I inherited a FreeIPA cluster, hand cranked and all of that. For some reason, the wrong schema was replicated from a bad server that I was trying to add to the cluster using ipa-replica-install to a working one. 10% of IPA servers are left and I am afraid I may lose them. Before this disaster, a coworker was upgrading FreeIPA servers using --skip-version-check. Some servers have 4.9.13-12.module+el8, others have 4.9.13-18.module+el8. The following is a snippet of multiple error lines:
ERR - NSACLPlugin - __aclp__init_targetattr - targetattr “ipauserdefaultsubordinateid” does not exist in schema. Please add attributeTypes “ipauserdefaultsubordinateid” to schema if necessary.
ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr = "cn
ERR - NSACLPlugin - __aclinit_handler - This ((targetattr = “cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipadomainresolutionorder || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxhostnamelength || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserdefaultsubordinateid || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass”)(targetfilter = “(objectclass=ipaguiconfig)”)(version 3.0;acl “permission:System: Read Global Configuration”;allow (compare,read,search) userdn = “ldap:///all”;)) ACL will not be considered for evaluation because of syntax errors.
ERR - NSACLPlugin - __aclp__init_targetattr - targetattr “ipaautoprivategroups” does not exist in schema. Please add attributeTypes “ipaautoprivategroups” to schema if necessary.
ERR - NSACLPlugin - acllist_insert_aci_needsLock_ext - ACL PARSE ERR(rv=-5): (targetattr = "cn
ERR - NSACLPlugin - __aclinit_handler - This ((targetattr = “cn || createtimestamp || entryusn || ipaautoprivategroups || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass”)(targetfilter = “(objectclass=ipaidrange)”)(version 3.0;acl “permission:System: Read ID Ranges”;allow (compare,read,search) userdn = “ldap:///all”;)) ACL will not be considered for evaluation because of syntax errors.
WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
INFO - slapi_vattrspi_regattr - Because krbPwdPolicyReference is a new registered virtual attribute , nsslapd-ignore-virtual-attrs was set to ‘off’
ERR - cos-plugin - cos_dn_defs_cb - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=example,dc=com–no CoS Templates found, which should be added before the CoS Definition.
I am not sure where to begin, I am kind of lost. Help is appreciated.
freeipa-users@lists.fedorahosted.org
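
A triage helper for an errors log like the one quoted above, added here as an example and not part of the original post: it lists the attribute types the ACL plugin reports as missing from the schema and, for each ACI that was skipped, which of those attributes it references. The sample lines are constructed from the post's excerpt with the attribute lists shortened; the function and variable names are this example's own.

```python
import re

# Constructed sample, shaped like the lines quoted in the post (attribute lists
# shortened, no timestamps). Both straight and mail-client "smart" quotes occur.
SAMPLE_LOG = '''\
ERR - NSACLPlugin - __aclp__init_targetattr - targetattr "ipauserdefaultsubordinateid" does not exist in schema. Please add attributeTypes "ipauserdefaultsubordinateid" to schema if necessary.
ERR - NSACLPlugin - __aclinit_handler - This ((targetattr = "cn || ipauserdefaultsubordinateid || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)) ACL will not be considered for evaluation because of syntax errors.
ERR - NSACLPlugin - __aclp__init_targetattr - targetattr “ipaautoprivategroups” does not exist in schema. Please add attributeTypes “ipaautoprivategroups” to schema if necessary.
ERR - NSACLPlugin - __aclinit_handler - This ((targetattr = “cn || ipaautoprivategroups || ipabaseid”)(targetfilter = “(objectclass=ipaidrange)”)(version 3.0;acl “permission:System: Read ID Ranges”;allow (compare,read,search) userdn = “ldap:///all”;)) ACL will not be considered for evaluation because of syntax errors.
WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
'''

Q = '["\u201c\u201d]'    # any opening/closing double quote
NQ = '[^"\u201c\u201d]'  # any character that is not a double quote
MISSING_RE = re.compile(rf'targetattr\s+{Q}({NQ}+){Q}\s+does not exist in schema')
ACI_RE = re.compile(
    rf'This \(\(targetattr = {Q}({NQ}*){Q}.*?acl {Q}({NQ}+){Q}'
    r'.*?will not be considered for evaluation')


def triage(log_text):
    """Return (missing, skipped): attribute types reported missing from the
    schema, and a map of skipped ACI name -> missing attributes it targets."""
    missing = []
    for m in MISSING_RE.finditer(log_text):
        attr = m.group(1).lower()
        if attr not in missing:          # keep first-seen order, no duplicates
            missing.append(attr)
    skipped = {}
    for m in ACI_RE.finditer(log_text):
        attrs = [a.strip().lower() for a in m.group(1).split('||')]
        skipped[m.group(2)] = [a for a in attrs if a in missing]
    return missing, skipped


if __name__ == '__main__':
    missing, skipped = triage(SAMPLE_LOG)
    print('attributeTypes missing from schema:', ', '.join(missing))
    for aci, attrs in skipped.items():
        print(f'skipped ACI: {aci} (references: {", ".join(attrs)})')
```

Running the same function on the errors log of each remaining server gives a per-server list to compare, which shows which replicas still hold the attribute types and which ACIs each one is currently not evaluating.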