Hi,
so finally I managed to fix the issue. The user used was ‘admin’ the ticket was a fresh one obtained immediately before the command.
After digging through many mails on this list I was pretty sure it had something todo with ACIs and them maybe not being readded after an upgrade. What I did to fix the issue was the following:
I used a slightly modified version of https://github.com/freeipa/freeipa/blob/master/install/share/replica-acis.ld... (changing the add to a replace) and loaded it onto the master. Afterwards I was able to delete the replica and add a new one.
Altough when running a “list-ruv” I stell get some error messages (but also output of actual RUVs)
-snip- ipa-replica-manage list-ruv Directory Manager password:
unable to decode: {replica 7} 58456abc000400070000 58456abc000400070000 unable to decode: {replica 9} 578864f6000100090000 578864f6000100090000 Replica Update Vectors: -snap-
So this is a different issue, but I would be glad If I somehow could remove these orphaned RUVs.
Am 23.06.17, 15:36 schrieb "Rob Crittenden" rcritten@redhat.com:
Sieferlinger, Andreas via FreeIPA-users wrote: > Hi all, > > > > after an upgrade von 4.1 to 4.4 (4.4.0-14.el7.centos.7) I have some > trouble in changing replication agreements. > > > > #ipa-replica-manage del auth4.example.com > > 'auth9.example.com' has no replication agreement for 'auth4.example.com' > > # ipa-replica-manage del auth4.example.com --force --clean > > Cleaning a master is irreversible. > > This should not normally be require, so use cautiously. > > Continue to clean master? [no]: yes > > Re-run /sbin/ipa-replica-manage with --verbose option to get more > information > > Unexpected error: Insufficient access: Insufficient 'delete' privilege > to delete the entry > 'krbprincipalname=ldap/auth4.example.com@example.com,cn=services,cn=accounts,dc=example,dc=com'. > > > > I suspect some missing ACLs that probably got lost during an update, > although I do not know which and how to read.
What credentials do you currently have? klist will show you.
If you are admin, or a member of the admins group, then the output of this will show what rights the user has:
$ ipa user-show --all --raw <your user> |grep memberof
rob