On 11/25/20 6:21 AM, Robert.Mattson--- via FreeIPA-users wrote:
Dear FreeIPA Community,
We’re having a problem joining a host to an IPA realm.
We created a host account in the realm and added that host to the IPA
replicas group.
We installed the ipa-client and ipa-server RPMs on the incoming replica
(host2). We used ipa-client-install, then used ipa-replica-install to
upgrade it to a replica; the data replication phase inside the
replica-install process failed because the time on the replica was many
hours in advance of the existing master/replica in the realm.
In other failed installs where this occurs (typically VM development
environments where snapshotting is frequent), we’ve had success forcing
removal of the failed replica using ipa host-del <hostname> --force, or
if necessary an ‘ipa-replica-manage clean-dangling-ruv’ or
‘ipa-replica-manage clean-ruv <n>’ to help remove left-over data. Should
that fail, manually removing the LDAP entry corresponding to the
incoming host is necessary; the stale entry is:
cn=meTohost2.system,cn=replica,cn=dc\3Dsystem,cn=mapping tree,cn=config
When we attempt to delete that entry in the LDAP tree, 389-ds rejects
the operation and logs the message; “RESULT err=53 tag=107 nentries=0
etime=0.0002043881 - Entry is managed by topology plugin.Deletion not
allowed”.
How can we remove data from the replica to attempt to re-join the failed
host?
Hi,
if the replica installation went far enough before failing, the command
ipa host-del is not adapted anymore and
# ipa-replica-manage del <host> --cleanup --force
must be used instead.
Note that this is the "old" way of deleting replicas, and new commands
were introduced with domain-level 1: ipa topologysegment-*.
Please see the official doc for more information:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
HTH,
flo
Both the incoming replica and existing realm master/replica are running
CentOS 7.6;
ipa-client-4.6.4-10.el7.centos.3.x86_64
ipa-client-common-4.6.4-10.el7.centos.3.noarch
ipa-common-4.6.4-10.el7.centos.3.noarch
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-server-common-4.6.4-10.el7.centos.3.noarch
Thanks in advance,
Rob