote:

BTW, this also fails when using the web UI -- I can see the entry but
not delete it.


It sounds like you have a replication conflict entry. Try this search:

$ ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com fqdn=myhost.example.com


You'll probably get something with a dn that includes a nsuniqueid in 
it. That is the conflict entry. IPA can find the host because it 
searches by fqdn too, but it deletes by generating the direct DN and 
since it doesn't match, no delete.


You can delete the wayward entry using ldapdelete.

rob
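
The distinction described in the reply above, as an added example that is not part of the original thread: it labels each DN an fqdn search returns as the direct DN (assumed here to be fqdn=<host>,<base>) or as a conflict entry whose leading RDN carries nsuniqueid. The function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): label each DN returned by the fqdn
# search as the direct DN IPA would generate, or as a conflict entry.
# Assumption: the direct DN has the form fqdn=<host>,<base>.

# classify_dns FQDN BASE -- reads LDIF on stdin, prints "<label> <dn>".
classify_dns() {
    WANT="fqdn=$1,$2" awk '
        function emit() {
            if (dn == "") return
            if (tolower(dn) == tolower(ENVIRON["WANT"])) label = "direct"
            else if (tolower(dn) ~ /^nsuniqueid=[^,]*[+]/) label = "conflict"
            else label = "other"
            print label, dn
            dn = ""
        }
        /^dn: /        { emit(); dn = substr($0, 5); in_dn = 1; next }
        /^ / && in_dn  { dn = dn substr($0, 2); next }  # LDIF folded line
                       { in_dn = 0 }
        END            { emit() }
    '
}

# Constructed sample: the only match is a conflict entry, so a delete aimed
# at the direct DN finds nothing. The nsuniqueid value is made up.
sample_ldif() {
    cat <<'EOF'
dn: nsuniqueid=0a1b2c3d-11111111-22222222-33333333+fqdn=myhost.example.com,cn=
 computers,cn=accounts,dc=example,dc=com
fqdn: myhost.example.com

EOF
}

sample_ldif | classify_dns myhost.example.com cn=computers,cn=accounts,dc=example,dc=com
```

In practice the LDIF would come from the ldapsearch command in the reply; a line labelled "conflict" is the DN to review before passing it to ldapdelete.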





Re: [Freeipa-users] Badly corrupted IPA

2014-03-27 Thread Bret Wortman

That worked like a champ. As always.

Thanks, Rob.


Bret

On 03/27/2014 10:08 AM, Rob Crittenden wrote:

Bret Wortman wrote:

BTW, this also fails when using the web UI -- I can see the entry but
not delete it.


It sounds like you have a replication conflict entry. Try this search:

$ ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com fqdn=myhost.example.com


You'll probably get something with a dn that includes a nsuniqueid in 
it. That is the conflict entry. IPA can find the host because it 
searches by fqdn too, but it deletes by generating the direct DN and 
since it doesn't match, no delete.


You can delete the wayward entry using ldapdelete.

rob


