I'm trying to update our IPA servers to newer OSes and IPA versions. What I've done so far:
1. run "ipa-replica-prepare" on the original main server, ipa1.
2. Copied the resulting file to ipa1c7.
3. Tried to import that file via "ipa-replica-install replica-info-ipa2c7.our.net.gpg --skip-conncheck --setup-dns --auto-forwarders". This typically fails:
===========
[root@ipa2c7 ~]# ipa-replica-install replica-info-ipa2c7.our.net.gpg --skip-conncheck --setup-dns --auto-forwarders
Directory Manager (existing master) password:
ipaserver.install.server.replicainstall: ERROR Could not resolve hostname ipa1.our.net using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]: yes
Checking DNS forwarders, please wait ...
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/42]: creating directory server instance
  [2/42]: enabling ldapi
  [3/42]: configure autobind for root
  [4/42]: stopping directory server
  [5/42]: updating configuration in dse.ldif
  [6/42]: starting directory server
  [7/42]: adding default schema
  [8/42]: enabling memberof plugin
  [9/42]: enabling winsync plugin
  [10/42]: configure password logging
  [11/42]: configuring replication version plugin
  [12/42]: enabling IPA enrollment plugin
  [13/42]: configuring uniqueness plugin
  [14/42]: configuring uuid plugin
  [15/42]: configuring modrdn plugin
  [16/42]: configuring DNS plugin
  [17/42]: enabling entryUSN plugin
  [18/42]: configuring lockout plugin
  [19/42]: configuring topology plugin
  [20/42]: creating indices
  [21/42]: enabling referential integrity plugin
  [22/42]: configuring certmap.conf
  [23/42]: configure new location for managed entries
  [24/42]: configure dirsrv ccache
  [25/42]: enabling SASL mapping fallback
  [26/42]: restarting directory server
  [27/42]: creating DS keytab
  [28/42]: ignore time skew for initial replication
  [29/42]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
  [30/42]: prevent time skew after initial replication
  [31/42]: adding sasl mappings to the directory
  [32/42]: updating schema
  [33/42]: setting Auto Member configuration
  [34/42]: enabling S4U2Proxy delegation
  [35/42]: initializing group membership
  [36/42]: adding master entry
ipaserver.install.service: CRITICAL Failed to load master-entry.ldif: Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
[error] CalledProcessError: Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipapython.admintool: ERROR Command '/usr/bin/ldapmodify -v -f /tmp/tmp2nlWU3 -H ldapi://%2fvar%2frun%2fslapd-OUR-NET.socket -Y EXTERNAL' returned non-zero exit status 68
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@ipa2c7 ~]# host ipa1.our.net
ipa1.our.net has address 192.168.2.61
===========
So I'm not sure why the DNS query is failing but it appears to be intermittent at best.
Also, after near-misses when the ldap error occurs, I often get informed that we have an existing replication agreement that needs to be removed. When I follow the indicated steps:
===========
[root@ipa1 ~]# ipa-replica-manage del ipa2c7.our.net --force
Directory Manager password:
Connection to 'ipa2c7.our.net' failed: Forcing removal of ipa2c7.our.net
Skipping calculation to determine if one or more masters would be orphaned.
Deleting replication agreements between ipa2c7.our.net and ipa1.our.net, ipa2.our.net, ipa3.our.net
Failed to get list of agreements from 'ipa2c7.our.net': Forcing removal on 'ipa1.our.net'
Any DNA range on 'ipa2c7.our.net' will be lost
Deleted replication agreement from 'ipa1.our.net' to 'ipa2c7.our.net'
'ipa2.our.net' has no replication agreement for 'ipa2c7.our.net'
Unable to remove replication agreement for ipa2c7.our.net from ipa2.our.net.
Failed to determine agreement type for 'ipa3.our.net': Unable to remove replication agreement for ipa2c7.our.net from ipa3.our.net.
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C
^C
Wait for task interrupted. It will continue to run in the background
Failed to cleanup ipa2c7.our.net entries: Not allowed on non-leaf entry
You may need to manually remove them from the tree
Failed to cleanup ipa2c7.our.net DNS entries: no matching entry found
You may need to manually remove them from the tree
[root@ipa1 ~]#
===========
Is there something obvious that I've missed?
Bret Wortman via FreeIPA-users wrote:
The installation error 68 means Already Exists. I'd suggest digging through your existing server to find all references to this new host, both in dc=example,dc=test and cn=config.
rob
So I started removing ipa2c7 this morning but am not getting very far...
[root@ipa1 httpd]# ipa-replica-manage del ipa2c7.our.net --force
Connection to 'ipa2c7.our.net' failed: Forcing removal of ipa2c7.our.net
Skipping calculation to determine if one or more masters would be orphaned.
Deleting replication agreements between ipa2c7.our.net and ipa1.our.net, ipa2.our.net, ipa3.our.net
Failed to get list of agreements from 'ipa2c7.our.net': Forcing removal on 'ipa1.our.net'
Any DNA range on 'ipa2c7.our.net' will be lost
Deleted replication agreement from 'ipa1.our.net' to 'ipa2c7.our.net'
Failed to determine agreement type for 'ipa2.our.net': Unable to remove replication agreement for ipa2c7.our.net from ipa2.our.net.
Failed to determine agreement type for 'ipa3.our.net': Unable to remove replication agreement for ipa2c7.our.net from ipa3.our.net.
Background task created to clean replication data. This may take a while.
This may be safely interrupted with Ctrl+C : ^C
Wait for task interrupted. It will continue to run in the background
Failed to cleanup ipa2c7.our.net entries: Not allowed on non-leaf entry
You may need to manually remove them from the tree
Failed to cleanup ipa2c7.our.net DNS entries: no matching entry found
You may need to manually remove them from the tree
[root@ipa1 httpd]# ipa-replica-manage list
ipa2.our.net: master
ipa3.our.net: master
ipa1.our.net: master
ipa2c7.our.net: master
Any suggestions for other ways to remove the replica so I can remove the host and its DNS entries and then see what crud is left behind in LDAP?
Bret Wortman wrote:
I'd probably start by exporting to ldif and using simple grep on the data and in /etc/dirsrv/slapd-DOMAIN/dse.ldif to find occurrences.
Then use something like Apache Studio or ldapmodify/ldapdelete to do the removal.
rob
I tried using ipa-backup but it keeps aborting claiming there's not enough space on the target device but nothing even comes close to 100% usage. Is there another way to export to LDIF?
Bret Wortman wrote:
You can call db2ldif directly with:
# systemctl stop dirsrv.target
# dsctl slapd-EXAMPLE-TEST db2ldif --replication userRoot /path/to/file.ldif
# systemctl start dirsrv.target
rob
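The cleanup Rob describes in this thread comes down to three steps: export the directory to LDIF (db2ldif), search it for every reference to the half-installed replica, and delete what turns up with ldapmodify/ldapdelete. A plain grep over the export has two blind spots: attribute values written in base64 (the "::" form) and values folded across continuation lines, and it reports lines rather than the DNs that actually have to be removed. The "Not allowed on non-leaf entry" message earlier in the thread is the other trap: a parent entry cannot be deleted while it still has children. The script below is an added example, not code from the thread or from the FreeIPA project. It parses an LDIF export (unfolding and base64-decoding as it goes), lists every DN that refers to the replica, in the DN itself, in any attribute value, or as a short DNS label under cn=dns, and orders the list children-first so the DNs can be fed to ldapdelete in that order. The sample LDIF, the hostname ipa2c7.example.test and all DNs in it are constructed for the example; on a real system pass the path of the db2ldif export and the replica's FQDN as arguments.

```python
import base64
import re
import sys

# Constructed sample export: the kind of leftovers a half-installed replica
# (ipa2c7.example.test, a made-up host) leaves in cn=config and under the
# domain suffix. Not real data from the thread.
_HOST_B64 = base64.b64encode(b"ipa2c7.example.test").decode()
SAMPLE_LDIF = r"""dn: cn=config
cn: config
objectClass: top

dn: cn=meToipa2c7.example.test,cn=replica,cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToipa2c7.example.test
nsDS5ReplicaHost: ipa2c7.example.test
nsDS5ReplicaPort: 389

dn: fqdn=ipa2c7.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipahost
fqdn: ipa2c7.example.test
description:: {b64}

dn: cn=ipa2c7.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ipaConfigObject
cn: ipa2c7.example.test

dn: cn=CA,cn=ipa2c7.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: ipaConfigObject
cn: CA

dn: krbprincipalname=ldap/ipa2c7.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: ipaservice
krbprincipalname: ldap/ipa2c7.exam
 ple.test@EXAMPLE.TEST

dn: idnsname=ipa2c7,idnsname=example.test.,cn=dns,dc=example,dc=test
objectClass: idnsrecord
aRecord: 192.0.2.7

dn: fqdn=ipa1.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipahost
fqdn: ipa1.example.test
""".format(b64=_HOST_B64)


def parse_ldif(text):
    """Return a list of (dn, [(attr, value), ...]) entries. Continuation
    lines (leading space) are unfolded and base64 ('::') values decoded;
    a plain grep over the file misses both."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                 # blank line closes an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):          # URL reference, keep the text
            value = value[1:].strip()
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = (value, [])
        elif current is not None:
            current[1].append((attr, value))
    if current:
        entries.append(current)
    return entries


def dn_depth(dn):
    """Number of RDN components; an escaped comma ('\\,') does not split."""
    return len(re.split(r"(?<!\\),", dn))


def find_references(ldif_text, fqdn):
    """List (dn, [where it matched]) for every entry that mentions the host,
    deepest DN first so entries can be deleted children-before-parents
    (ldapdelete refuses a non-leaf entry)."""
    needle = fqdn.lower()
    label = needle.split(".")[0]             # DNS records use the short label
    hits = []
    for dn, attrs in parse_ldif(ldif_text):
        where = []
        if needle in dn.lower():
            where.append("dn")
        elif f"idnsname={label}," in dn.lower() and ",cn=dns," in dn.lower():
            where.append("dn (dns label)")
        where += [attr for attr, value in attrs if needle in value.lower()]
        if where:
            hits.append((dn, where))
    hits.sort(key=lambda hit: dn_depth(hit[0]), reverse=True)
    return hits


if __name__ == "__main__":
    # usage: python find_replica_leftovers.py [export.ldif] [replica.fqdn]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    host = sys.argv[2] if len(sys.argv) > 2 else "ipa2c7.example.test"
    for dn, where in find_references(text, host):
        print(f"{dn}\n    matched in: {', '.join(where)}")
```

Run it against both the userRoot export and a copy of dse.ldif, since the replication agreement lives in cn=config rather than in the domain suffix. On the sample data the service entry is found even though its principal is folded mid-hostname, the host entry is found through its base64 description, the cn=CA child of the masters entry comes out before its parent, and the A record is found by its short label, which a search for the FQDN alone would not catch.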
freeipa-users@lists.fedorahosted.org