Hi Jamal,
The problem comes from a conflict entry

dn: cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
cn;vucsn-5a2841c1000200070000;mdcsn-5a2841c1000200070000: nitrogen.eggvfx.ie
dn: cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
cn;vucsn-5a4b93bc0002000b0000;mdcsn-5a4b93bc0002000b0000: lithium.eggvfx.ie
dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
cn;vucsn-5a6ef6390002000d0000;mdcsn-5a6ef6390002000d0000: oxygen.eggvfx.ie
nsds5ReplConflict;vucsn-5a6ef6390002000d0000: namingConflict cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie

There are 3 masters, but oxygen is a conflict entry. IPA CLI is using its 'cn' value to retrieve (cn=oxygen.eggvfx.ie concatenated with cn=masters,...)

oxygen was added in parallel on two hosts. Making the one added on ReplicaId=0x000d a conflict.
Later oxygen was removed but the dangling conflict has not been cleaned up. I suspect this dangling master should be present on all servers
ldapsearch -D "cn=directory manager" -W -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" "(nsds5ReplConflict=*)"
Conflicts are visible to regular search and IPA is fighting with them (this is going to be fixed).
If this entry is the only conflict in the 'master' container and without any children, I think you may delete it.
best regards
thierry
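
Added example (not part of Thierry's message and not FreeIPA code): a Python check that reads a listing of cn=masters, rebuilds the DN a client would derive from each entry's cn value as described above, and flags conflict entries whose real DN does not match it. The sample LDIF is constructed from the entries quoted in this thread; audit_masters and its result keys are hypothetical names.

```python
import re

# Container that holds one entry per IPA master (DN as quoted in this thread).
MASTERS = "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"

# Constructed sample: the three entries quoted above, trimmed to the attributes
# that matter, with one value folded the way ldapsearch wraps long lines.
SAMPLE_LDIF = """\
dn: cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
cn;vucsn-5a2841c1000200070000;mdcsn-5a2841c1000200070000: nitrogen.eggvfx.ie

dn: cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
cn;vucsn-5a4b93bc0002000b0000;mdcsn-5a4b93bc0002000b0000: lithium.eggvfx.ie

dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
cn;vucsn-5a6ef6390002000d0000;mdcsn-5a6ef6390002000d0000: oxygen.eggvfx.ie
nsds5ReplConflict;vucsn-5a6ef6390002000d0000: namingConflict cn=oxygen.eggvfx.ie,
 cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
"""

# "name;subtype;subtype: value" -> name and value (base64 "::" values are not handled).
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(?:;[^:]*)?:\s*(.*)$")


def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return [{'dn': ..., 'attrs': {lowercased name: [values]}}], ignoring subtypes."""
    entries, cur = [], None
    for line in unfold(text):
        if not line.strip():
            cur = None
            continue
        m = None if line.startswith("#") else ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "dn":
            cur = {"dn": value, "attrs": {}}
            entries.append(cur)
        elif cur is not None:
            cur["attrs"].setdefault(name, []).append(value)
    return entries


def norm_dn(dn):
    # Simplified comparison: case-insensitive, spaces around commas ignored.
    return ",".join(part.strip() for part in dn.lower().split(","))


def audit_masters(ldif_text, container=MASTERS):
    """For each master entry, compare its real DN with the DN built from its cn."""
    findings = []
    for entry in parse_entries(ldif_text):
        cn = entry["attrs"].get("cn", [""])[0]
        lookup_dn = f"cn={cn},{container}"          # what a cn-based lookup would ask for
        first_rdn = entry["dn"].split(",", 1)[0].lower()
        marker = entry["attrs"].get("nsds5replconflict", [])
        findings.append({
            "dn": entry["dn"],
            "cn": cn,
            "lookup_dn": lookup_dn,
            "resolves": norm_dn(lookup_dn) == norm_dn(entry["dn"]),
            "conflict": bool(marker) or "+nsuniqueid=" in first_rdn,
            "conflict_with": (marker[0].partition(" ")[2] or None) if marker else None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_masters(SAMPLE_LDIF):
        state = "CONFLICT" if f["conflict"] else "ok"
        print(f"{state:8} cn={f['cn']} resolves={f['resolves']}")
        if f["conflict"]:
            print(f"         real DN:   {f['dn']}")
            print(f"         lookup DN: {f['lookup_dn']} (would return err=32)")
```

Feed it the output of the "(nsds5ReplConflict=*)" search below, or of a one-level search of the container, taken on each server to see whether the same dangling entry is present everywhere.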
On 02/14/2018 12:31 PM, Jamal Mahmoud wrote:
Sure thing Thierry!
---------------------------------------------------------------------------
For the First Command:
---------------------------------------------------------------------------
[root@lithium ~]# ldapsearch -D "cn=directory manager" -W -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s one 'objectclass=*' nscpentrywsi
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie> with scope oneLevel
# filter: objectclass=*
# requesting: nscpentrywsi
#

# nitrogen.eggvfx.ie, masters, ipa, etc, eggvfx.ie
dn: cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
nscpentrywsi: dn: cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
nscpentrywsi: entryid: 551
nscpentrywsi: parentid: 522
nscpentrywsi: createTimestamp;vucsn-5a2841c1000200070000: 20171206191415Z
nscpentrywsi: creatorsName;vucsn-5a2841c1000200070000: cn=Directory Manager
nscpentrywsi: ipaMaxDomainLevel;vucsn-5a2841c1000200070000: 1
nscpentrywsi: ipaMinDomainLevel;vucsn-5a2841c1000200070000: 0
nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a2841c1000200070000: dc=eggvfx,dc=ie
nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a2841f5000000070000: o=ipaca
nscpentrywsi: cn;vucsn-5a2841c1000200070000;mdcsn-5a2841c1000200070000: nitrog
nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: top
nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: nsContainer
nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: ipaReplTopoManagedServer
nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: ipaConfigObject
nscpentrywsi: objectClass;vucsn-5a2841c1000200070000: ipaSupportedDomainLevelConfig
nscpentrywsi: modifiersName;adcsn-5a2841f5000000070001;vucsn-5a2841f5000000070001: cn=Directory Manager
nscpentrywsi: modifyTimestamp;adcsn-5a2841f5000000070002;vucsn-5a2841f5000000070002: 20171206191507Z
nscpentrywsi: nsUniqueId: 9fa0a6a0-dab911e7-9b12a63c-96e53ac2
nscpentrywsi: entryusn: 2
nscpentrywsi: numSubordinates: 9

# lithium.eggvfx.ie, masters, ipa, etc, eggvfx.ie
dn: cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
nscpentrywsi: dn: cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
nscpentrywsi: entryusn;adcsn-5a4b93f60000000b0003;vucsn-5a4b93f60000000b0003:54
nscpentrywsi: modifyTimestamp;adcsn-5a4b93f60000000b0002;vucsn-5a4b93f60000000b0002: 20180102141420Z
nscpentrywsi: modifiersName;adcsn-5a4b93f60000000b0001;vucsn-5a4b93f60000000b0001: cn=Directory Manager
nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: top
nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: nsContainer
nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: ipaReplTopoManagedServer
nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: ipaConfigObject
nscpentrywsi: objectClass;vucsn-5a4b93bc0002000b0000: ipaSupportedDomainLevelConfig
nscpentrywsi: cn;vucsn-5a4b93bc0002000b0000;mdcsn-5a4b93bc0002000b0000: lithiu
nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a4b93bc0002000b0000: dc=eggvfx,dc=ie
nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a4b93f60000000b0000: o=ipaca
nscpentrywsi: ipaMinDomainLevel;vucsn-5a4b93bc0002000b0000: 0
nscpentrywsi: ipaMaxDomainLevel;vucsn-5a4b93bc0002000b0000: 1
nscpentrywsi: creatorsName;vucsn-5a4b93bc0002000b0000: cn=Directory Manager
nscpentrywsi: createTimestamp;vucsn-5a4b93bc0002000b0000: 20180102141322Z
nscpentrywsi: nsUniqueId: 118be292-efc711e7-be76b1c8-a90c608b
nscpentrywsi: parentid: 522
nscpentrywsi: entryid: 855
nscpentrywsi: numSubordinates: 9

# oxygen.eggvfx.ie + 562f6f20-04de11e8-a003fb96-902b0a77, masters, ipa, etc, eg
dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
nscpentrywsi: dn: cn=oxygen.eggvfx.ie+nsuniqueid=562f6f20-04de11e8-a003fb96-902b0a77,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
nscpentrywsi: entryusn;adcsn-5a6ef6850000000d0003;vucsn-5a6ef6850000000d0003:9656
nscpentrywsi: modifyTimestamp;adcsn-5a6ef6850000000d0002;vucsn-5a6ef6850000000d0002: 20180129102411Z
nscpentrywsi: modifiersName;adcsn-5a6ef6850000000d0001;vucsn-5a6ef6850000000d0001: cn=Directory Manager
nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: top
nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: nsContainer
nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: ipaReplTopoManagedServer
nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: ipaConfigObject
nscpentrywsi: objectClass;vucsn-5a6ef6390002000d0000: ipaSupportedDomainLevelConfig
nscpentrywsi: cn;vucsn-5a6ef6390002000d0000;mdcsn-5a6ef6390002000d0000: oxygen
nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a6ef6390002000d0000: dc=eggvfx,dc=ie
nscpentrywsi: ipaReplTopoManagedSuffix;vucsn-5a6ef6850000000d0000: o=ipaca
nscpentrywsi: ipaMinDomainLevel;vucsn-5a6ef6390002000d0000: 0
nscpentrywsi: ipaMaxDomainLevel;vucsn-5a6ef6390002000d0000: 1
nscpentrywsi: creatorsName;vucsn-5a6ef6390002000d0000: cn=Directory Manager
nscpentrywsi: createTimestamp;vucsn-5a6ef6390002000d0000: 20180129102255Z
nscpentrywsi: nsUniqueId;mdcsn-5a6ef6390002000d0000: 562f6f20-04de11e8-a003fb96-902b0a77
nscpentrywsi: parentid: 522
nscpentrywsi: entryid: 947
nscpentrywsi: nsds5ReplConflict;vucsn-5a6ef6390002000d0000: namingConflict cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie
nscpentrywsi: numSubordinates: 9

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
---------------------------------------------------------------------------
For the second command:
---------------------------------------------------------------------------
[root@lithium ~]# ldapsearch -D "cn=directory manager" -W -b "cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s base 'objectclass=*' nscpentrywsi
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie> with scope baseObject
# filter: objectclass=*
# requesting: nscpentrywsi
#

# search result
search: 2
result: 32 No such object
matchedDN: cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie

# numResponses: 1
---------------------------------------------------------------------------
Hope some of that makes sense, thanks for the quick response by the way!
Many Thanks,
Jamal
Jamal Mahmoud / Pipeline TD
jamal.mahmoud@egg.ie
35 Fitzwilliam Street Upper, Dublin.
P: +353 1 6345440
On 14 February 2018 at 11:17, thierry bordaz <tbordaz@redhat.com> wrote:
Hi Jamal,
Regarding the 'unwilling to perform', I think it may be the topology plugin that prevents you from isolating a host. Would the del isolate a host?
Regarding the 'server not found'. My understanding is that the problems/weird things come from
[13/Feb/2018:09:14:47.828827335 +0000] conn=192208 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1 filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn ipaMinDomainLevel ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"
[13/Feb/2018:09:14:47.829400972 +0000] conn=192208 op=3 RESULT err=0 tag=101 nentries=3 etime=0
[13/Feb/2018:09:14:47.845769945 +0000] conn=192208 op=5 SRCH base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.845875163 +0000] conn=192208 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Feb/2018:09:14:47.855353962 +0000] conn=192208 op=13 SRCH base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.855449266 +0000] conn=192208 op=13 RESULT err=0 tag=101 nentries=1 etime=0
[13/Feb/2018:09:14:47.864790724 +0000] conn=192208 op=21 SRCH base="cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.864996898 +0000] conn=192208 op=21 RESULT err=32 tag=101 nentries=0 etime=0
Could you provide (directly) the result of the following commands
ldapsearch -D "cn=directory manager" -W -b "cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s one 'objectclass=*' nscpentrywsi
ldapsearch -D "cn=directory manager" -W -b "cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" -s base 'objectclass=*' nscpentrywsi
Best regards
thierry
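
Added example (not part of the original message and not 389-ds or FreeIPA code): the log reasoning above as a Python script that pairs each SRCH with its RESULT by conn/op and reports a child that a one-level listing of a container implies but whose base lookup returns err=32. The sample lines are the conn=192208 entries quoted in this thread with mail link debris removed; pair_searches, dangling_children and their result keys are hypothetical names.

```python
import re

LDAP_NO_SUCH_OBJECT = 32

# Constructed sample: conn=192208 lines from the access log quoted in this thread.
SAMPLE_LOG = '''\
[13/Feb/2018:09:14:47.828827335 +0000] conn=192208 op=3 SRCH base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1 filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn ipaMinDomainLevel ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"
[13/Feb/2018:09:14:47.829400972 +0000] conn=192208 op=3 RESULT err=0 tag=101 nentries=3 etime=0
[13/Feb/2018:09:14:47.845769945 +0000] conn=192208 op=5 SRCH base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.845875163 +0000] conn=192208 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Feb/2018:09:14:47.855353962 +0000] conn=192208 op=13 SRCH base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.855449266 +0000] conn=192208 op=13 RESULT err=0 tag=101 nentries=1 etime=0
[13/Feb/2018:09:14:47.864790724 +0000] conn=192208 op=21 SRCH base="cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0 filter="(objectClass=*)" attrs=""
[13/Feb/2018:09:14:47.864996898 +0000] conn=192208 op=21 RESULT err=32 tag=101 nentries=0 etime=0
'''

LINE_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<kind>SRCH|RESULT) (?P<rest>.*)$')
# key="quoted value" or key=bare; a quoted value is consumed whole, so "=" inside
# a filter is not mistaken for another field.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def fields(rest):
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(rest)}


def pair_searches(log_text):
    """Return one record per SRCH that has a matching RESULT on the same conn/op."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        f = fields(m["rest"])
        if m["kind"] == "SRCH":
            pending[key] = {"conn": key[0], "op": key[1],
                            "base": f.get("base", ""),
                            "scope": int(f.get("scope", -1))}
        elif key in pending:
            rec = pending.pop(key)
            rec["err"] = int(f.get("err", -1))
            rec["nentries"] = int(f.get("nentries", 0))
            done.append(rec)
    return done


def dangling_children(log_text):
    """Base lookups that fail with err=32 under a container listed on the same connection."""
    searches = pair_searches(log_text)
    listed = {(s["conn"], s["base"].lower()): s["nentries"]
              for s in searches if s["scope"] == 1 and s["err"] == 0}
    hits = []
    for s in searches:
        parent = s["base"].partition(",")[2].lower()
        if (s["scope"] == 0 and s["err"] == LDAP_NO_SUCH_OBJECT
                and (s["conn"], parent) in listed):
            resolved = sum(1 for o in searches
                           if o["conn"] == s["conn"] and o["scope"] == 0 and o["err"] == 0
                           and o["base"].partition(",")[2].lower() == parent)
            hits.append({"conn": s["conn"], "op": s["op"], "missing_dn": s["base"],
                         "container": parent, "listed": listed[(s["conn"], parent)],
                         "resolved": resolved})
    return hits


if __name__ == "__main__":
    for h in dangling_children(SAMPLE_LOG):
        print(f"conn={h['conn']} op={h['op']}: {h['missing_dn']} -> err=32; "
              f"container listed {h['listed']} entries, {h['resolved']} resolved by DN")
```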
On 02/14/2018 10:52 AM, Jamal Mahmoud wrote:
Thank you Rob!
I can confirm that when i try to even view the server from the UI the same error message appears (server not found) in a dialog box, so wherever the UI is querying from, it originates from the same place. I would also like to mention that while i was trying to remove the topology segments from oxygen to nitrogen there is another error that appears. I don't know how to remove a segment in the CLI (i tried and couldn't figure it out) but the output from the web UI is attached below. I believe this is normal behaviour if the server were active.
IPA Error 4203: DatabaseError
Server is unwilling to perform: Removal of Segment disconnects topology.Deletion not allowed.
I've attached images explaining what i mean.
I hope this helps you and Thierry!
Many Thanks,
Jamal
Jamal Mahmoud / Pipeline TD
jamal.mahmoud@egg.ie
On 13 February 2018 at 21:14, Rob Crittenden <rcritten@redhat.com> wrote:
Jamal Mahmoud via FreeIPA-users wrote:
> Hi Rob,
>
> I've isolated the output on lithium when i ran
> ipa-replica-manage del oxygen.eggvfx.ie --force --cleanup
> It's quite heavy still but here it is
This is helpful. It shows that oxygen is being looked for in the IPA
masters location, cn=masters and is returning err=32, not found.
What I don't know is why or where this query is coming from.
There are several queries that look like they might originate in the
389-ds topology plugin but I couldn't find where and I'm not familiar
with it in general. Queries like:
SRCH base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn ipaMinDomainLevel
ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"
I'm not entirely sure when you invoke ipa-replica-manage if it is
calling the topology plugin under the hood or not. It almost certainly
is when you use the UI.
I'm cc'ing someone who knows this better.
rob
>
> [13/Feb/2018:09:14:45.823204160 +0000] conn=192207 fd=155 slot=155 SSL
> connection from 192.168.94.4 to 192.168.94.4
> [13/Feb/2018:09:14:46.027998523 +0000] conn=192207 TLS1.2 256-bit AES-GCM
> [13/Feb/2018:09:14:46.031226897 +0000] conn=45 op=31409 SRCH
> base="dc=eggvfx,dc=ie" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/EGGVFX.IE@EGGVFX.IE)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/EGGVFX.IE@EGGVFX.IE)))" attrs="krbPrincipalName
> krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> [13/Feb/2018:09:14:46.031713683 +0000] conn=45 op=31409 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.032193288 +0000] conn=45 op=31410 SRCH
> base="dc=eggvfx,dc=ie" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/lithium.eggvfx.ie@EGGVFX.IE)(krbPrincipalName:caseIgnoreIA5Match:=ldap/lithium.eggvfx.ie@EGGVFX.IE)))" attrs="krbPrincipalName
> krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> [13/Feb/2018:09:14:46.032529772 +0000] conn=45 op=31410 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.032696842 +0000] conn=45 op=31411 SRCH
> base="cn=EGGVFX.IE,cn=kerberos,dc=eggvfx,dc=ie"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [13/Feb/2018:09:14:46.032904807 +0000] conn=45 op=31411 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.033085928 +0000] conn=45 op=31412 SRCH
> base="dc=eggvfx,dc=ie" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=admin@EGGVFX.IE))" attrs="krbPrincipalName krbCanonicalName
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> objectClass"
> [13/Feb/2018:09:14:46.033377257 +0000] conn=45 op=31412 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.033555617 +0000] conn=45 op=31413 SRCH
> base="cn=EGGVFX.IE,cn=kerberos,dc=eggvfx,dc=ie"
> scope=0 filter="(objectClass=krbticketpolicyaux)"
> attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
> [13/Feb/2018:09:14:46.033714662 +0000] conn=45 op=31413 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.034731567 +0000] conn=192207 op=0 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> [13/Feb/2018:09:14:46.776688499 +0000] conn=192207 op=0 RESULT err=14
> tag=97 nentries=0 etime=1, SASL bind in progress
> [13/Feb/2018:09:14:46.777340050 +0000] conn=192207 op=1 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> [13/Feb/2018:09:14:46.779800986 +0000] conn=192207 op=1 RESULT err=14
> tag=97 nentries=0 etime=0, SASL bind in progress
> [13/Feb/2018:09:14:46.780131803 +0000] conn=192207 op=2 BIND dn=""
> method=sasl version=3 mech=GSSAPI
> [13/Feb/2018:09:14:46.781745436 +0000] conn=192207 op=2 RESULT err=0
> tag=97 nentries=0 etime=0
> dn="uid=admin,cn=users,cn=accounts,dc=eggvfx,dc=ie"
> [13/Feb/2018:09:14:46.782496366 +0000] conn=192207 op=3 SRCH
> base="cn=mapping tree,cn=config" scope=2
> filter="(|(&(objectClass=nsds5ReplicationAgreement)(nsDS5ReplicaRoot=dc=eggvfx,dc=ie))(objectClass=nsDSWindowsReplicationAgreement))"
> attrs=ALL
> [13/Feb/2018:09:14:46.784970100 +0000] conn=192207 op=3 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:46.786072700 +0000] conn=192207 op=4 SRCH
> base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes
> objectClasses"
> [13/Feb/2018:09:14:46.992758156 +0000] conn=192207 op=4 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.274654147 +0000] conn=192208 fd=156 slot=156
> connection from local to /var/run/slapd-EGGVFX-IE.socket
> [13/Feb/2018:09:14:47.275257858 +0000] conn=192208 AUTOBIND
> dn="cn=Directory Manager"
> [13/Feb/2018:09:14:47.275266840 +0000] conn=192208 op=0 BIND
> dn="cn=Directory Manager" method=sasl version=3 mech=EXTERNAL
> [13/Feb/2018:09:14:47.275307838 +0000] conn=192208 op=0 RESULT err=0
> tag=97 nentries=0 etime=0 dn="cn=Directory Manager"
> [13/Feb/2018:09:14:47.286719997 +0000] conn=192208 op=1 SRCH
> base="cn=Domain Level,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=0
> filter="(objectClass=*)" attrs="ipaDomainLevel"
> [13/Feb/2018:09:14:47.286848507 +0000] conn=192208 op=1 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.287228472 +0000] conn=192208 op=2 SRCH
> base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes
> objectClasses"
> [13/Feb/2018:09:14:47.464093684 +0000] conn=192208 op=2 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.828827335 +0000] conn=192208 op=3 SRCH
> base="cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
> filter="(objectClass=top)" attrs="ipaMaxDomainLevel cn ipaMinDomainLevel
> ipaReplTopoManagedSuffix ipaLocation ipaServiceWeight"
> [13/Feb/2018:09:14:47.829400972 +0000] conn=192208 op=3 RESULT err=0
> tag=101 nentries=3 etime=0
> [13/Feb/2018:09:14:47.834510410 +0000] conn=192208 op=4 SRCH
> base="cn=topology,cn=ipa,cn=etc,dc=eggvfx,dc=ie" scope=1
> filter="(objectClass=iparepltopoconf)" attrs="* cn ipaReplTopoConfRoot aci"
> [13/Feb/2018:09:14:47.834813555 +0000] conn=192208 op=4 RESULT err=0
> tag=101 nentries=2 etime=0
> [13/Feb/2018:09:14:47.845769945 +0000] conn=192208 op=5 SRCH
> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=0 filter="(objectClass=*)" attrs=""
> [13/Feb/2018:09:14:47.845875163 +0000] conn=192208 op=5 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.846499455 +0000] conn=192208 op=6 SRCH
> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=CA)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.846716314 +0000] conn=192208 op=6 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.847775298 +0000] conn=192208 op=7 SRCH
> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(|(cn=HTTP)(cn=KDC)(cn=KPASSWD))" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.848157025 +0000] conn=192208 op=7 RESULT err=0
> tag=101 nentries=3 etime=0
> [13/Feb/2018:09:14:47.850013297 +0000] conn=192208 op=8 SRCH
> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(|(cn=DNS)(cn=DNSKeySync))" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.850305924 +0000] conn=192208 op=8 RESULT err=0
> tag=101 nentries=2 etime=0
> [13/Feb/2018:09:14:47.851655036 +0000] conn=192208 op=9 SRCH
> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=NTP)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.851833457 +0000] conn=192208 op=9 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.852812885 +0000] conn=192208 op=10 SRCH
> base="cn=computers,cn=accounts,dc=eggvfx,dc=ie" scope=2
> filter="(&(memberOf=cn=adtrust
> agents,cn=sysaccounts,cn=etc,dc=eggvfx,dc=ie)(fqdn=nitrogen.eggvfx.ie))" attrs="* aci"
> [13/Feb/2018:09:14:47.853031311 +0000] conn=192208 op=10 RESULT err=0
> tag=101 nentries=0 etime=0
> [13/Feb/2018:09:14:47.853536363 +0000] conn=192208 op=11 SRCH
> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=KRA)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.853649454 +0000] conn=192208 op=11 RESULT err=0
> tag=101 nentries=0 etime=0
> [13/Feb/2018:09:14:47.854114915 +0000] conn=192208 op=12 SRCH
> base="cn=nitrogen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=ADTRUST)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.854224953 +0000] conn=192208 op=12 RESULT err=0
> tag=101 nentries=0 etime=0
> [13/Feb/2018:09:14:47.855353962 +0000] conn=192208 op=13 SRCH
> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=0 filter="(objectClass=*)" attrs=""
> [13/Feb/2018:09:14:47.855449266 +0000] conn=192208 op=13 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.855936058 +0000] conn=192208 op=14 SRCH
> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=CA)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.856125343 +0000] conn=192208 op=14 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.857152859 +0000] conn=192208 op=15 SRCH
> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(|(cn=HTTP)(cn=KDC)(cn=KPASSWD))" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.857517597 +0000] conn=192208 op=15 RESULT err=0
> tag=101 nentries=3 etime=0
> [13/Feb/2018:09:14:47.859268273 +0000] conn=192208 op=16 SRCH
> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(|(cn=DNS)(cn=DNSKeySync))" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.859490110 +0000] conn=192208 op=16 RESULT err=0
> tag=101 nentries=2 etime=0
> [13/Feb/2018:09:14:47.860775424 +0000] conn=192208 op=17 SRCH
> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=NTP)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.860938889 +0000] conn=192208 op=17 RESULT err=0
> tag=101 nentries=1 etime=0
> [13/Feb/2018:09:14:47.861949875 +0000] conn=192208 op=18 SRCH
> base="cn=computers,cn=accounts,dc=eggvfx,dc=ie" scope=2
> filter="(&(memberOf=cn=adtrust
> agents,cn=sysaccounts,cn=etc,dc=eggvfx,dc=ie)(fqdn=lithium.eggvfx.ie))" attrs="* aci"
> [13/Feb/2018:09:14:47.862121230 +0000] conn=192208 op=18 RESULT err=0
> tag=101 nentries=0 etime=0
> [13/Feb/2018:09:14:47.862930080 +0000] conn=192208 op=19 SRCH
> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=KRA)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.863048094 +0000] conn=192208 op=19 RESULT err=0
> tag=101 nentries=0 etime=0
> [13/Feb/2018:09:14:47.863563059 +0000] conn=192208 op=20 SRCH
> base="cn=lithium.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=2 filter="(cn=ADTRUST)" attrs="ipaConfigString cn"
> [13/Feb/2018:09:14:47.863674190 +0000] conn=192208 op=20 RESULT err=0
> tag=101 nentries=0 etime=0
> [13/Feb/2018:09:14:47.864790724 +0000] conn=192208 op=21 SRCH
> base="cn=oxygen.eggvfx.ie,cn=masters,cn=ipa,cn=etc,dc=eggvfx,dc=ie"
> scope=0 filter="(objectClass=*)" attrs=""
> [13/Feb/2018:09:14:47.864996898 +0000] conn=192208 op=21 RESULT err=32
> tag=101 nentries=0 etime=0
> [13/Feb/2018:09:14:47.918001361 +0000] conn=192207 op=5 UNBIND
> [13/Feb/2018:09:14:47.918035786 +0000] conn=192207 op=5 fd=155 closed - U1
> [13/Feb/2018:09:14:47.922593141 +0000] conn=192208 op=22 UNBIND
> [13/Feb/2018:09:14:47.922617042 +0000] conn=192208 op=22 fd=156 closed - U1
>
> For verbosity's sake i haven't done this on nitrogen also, unless it is
> required, if so let me know! I've also attached an image of the output
> from the command itself to show you the seemingly useless error message.
> Thanks again,
> Jamal Mahmoud
>
>
> *Jamal Mahmoud* / Pipeline TD
> jamal.mahmoud@egg.ie
>
> 35 Fitzwilliam Street Upper, Dublin.
> P: +353 1 6345440
>
> On 12 February 2018 at 20:27, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Jamal Mahmoud wrote:
> > Sure thing,
> > Output on *lithium*:
> >
> > [root@lithium ~]# ipa-replica-manage del oxygen.eggvfx.ie --force --cleanup
> > oxygen.eggvfx.ie: server not found
>
> What is baffling me the most is that the string 'server not found' is
> not to be found in the IPA source. I can't tell where that is being
> generated.
>
> Can you provide a snippet of the 389-ds access log when you request the
> deletion? That is in /var/log/dirsrv/slapd-REALM/access
>
> Note that the log is write buffered so the content may not appear
> immediately.
>
> Seeing the queries being made and what the responses/errors are might
> give me some ideas.
>
> rob
>
> >
> >
> > [root@lithium ~]# ipa domainlevel-get
> > -----------------------
> > Current domain level: 1
> > -----------------------
> >
> >
> > Output on *nitrogen*:
> >
> > [root@nitrogen ~]# ipa-replica-manage del oxygen.eggvfx.ie --force --cleanup
> > oxygen.eggvfx.ie: server not found
> >
> >
> > [root@nitrogen ~]# ipa domainlevel-get
> > -----------------------
> > Current domain level: 1
> > -----------------------
> >
> > I hope this helps,
> >
> > Jamal
> >
> >
> > *Jamal Mahmoud* / Pipeline TD
> > jamal.mahmoud@egg.ie
> >
> > 35 Fitzwilliam Street Upper, Dublin.
> > P: +353 1 6345440
> >
> > On 7 February 2018 at 20:34, Rob Crittenden <rcritten@redhat.com> wrote:
> >
> > Jamal Mahmoud via FreeIPA-users wrote:
> > > Hi Rob,
> > >
> > > Just wondering if you had time to look at this issue for me? Still stuck
> > > in a state of limbo with this IDM and i have run out of options. Any
> > > help in resolving this issue would be appreciated.
> >
> > A few more questions.
> >
> > What is the output of: ipa domainlevel-get
> >
> > Can you show the full output of ipa-replica-manage del oxygen... --force
> > --cleanup
> >
> > And on what master are you running that?
> >
> > rob
> >
> > >
> > > Many Thanks,
> > > Jamal
> > >
> > >
> > > On 1 February 2018 at 17:04, Jamal Mahmoud <jamal.mahmoud@egg.ie> wrote:
> > >
> > > Sorry about the lack of clarification Rob!
> > >
> > > I have 3 servers, all running CentOS 7.4, FreeIPA version 4.5.0. the
> > > hostnames are lithium, nitrogen and the recently deceased oxygen.
> > > all are masters under the same Realm which is EGGVFX.IE
> > >
> > > The "server not found" error is exactly what shows when i try to
> > > delete the server from command line or the Web UI.
> > >
> > > When i run ipa-replica-manage list -v `hostname` this is the output
> > > from the servers:
> > >
> > > Lithium Output:
> > > root@lithium# ipa-replica-manage list -v `hostname`
> > > nitrogen.eggvfx.ie: replica
> > > last init status: 0 Total update succeeded
> > > last init ended: 2018-02-01 10:51:14+00:00
> > > last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> > > last update ended: 2018-02-01 16:24:37+00:00
> > >
> > > Nitrogen Output:
> > > root@nitrogen# ipa-replica-manage list -v `hostname`
> > > lithium.eggvfx.ie: replica
> > > last init status: None
> > > last init ended: 1970-01-01 00:00:00+00:00
> > > last update status: Error (0) Replica acquired successfully: Incremental update succeeded
> > > last update ended: 2018-02-01 10:48:18+00:00
> > > oxygen.eggvfx.ie: replica
> > > last init status: None
> > > last init ended: 1970-01-01 00:00:00+00:00
> > > last update status: Error (-1) Problem connecting to replica - LDAP error: Can't contact LDAP server (connection error)
> > > last update