Hi!
I run IPA on CentOS 7. I have two servers (Leader and Replica, though they changed roles a couple of times because of reinstalls), had CA and domain services on both of them, replication set up and working. I had to switch off Replica for 6 months. When I turned it on recently, I found expired certificates, couldn't fix them easily and lost the old Replica - at least I concluded it was easier to reinstate the Replica than to detangle the mess I made while I was trying to back out of outdated certs. I hit the same error as I do now though - Invalid Credentials (49).
So I did the following:
1) on Replica - ipa-server-install --uninstall.
2) on Leader - ipa-replica-manage del --force --clean Replica.
3) removed obsolete replication agreement meToReplica from Leader.
4) removed all traces of Replica from DNS.
Then I started to install Replica from scratch:
1) ipa-client-install
2) ipa-replica-install --setup-ca --setup-dns --forwarder X --forwarder Y
Installation consistently fails with:
'''
Run connection check to master
Connection check OK
Configuring directory server (dirsrv). Estimated time: 30 seconds
<...>
[29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 16 seconds elapsed
[ldap://Leader:389] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials]

[error] RuntimeError: Failed to start replication
'''
Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
'''
[<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
'''
I verified clocks on both Replica and Leader - they show the same time (within a 1-2 second window). In fact, at some point I had Replica taking time straight from Leader, before they were set up to use the other common source. I dumped traffic between Leader and Replica - indeed, Leader tried to authenticate on Replica and Replica replied "Invalid credentials".
I googled this error and read multiple email threads but nothing helped so far. Replica works fine as an IPA client but can't get promoted to a replica.
What am I missing?
Thanks!
-- Khankin Konstantin
Hi!
Bumping this thread. Anyone has any ideas?
Thanks!
Konstantin M. Khankin via FreeIPA-users wrote:
Hi!
Bumping this thread. Anyone has any ideas?
I'd uninstall the replica and ensure that all remnants are gone with:
$ ipa server-del <host>
$ ipa host-del <host>
And if you're extra paranoid, do an LDIF dump of the database and sift through that.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
TL;DR: Unfortunately this doesn't help. I see this on Replica when running 'ipa-server-install --uninstall': u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)']. Does this give any hints?
[root@leader ~]# kinit admin
Password for admin@DOMAIN:
[root@leader ~]# ipa server-del Replica
Removing Replica from replication topology, please wait...
ipa: ERROR: Replica: server not found
[root@leader ~]# ipa server-del Replica.domain
Removing Replica.domain from replication topology, please wait...
ipa: ERROR: Replica.domain: server not found
[root@leader ~]# ipa host-del Replica
ipa: ERROR: Replica: host not found
[root@leader ~]# ipa host-del Replica.domain
ipa: ERROR: Replica.domain: host not found
[root@leader ~]# ipa-replica-manage list
Leader.domain: master
[root@replica ~]# ipa-replica-manage list
Unknown host Replica.domain: Host 'Replica.domain' does not have corresponding DNS A/AAAA record
[root@replica ~]# ipa-server-install --uninstall
This is a NON REVERSIBLE operation and will delete all data and configuration! It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.
Are you sure you want to continue with the uninstall procedure? [no]: yes
[LDAPEntry(ipapython.dn.DN('cn=meToLeader.domain,cn=replica,cn=dc=domain,cn=mapping tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': ['meToLeader.domain'], u'objectClass': ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain'], u'nsDS5ReplicaHost': ['leader.domain'], u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)'], u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], u'nsds5replicaLastUpdateStart': ['19700101000000Z'], u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], u'description': ['me to leader.domain'], u'nsds5replicareapactive': ['0'], u'nsds5replicaChangesSentSinceStartup': [''], u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], u'nsds5replicaLastInitEnd': ['19700101000000Z'], u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]
Replication agreements with the following IPA masters found: leader.domain.
Removing any replication agreements before uninstalling the server is strongly recommended.
You can remove replication agreements by running the following command on any other IPA master:
$ ipa-replica-manage del replica.domain
Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR Unable to find server cert nickname in /etc/dirsrv/slapd-DOMAIN/dse.ldif
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful
And after that ipa-replica-install fails as before.
On 8/19/20 9:52 PM, Konstantin M. Khankin via FreeIPA-users wrote:
TL;DR: Unfortunately this doesn't help. I see this on Replica when running 'ipa-server-install --uninstall': u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)']. Does this give any hints?
Hi, can you try the following command on leader:
ipa server-del Replica.domain --force
Then as Rob suggested you can look in the LDAP server if there are any remaining entries referring to Replica:
ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap > /tmp/db.ldif
ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap -b cn=config > /tmp/config.ldif
Look for "Replica.domain" in the ldif files, and if needed use ldapmodify or your preferred ldap client tool to remove the entries/attributes.
flo
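The remnant search Rob and Flo describe, as an added example that is not from the thread: a small Python script that parses a saved LDIF dump (the /tmp/db.ldif and /tmp/config.ldif files above), lists every entry or attribute value that still mentions the removed replica's FQDN, and renders an ldapmodify change file from the hits. The sample LDIF inside it is constructed from the thread's naming (replica.domain, leader.domain, dc=domain), not real server output, and the generated changes are a worklist to review, not something to feed to ldapmodify blindly.

```python
"""Find leftover references to a removed FreeIPA replica in an LDIF dump.

Parses a dump like the thread's ldapsearch -LLL output, reports every entry
whose DN or attribute values still mention the old replica's FQDN, and renders
an ldapmodify LDIF that would remove them. The LDIF below is a constructed sample.
"""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: list  # (attribute name, value) pairs in file order


def parse_ldif(text):
    """Parse LDIF records separated by blank lines.

    Continuation lines (leading space) are unfolded; comment and version
    lines are skipped. Base64 values ("attr:: ...") are kept undecoded.
    """
    entries = []
    unfolded = re.sub(r"\n ", "", text)
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, []
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.append((name, value.strip()))
        if dn is not None:
            entries.append(Entry(dn, attrs))
    return entries


def find_references(entries, host):
    """Case-insensitive substring search for `host`, as the thread suggests.

    Returns (dn_hits, attr_hits): DNs of entries named after the host (the
    whole entry is a remnant, e.g. a stale replication agreement), and
    (dn, attr, value) triples where only one attribute value mentions it.
    """
    needle = host.lower()
    dn_hits, attr_hits = [], []
    for entry in entries:
        if needle in entry.dn.lower():
            dn_hits.append(entry.dn)
            continue
        for name, value in entry.attrs:
            if needle in value.lower():
                attr_hits.append((entry.dn, name, value))
    return dn_hits, attr_hits


def emit_ldapmodify(dn_hits, attr_hits):
    """Render the hits as an LDIF change file for ldapmodify."""
    changes = [f"dn: {dn}\nchangetype: delete\n" for dn in dn_hits]
    changes += [
        f"dn: {dn}\nchangetype: modify\ndelete: {name}\n{name}: {value}\n-\n"
        for dn, name, value in attr_hits
    ]
    return "\n".join(changes)


# Constructed sample: a stale agreement for the removed host, the replica
# config entry, and a replication managers group still listing its principal.
SAMPLE_LDIF = """\
version: 1

dn: cn=meToReplica.domain,cn=replica,cn=dc=domain,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToReplica.domain
nsDS5ReplicaHost: replica.domain
nsDS5ReplicaRoot: dc=domain

dn: cn=replica,cn=dc=domain,cn=mapping tree,cn=config
objectClass: nsDS5Replica
nsDS5ReplicaId: 4

dn: cn=replication managers,cn=sysaccounts,cn=etc,dc=domain
objectClass: groupOfNames
member: krbprincipalname=ldap/leader.domain@DOMAIN,cn=services,cn=accounts,dc=domain
member: krbprincipalname=ldap/replica.domain@DOMAIN,cn=services,cn=accounts,
 dc=domain
"""

if __name__ == "__main__":
    dns, attrs = find_references(parse_ldif(SAMPLE_LDIF), "Replica.domain")
    print(emit_ldapmodify(dns, attrs))
```

On a real server, replace SAMPLE_LDIF with the contents of the two dump files and run the search for each; entries found under cn=config are the replication agreements and RUV-related config that the uninstall left behind.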
Thank you, that worked. I'm now having issues passing the pki-tomcatd installation but that's another issue.