Dear FreeIPA Community,
We're having a problem joining a host to an IPA realm.
We created a host account in the realm and added that host to the IPA replicas group.
We installed the ipa-client and ipa-server RPMS on the incoming replica (host2). Using ipa-client-install then used ipa-replica-install to upgrade it to a replica, the data replication phase inside the replica-install process failed because the time on the replica was many hours in advance of the existing master/replica in the realm.
In other failed installs where this occurs (typically VM development environments where snapshotting is frequent), we've had success forcing removal of the failed replica using ipa host-del <hostname> --force, or if necessary an 'ipa-replica-manage clean-dangling-ruv' or 'ipa-replica-manage clean-ruv <n>' to help remove left-over data. Should that fail, manually removing the LDAP entry corresponding to the incoming host is necessary; the stale entry is:
cn=meTohost2.system,cn=replica,cn=dc\3Dsystem,cn=mapping tree,cn=config
When we attempt to delete that entry in the LDAP tree, 389-ds rejects the operation and logs the message: "RESULT err=53 tag=107 nentries=0 etime=0.0002043881 - Entry is managed by topology plugin.Deletion not allowed".
How can we remove data from the replica to attempt to re-join the failed host?
Both the incoming replica and existing realm master/replica are running CentOS 7.6:
ipa-client-4.6.4-10.el7.centos.3.x86_64
ipa-client-common-4.6.4-10.el7.centos.3.noarch
ipa-common-4.6.4-10.el7.centos.3.noarch
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-server-common-4.6.4-10.el7.centos.3.noarch
Thanks in advance, Rob
CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient and may contain material that is proprietary, confidential, privileged or otherwise legally protected or restricted under applicable government laws. Any review, disclosure, distributing or other use without expressed permission of the sender is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies without reading, printing, or saving.
On 11/25/20 6:21 AM, Robert.Mattson--- via FreeIPA-users wrote:
Hi,
if the replica installation went far enough before failing, the command ipa host-del is not adapted anymore and # ipa-replica-manage del <host> --cleanup --force must be used instead.
Note that this is the "old" way of deleting replicas, and new commands were introduced with domain-level 1: ipa topologysegment-*. Please see the official doc for more information: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
HTH, flo
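To make the failure mode in this thread concrete, here is an added Python example (not code from the thread or from FreeIPA) that decodes the replication agreement DN and classifies the 389-ds RESULT line, so an operator can tell a topology-plugin refusal apart from other delete errors and see which peer host to hand to the replication tooling. The sample DN and log line are constructed from the values quoted above.

```python
import re

# Constructed samples, modelled on the agreement DN and 389-ds log line quoted in the thread.
AGREEMENT_DN = r"cn=meTohost2.system,cn=replica,cn=dc\3Dsystem,cn=mapping tree,cn=config"
ACCESS_LOG_LINE = ("RESULT err=53 tag=107 nentries=0 etime=0.0002043881 "
                   "- Entry is managed by topology plugin.Deletion not allowed")

_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
_RESULT = re.compile(r"RESULT err=(\d+) tag=(\d+) nentries=(\d+) etime=(\S+) - ?(.*)")


def unescape_rdn_value(value):
    """Decode RFC 4514 hex escapes, e.g. 'dc\\3Dsystem' -> 'dc=system'."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_agreement_dn(dn):
    """Return (peer_host, suffix) for a FreeIPA-created agreement DN of the form
    cn=meTo<peer>,cn=replica,cn=<escaped suffix>,cn=mapping tree,cn=config."""
    rdns = re.split(r"(?<!\\),", dn)  # split on commas that are not backslash-escaped
    if rdns[1:2] != ["cn=replica"] or rdns[3:] != ["cn=mapping tree", "cn=config"]:
        raise ValueError("not a replication agreement DN: " + dn)
    agreement = unescape_rdn_value(rdns[0][len("cn="):])
    if not agreement.startswith("meTo"):
        raise ValueError("unexpected agreement name: " + agreement)
    return agreement[len("meTo"):], unescape_rdn_value(rdns[2][len("cn="):])


def classify_delete_result(line):
    """Classify a 389-ds access-log RESULT line written for an LDAP delete.
    err=53 is unwillingToPerform and tag=107 is a DelResponse; together with the
    topology plugin message they mean the entry is owned by the plugin."""
    m = _RESULT.search(line)
    if not m:
        return None
    err, tag, msg = int(m.group(1)), int(m.group(2)), m.group(5)
    if err == 53 and tag == 107 and "topology plugin" in msg:
        return "topology-managed"
    return "ok" if err == 0 else "other-error"


def diagnose(dn, line):
    """Map a refused delete back to the peer host that must be removed with IPA tooling."""
    host, suffix = parse_agreement_dn(dn)
    verdict = classify_delete_result(line)
    result = {"peer": host, "suffix": suffix, "verdict": verdict, "command": None}
    if verdict == "topology-managed":
        # A raw LDAP delete will keep failing; use the command given in the reply above.
        result["command"] = "ipa-replica-manage del %s --cleanup --force" % host
    return result
```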