-- 
  Bret Wortman
  bret.wort...@damascusgrp.com

On Wed, Jun 23, 2021, at 6:27 AM, Bret Wortman via FreeIPA-users wrote:
> On Wed, Jun 23, 2021, at 5:27 AM, Bret Wortman via FreeIPA-users wrote:
> > Now, this morning, I've hit the wall on this yet again.
> > 
> > [root@ipa2c7 ~]# ipa-replica-manage list
> > ipa2c7.our.net: master
> > [root@ipa2c7 ~]# ipa-replica-manage list-ruv
> > Directory Manager password: 
> > 
> > unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
> > unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
> > unable to decode: {replica 21} 60cb27ed000600150000 60cb27ed000600150000
> > unable to decode: {replica 24} 60cc5b11000400180000 60cc5b11000400180000
> > unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
> > unable to decode: {replica 18} 60bf4aec000000120000 60c07065000200120000
> > unable to decode: {replica 5} 53722a35000000050000 5a11c065000000050000
> > Replica Update Vectors:
> >   ipa2c7.our.net:389: 26
> > Certificate Server Replica Update Vectors:
> >   ipa2c7.our.net:389: 91
> > [root@ipa2c7 ~]# dsctl slapd-OUR-NET db2ldif --replication userRoot /root/userroot.ldif
> > -bash: dsctl: command not found
> > [root@ipa2c7 ~]# db2ldif -n userRoot -Z OUR-NET -a /root/userroot.ldif
> > Exported ldif file: /root/userroot.ldif
> > ldiffile: /root/userroot.ldif
> > [root@ipa2c7 ~]# ls /root/userroot.ldif
> > ls: cannot access /root/userroot.ldif: No such file or directory
> > [root@ipa2c7 ~]# ipa domainlevel-set 1
> > ipa: ERROR: Domain Level cannot be raised to 1, existing replication 
> > conflicts have to be resolved.
> > [root@ipa2c7 ~]# rpm -qa | grep ipa-server
> > ipa-server-4.6.8-5.el7.centos.6.x86_64
> > ipa-server-dns-4.6.8-5.el7.centos.6.noarch
> > ipa-server-common-4.6.8-5.el7.centos.6.noarch
> > [root@ipa2c7 ~]# rpm -qa | grep 389
> > 389-ds-base-libs-1.3.10.2-12.el7_9.x86_64
> > 389-ds-base-1.3.10.2-12.el7_9.x86_64
> > [root@ipa2c7 ~]# 
> > 
> > What this seems to tell me is that I need a way to remove those 
> > replicas, but when I try them by number I don't get very far:
> > 
> > [root@ipa2c7 ~]# ipa-replica-manage clean-ruv 5
> > Directory Manager password: 
> > 
> > unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
> > unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
> > unable to decode: {replica 21} 60cb27ed000600150000 60cb27ed000600150000
> > unable to decode: {replica 24} 60cc5b11000400180000 60cc5b11000400180000
> > unable to decode: {replica 17} 60be13a5000000110000 60be13c9000700110000
> > unable to decode: {replica 18} 60bf4aec000000120000 60c07065000200120000
> > unable to decode: {replica 5} 53722a35000000050000 5a11c065000000050000
> > Replica ID 5 not found
> > 
> > I'd try interacting with the LDAP directly but I can't get an LDIF 
> > using db2ldif either with dsctl or without it (because I don't have 
> > dsctl and "yum provides */dsctl" returns no hits so I'm not sure where 
> > it comes from).
> 
> Scratch this last; it was a permissions error when trying to write the 
> output file. But I'm not sure that's going to help me remove these 
> "unable to decode" replicas.

In fact, it seems that ipa2c7 doesn't want to delete the replica because it 
thinks it still has a replication agreement with ipa2, but none of the usual 
tools let me get in there and remove it.

[root@ipa2c7 slapd-OUR-NET]# ipa-replica-manage del ipa2.our.net
Connection to 'ipa2.our.net' failed: cannot connect to 'ldaps://ipa2.our.net:636': 
Unable to delete replica 'ipa2.our.net'
[root@ipa2c7 slapd-OUR-NET]# ipa server-del ipa2.our.net
Removing ipa2.our.net from replication topology, please wait...
ipa: ERROR: ipa2.our.net: server not found
[root@ipa2c7 slapd-OUR-NET]# 
[23/Jun/2021:11:37:18.017970634 +0000] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipa2.our.net" (ipa2:389) - Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[23/Jun/2021:11:37:18.027255085 +0000] - NOTICE - NSMMReplicationPlugin - CleanAllRUV Task (rid 5): Replica not online (agmt="cn=meToipa2.our.net" (ipa2:389)) 
[23/Jun/2021:11:37:18.028593839 +0000] - NOTICE - NSMMReplicationPlugin - CleanAllRUV Task (rid 5): Not all replicas online, retrying in 160 seconds... 

Is this, then, a case where I need to go back and use ldapdelete to remove any 
entry that has a reference to ipa2.our.net?
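The `{replica N} <min-csn> <max-csn>` lines that ipa-replica-manage reports as "unable to decode" are still readable by hand: a 389-ds CSN is 20 hex characters laid out as 8 (Unix timestamp) + 4 (sequence) + 4 (replica ID) + 4 (subsequence), so the max CSN tells you when each replica ID last produced a change. The following is an added example, not part of this thread and not FreeIPA or 389-ds code, that parses that list-ruv output, decodes each CSN, flags replica IDs whose last change is older than a threshold, and builds the LDIF for a 389-ds CleanAllRUV task entry. The sample input is constructed from the lines in the post; the 30-day threshold and the suffix `dc=our,dc=net` are assumptions; the task attribute names (`replica-base-dn`, `replica-id`, `replica-force-cleaning`) follow the 389-ds cleanallruv task documentation as I know it and should be checked against the installed version's docs before use.

```python
"""Parse `ipa-replica-manage list-ruv` output and decode 389-ds CSNs.

Added example; not FreeIPA/389-ds code. Sample input is constructed from
the lines quoted in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample: three of the "unable to decode" lines from the post.
SAMPLE_RUV_OUTPUT = """\
unable to decode: {replica 13} 60b907570001000d0000 60b907570001000d0000
unable to decode: {replica 14} 60b923030002000e0000 60b923030002000e0000
unable to decode: {replica 5} 53722a35000000050000 5a11c065000000050000
Replica Update Vectors:
  ipa2c7.our.net:389: 26
"""

# ipa-replica-manage expects "{replica N ldap://host:port}"; the stale
# elements here carry no URL, so the URL group is optional.
RUV_LINE = re.compile(
    r"\{replica (?P<rid>\d+)(?: (?P<url>\S+))?\}\s+"
    r"(?P<min>[0-9a-f]{20})\s+(?P<max>[0-9a-f]{20})"
)


def decode_csn(csn):
    """Split a 20-hex-char CSN into timestamp, sequence, replica id, subseq."""
    if not re.fullmatch(r"[0-9a-f]{20}", csn):
        raise ValueError("not a 389-ds CSN: %r" % csn)
    ts = int(csn[0:8], 16)
    return {
        "ts": ts,  # Unix seconds
        "time": datetime.fromtimestamp(ts, tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "rid": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def parse_list_ruv(text):
    """Return one dict per RUV element found in list-ruv output."""
    entries = []
    for line in text.splitlines():
        m = RUV_LINE.search(line)
        if not m:
            continue
        entry = {
            "rid": int(m.group("rid")),
            "url": m.group("url"),  # None when ipa-replica-manage could not decode it
            "min": decode_csn(m.group("min")),
            "max": decode_csn(m.group("max")),
        }
        # Sanity check: the replica id embedded in the CSN must match the braces.
        entry["rid_consistent"] = (entry["max"]["rid"] == entry["rid"])
        entries.append(entry)
    return entries


def stale_rids(entries, now_epoch, max_age_days):
    """Replica IDs whose last change (max CSN) is older than max_age_days."""
    cutoff = now_epoch - max_age_days * 86400
    return [e["rid"] for e in entries if e["max"]["ts"] < cutoff]


def cleanallruv_task_ldif(rid, suffix, force=False):
    """LDIF for a 389-ds CleanAllRUV task entry (attribute names assumed
    from the 389-ds task documentation; verify against your version).
    force=True asks the task not to wait for every replica to be online."""
    lines = [
        "dn: cn=clean %d,cn=cleanallruv,cn=tasks,cn=config" % rid,
        "objectClass: extensibleObject",
        "cn: clean %d" % rid,
        "replica-base-dn: %s" % suffix,
        "replica-id: %d" % rid,
    ]
    if force:
        lines.append("replica-force-cleaning: yes")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 2021-06-23 00:00 UTC, the day of the post (assumed reference point)
    NOW = 1624406400
    found = parse_list_ruv(SAMPLE_RUV_OUTPUT)
    for e in found:
        print("rid %2d  last change %s  url=%s" %
              (e["rid"], e["max"]["time"].isoformat(), e["url"]))
    for rid in stale_rids(found, NOW, max_age_days=30):
        print(cleanallruv_task_ldif(rid, "dc=our,dc=net", force=True))
```

Run against the real output (`ipa-replica-manage list-ruv | python3 ruv.py` after swapping the sample for stdin) to see which replica IDs are years old versus a few weeks old; in the quoted lines, replica 5 last changed in 2017 while 13 and 14 changed in June 2021, which is the kind of distinction to make before feeding an ID to a CleanAllRUV task.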
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
