Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-05 Thread Rob Crittenden
Karl Forner wrote:
> > It hangs forever.
>
> How long is forever?
>
> officially it's about 15 min. Do you mean that this delay could be
> expected?

Forever is a measurement of patience. I'd have expected a timeout at
some point. To really diagnose things we'd probably need to instrument
ipa-replica-manage to find out where it is getting stuck.

> > If I run it using the --cleanup option, it seems to work.
>
> That does other things.
>
> and actually it did not really work.

All cleanup does is remove the host as an IPA master. It does nothing
with agreements.

Did you find the agreement using the ldapsearch I proposed?

rob

> > But when I try to run again from scratch my replica, using the same
> > name, I get:
> >
> > Checking forwarders, please wait ...
> > WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
> > answers
> > Please fix forwarder configuration to enable DNSSEC support.
> > (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> > WARNING: DNSSEC validation will be disabled
> > Warning: skipping DNS resolution of host ipa2.example.com
> > Warning: skipping DNS resolution of host ipa.example.com
> > Using reverse zone(s) 0.17.172.in-addr.arpa.
> > A replication agreement for this host already exists. It needs to be
> > removed.
> > Run this on the master that generated the info file:
> > % ipa-replica-manage del ipa2.example.com --force
> >
> > On my master:
> > # ipa-replica-manage list
> > ipas.example.com : master
> > ipa.example.com : master
> >
> > I manually removed all DNS entries from the 3 zones mentioning ipa2. I
> > can check in the web UI, using the search feature that ipa2 has no
> > occurrence.
> >
> > So I do not understand why the replica install thinks there's still a
> > replication agreement.
> > And I'd like to know:
> > 1) why this command did not work
> >
> > ipa-replica-manage del ipa2.example.com --force -v
>
> 
> Because replication agreements are separate from IPA masters, DNS, etc.
> 
> >
> > 2) How could I manually effectively delete this agreement left-over.
> >
> 
> To see the agreements on any given master:
> 
> $ ldapsearch -x -D 'cn=directory manager' -W \
>     -b 'cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'
> 
> Use ldapdelete to delete the orphan one, or use something like Apache
> Studio if you're uncomfortable on the CLI.
> 
> rob
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-04 Thread Rob Crittenden
Karl Forner wrote:
> I am running a master freeIPA called "ipa" in an adelton/freeipa-server
> (freeIPA 4.1.4).
> I am able to create a replica server "ipa2", still in an
> adelton/freeipa-server.
> 
> If I stop my ipa2 replica, and try to delete the replication agreement:
> 
> % ipa-replica-manage del ipa2.example.com --force -v
> 
> It hangs forever.

How long is forever?

> If I run it using the --cleanup option, it seems to work.

That does other things.

> 
> But when I try to run again from scratch my replica, using the same
> name, I get:
> 
> Checking forwarders, please wait ...
> WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
> answers
> Please fix forwarder configuration to enable DNSSEC support.
> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> WARNING: DNSSEC validation will be disabled
> Warning: skipping DNS resolution of host ipa2.example.com
> Warning: skipping DNS resolution of host ipa.example.com
> Using reverse zone(s) 0.17.172.in-addr.arpa.
> A replication agreement for this host already exists. It needs to be
> removed.
> Run this on the master that generated the info file:
> % ipa-replica-manage del ipa2.example.com --force
> 
> On my master:
> # ipa-replica-manage list
> ipas.example.com: master
> ipa.example.com: master
> 
> I manually removed all DNS entries from the 3 zones mentioning ipa2. I
> can check in the web UI, using the search feature that ipa2 has no
> occurrence.
> 
> So I do not understand why the replica install thinks there's still a
> replication agreement.
> And I'd like to know:
> 1) why this command did not work
> 
> ipa-replica-manage del ipa2.example.com --force -v

Because replication agreements are separate from IPA masters, DNS, etc.

> 
> 2) How could I manually effectively delete this agreement left-over.
> 

To see the agreements on any given master:

$ ldapsearch -x -D 'cn=directory manager' -W \
    -b 'cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'

Use ldapdelete to delete the orphan one, or use something like Apache
Studio if you're uncomfortable on the CLI.

rob
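
The search-then-delete step described in this message, as an added example that is not part of the original thread: it unfolds the LDIF that ldapsearch returns, picks out the agreement entries that still point at the removed replica, and prints an ldapdelete command for each so it can be reviewed before being run. The sample LDIF is constructed, and the `nsds5replicationagreement` object class, the `nsDS5ReplicaHost` attribute and the `meTo<host>` entry names are assumptions about how 389 Directory Server and FreeIPA store agreements; check them against your own search output.

```shell
#!/bin/sh
# Constructed sample of the LDIF the mapping-tree ldapsearch might return
# (hypothetical entries; long DNs are folded as LDIF continuation lines).
sample_ldif() {
cat <<'EOF'
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: nsds5replica

dn: cn=meToipa2.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
  tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipa2.example.com

dn: cn=meToipas.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping
  tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaHost: ipas.example.com
EOF
}

# Read LDIF on stdin and print the DN of each replication agreement whose
# nsDS5ReplicaHost equals $1 (case-insensitive). Attribute names are assumed.
orphan_agreements() {
  awk -v host="$1" '
    function take(line,   i, attr, val) {
      i = index(line, ":")
      if (line ~ /^#/ || i == 0) return
      if (substr(line, i + 1, 1) == ":") return   # base64 value, not decoded
      attr = tolower(substr(line, 1, i - 1))
      val = substr(line, i + 1); sub(/^ +/, "", val)
      if (attr == "dn") dn = val
      else if (attr == "nsds5replicahost") rhost = val
      else if (attr == "objectclass" && tolower(val) == "nsds5replicationagreement")
        is_agmt = 1
    }
    function emit() {
      if (is_agmt && tolower(rhost) == tolower(host)) print dn
      dn = ""; rhost = ""; is_agmt = 0
    }
    /^ / { cur = cur substr($0, 2); next }   # unfold continuation line
         { take(cur); cur = $0 }             # previous logical line is complete
    /^$/ { emit() }                          # blank line ends an entry
    END  { take(cur); emit() }
  '
}

# Emit one ldapdelete command per match for review; nothing is executed.
delete_commands() {
  orphan_agreements "$1" | while IFS= read -r dn; do
    printf "ldapdelete -x -D 'cn=directory manager' -W '%s'\n" "$dn"
  done
}

sample_ldif | delete_commands ipa2.example.com
```

Against a live master, pipe the output of the ldapsearch above (with `-LLL` to drop comments) into `orphan_agreements` instead of `sample_ldif`.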



Re: [Freeipa-users] unable to effectively delete a replica agreement

2016-01-04 Thread Karl Forner
>
> > It hangs forever.
>
> How long is forever?
>

officially it's about 15 min. Do you mean that this delay could be expected?


>
> > If I run it using the --cleanup option, it seems to work.
>
> That does other things.
>

and actually it did not really work.


>
> >
> > But when I try to run again from scratch my replica, using the same
> > name, I get:
> >
> > Checking forwarders, please wait ...
> > WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
> > answers
> > Please fix forwarder configuration to enable DNSSEC support.
> > (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> > WARNING: DNSSEC validation will be disabled
> > Warning: skipping DNS resolution of host ipa2.example.com
> > Warning: skipping DNS resolution of host ipa.example.com
> > Using reverse zone(s) 0.17.172.in-addr.arpa.
> > A replication agreement for this host already exists. It needs to be
> > removed.
> > Run this on the master that generated the info file:
> > % ipa-replica-manage del ipa2.example.com --force
> >
> > On my master:
> > # ipa-replica-manage list
> > ipas.example.com: master
> > ipa.example.com: master
> >
> > I manually removed all DNS entries from the 3 zones mentioning ipa2. I
> > can check in the web UI, using the search feature that ipa2 has no
> > occurrence.
> >
> > So I do not understand why the replica install thinks there's still a
> > replication agreement.
> > And I'd like to know:
> > 1) why this command did not work
> >
> > ipa-replica-manage del ipa2.example.com --force -v
>
> Because replication agreements are separate from IPA masters, DNS, etc.
>
> >
> > 2) How could I manually effectively delete this agreement left-over.
> >
>
> To see the agreements on any given master:
>
> $ ldapsearch -x -D 'cn=directory manager' -W \
>     -b 'cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config'
>
> Use ldapdelete to delete the orphan one, or use something like Apache
> Studio if you're uncomfortable on the CLI.
>
> rob
>

Re: [Freeipa-users] unable to effectively delete a replica agreement

2015-12-21 Thread Karl Forner
It's quite a problem for me.
Would upgrading to a more recent version solve the problem?

How does freeIPA know that a host is a freeIPA host? From the LDAP?

Thanks

On Fri, Dec 18, 2015 at 3:45 PM, Karl Forner wrote:

> I am running a master freeIPA called "ipa" in an adelton/freeipa-server
> (freeIPA 4.1.4).
> I am able to create a replica server "ipa2", still in an
> adelton/freeipa-server.
>
> If I stop my ipa2 replica, and try to delete the replication agreement:
>
> %ipa-replica-manage del ipa2.example.com --force  -v
>
> It hangs forever.
> If I run it using the --cleanup option, it seems to work.
>
> But when I try to run again from scratch my replica, using the same name,
> I get:
>
> Checking forwarders, please wait ...
> WARNING: DNS forwarder 10.9.70.7 does not return DNSSEC signatures in
> answers
> Please fix forwarder configuration to enable DNSSEC support.
> (For BIND 9 add directive "dnssec-enable yes;" to "options {}")
> WARNING: DNSSEC validation will be disabled
> Warning: skipping DNS resolution of host ipa2.example.com
> Warning: skipping DNS resolution of host ipa.example.com
> Using reverse zone(s) 0.17.172.in-addr.arpa.
> A replication agreement for this host already exists. It needs to be
> removed.
> Run this on the master that generated the info file:
> % ipa-replica-manage del ipa2.example.com --force
>
> On my master:
> # ipa-replica-manage list
> ipas.example.com: master
> ipa.example.com: master
>
> I manually removed all DNS entries from the 3 zones mentioning ipa2. I can
> check in the web UI, using the search feature that ipa2 has no occurrence.
>
> So I do not understand why the replica install thinks there's still a
> replication agreement.
> And I'd like to know:
> 1) why this command did not work
>
> ipa-replica-manage del ipa2.example.com --force  -v
>
>
> 2) How could I manually effectively delete this agreement left-over.
>
>
> Thanks.
> Karl
>
>

Re: [Freeipa-users] unable to effectively delete a replica agreement

2015-12-18 Thread Jan Pazdziora
On Fri, Dec 18, 2015 at 03:45:33PM +0100, Karl Forner wrote:
> I am running a master freeIPA called "ipa" in an adelton/freeipa-server
> (freeIPA 4.1.4).
> I am able to create a replica server "ipa2", still in an
> adelton/freeipa-server.

I should mention that I failed to see the cause of the issues when
we discussed it with Karl in

https://github.com/adelton/docker-freeipa/issues/40

and at the same time I don't see anything container-specific in what
he attempts to do -- therefore I've asked him to bring the issue
to this forum.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
