Hi Florence,
Thanks for looking into this, I appreciate it very much!
```
master# ldapsearch -xLLL -o ldif-wrap=no -D "cn=directory manager" -W -s sub -b cn=config objectclass=nsds5replicationagreement dn
Enter LDAP Password:
dn: cn=meTose-rhidm03x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm01x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm04x.se.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
dn: cn=caTose-rhidm03x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm01x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
dn: cn=se-rhidm02x.se.example.com-to-se-rhidm04x.se.example.com,cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
```
On the master, "meTousidc1-rhidm01x.idc1.us.example.com" is there after running `ipa-replica-install <...>` from the replica. This has been found after all my install attempts and I have been removing that entry using:
```
master# ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=meTousidc1-rhidm01x.idc1.us.example.com,cn=replica,cn=dc\3Dlnx\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: delete
EOF
```
I tried a clean install as per your suggestion but it fails in the same way. It is worth noting that `ipa server-del <replica fqdn>` was not possible since I could not find the replica using `ipa server-find`. Maybe that indicates an issue?
When running the `ipa-replica-install <...>` command I get the following error and warning.
```
Could not resolve hostname se-rhidm03x.se.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
...
WARNING: 2 existing users or groups do not have a SID identifier assigned. Installer can run a task to have ipa-sidgen Directory Server plugin generate the SID identifier for all these users. Please note, in case of a high number of users and groups, the operation might lead to high replication traffic and performance degradation. Refer to ipa-adtrust-install(1) man page for details.
Do you want to run the ipa-sidgen task? [no]: no
```
What I do to install the replica is first manually install it as a client, add it to the ipaservers hostgroup and then run the `ipa-replica-install <...>` command.
```
replica# ipa-client-install --domain lnx.example.com --force-join --mkhomedir --no-ntp --principal idmsrvjoin --realm LNX.EXAMPLE.COM
master# ipa hostgroup-add-member ipaservers --hosts usidc1-rhidm01x.idc1.us.example.com
replica# ipa-replica-install --verbose --setup-dns --forwarder 10.0.2.200 --forwarder 10.0.2.201 --forwarder 10.0.2.202 --setup-ca
```
I tried sending an e-mail with the following files in a tarball, but it seems not to have been accepted due to its large size. I have published them on my own website instead, hope that works.
master ds389 access: https://www.rexhepi-lindberg.com/iparepl/master/access
master ds389 errors: https://www.rexhepi-lindberg.com/iparepl/master/errors
replica ds389 access: https://www.rexhepi-lindberg.com/iparepl/replica/access
replica ds389 errors: https://www.rexhepi-lindberg.com/iparepl/replica/errors
replica-install.log: https://www.rexhepi-lindberg.com/iparepl/replica/ipareplica-install.log
-- Markus