[Freeipa-users] master - replica relationship

Hola, I'm still trying to wrap my head around the master-replica concept. From what I read in the documentation (Chapter 4 of https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/... ) the replica should be able to take over as master should master go offline. Our replica was set up with CA & without DNS - the same as master, and it seems to be working on the whole. The problem I'm having is in the replication. create user on master: ipa user-add master_test_user --first=MT --last=ML create user on replica: ipa user-add replica_test_user --first=RT --last=RL find user on master: [root@vmpr-linuxidm ~]# ipa user-find test_user --------------- 2 users matched --------------- User login: master_test_user First name: MT Last name: ML Home directory: /home/master_test_user Login shell: /bin/bash Principal name: master_test_user(a)UNIX.DOMAIN.COM Principal alias: master_test_user(a)UNIX.DOMAIN.COM Email address: master_test_user(a)domain.com UID: 1718800021 GID: 1718800021 Account disabled: False User login: replica_test_user First name: RT Last name: RL Home directory: /home/replica_test_user Login shell: /bin/bash Principal name: replica_test_user(a)UNIX.DOMAIN.COM Principal alias: replica_test_user(a)UNIX.DOMAIN.COM Email address: replica_test_user(a)domain.com UID: 1718850502 GID: 1718850502 Account disabled: False ---------------------------- Number of entries returned 2 ---------------------------- find user on replica: [root@vmdr-linuxidm ~]# ipa user-find test_user -------------- 1 user matched -------------- User login: replica_test_user First name: RT Last name: RL Home directory: /home/replica_test_user Login shell: /bin/bash Principal name: replica_test_user(a)UNIX.DOMAIN.COM Principal alias: replica_test_user(a)UNIX.DOMAIN.COM Email address: replica_test_user(a)domain.com UID: 1718850502 GID: 1718850502 Account disabled: False ---------------------------- Number of entries returned 1 ---------------------------- If I run ipa user-add on the replica, I see it upstream on master, but if I run ipa add-user on the master, that's not replicated down to the replica. Also, ipa user-del (even with --no-preserve) works on master, but doesn't delete the user on the replica. What has gone wrong? Cheers L. ------ "The antidote to apocalypticism is *apocalyptic civics*. Apocalyptic civics is the insistence that we cannot ignore the truth, nor should we panic about it. It is a shared consciousness that our institutions have failed and our ecosystem is collapsing, yet we are still here — and we are creative agents who can shape our destinies. Apocalyptic civics is the conviction that the only way out is through, and the only way through is together. " *Greg Bloom* @greggish https://twitter.com/greggish/status/873177525903609857