OK, did a little googling, and seems like KRA refers to the "vault" feature?
I didn't originally install this myself, so wasn't sure if it is used for anything critical.
I ran:
# ipa vault-find
0 vaults matched
Number of entries returned 0

So, can I assume it is safe to blow away and rebuild the server that has this role?

On Wed, Jan 31, 2018 at 3:56 PM, Rob Brown <dtownrobbrown@gmail.com> wrote:
I have 4 IPA servers, all masters, that were previously configured in a "full mesh" replication.
2 in "prod", 2 in "preprod".
While trying to fix a replication issue, I accidentally did a:
ipa-replica-manage del
on one of the prod servers for BOTH preprod servers.

Now, the prod servers don't "see" either of the preprod servers, so I effectively created a "split-brain" between the 2 environments. Preprod still "knows about" the prod ipa servers, but I can't figure out how to re-establish the replication agreements.

I was about to just blow away the preprod servers and rebuild them (which I did before on one of them) but noticed one of them has the "KRA" role, and it is the only one in the domain that has it.
I don't know what that does, or what the effects would be if it went away. I'm guessing bad.

I have tried "ipa topologysegment-reinitialize domain" on the segments that preprod still has, but those segments did not show up in prod.
ipa topologysuffix-verify domain says "in order" everywhere.

At this point I am completely lost on how to proceed.

What details can I provide for any help anyone is willing to provide?