Hi,

I'm about to decommission one of my IPA replicas running on up-to-date
Fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal
master (freeipa1.example.org) I try to remove freeipa4.example.org:

[root@freeipa1 ~]# ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Server removal aborted: Deleting this server is not allowed as it 
would leave your installation without a KRA..

I think the message is wrong:

[root@freeipa1 ~]# ipa server-role-find --role="KRA server" --status=enabled
----------------------
4 server roles matched
----------------------
  Server name: freeipa1.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa2.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa3.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa4.example.org
  Role name: KRA server
  Role status: enabled
----------------------------
Number of entries returned 4
----------------------------

I had a look at plugins/server.py:

        if self.api.Command.ca_is_enabled()['result']:
            try:
                roles = self.api.Command.server_role_find(
                    server_server=hostname,

=====> Do we really need to search for the hostname here?  We will
always find out that there is only one server left...  When I remove
that parameter deletion would continue - but I didn't really run the
rest of the deletion yet.

ipa server-role-find --server=freeipa4.example.org --role="KRA server"
really returns one entry.

                    role_servrole='KRA server',
                    status='enabled',
                    include_master=True,
                )['result']
            except errors.NotFound:
                roles = ()
            if len(roles) == 1 and roles[0]['server_server'] == hostname:
                handler(
                    _("Deleting this server is not allowed as it would "
                      "leave your installation without a KRA."),
                    ignore_last_of_role)

The commit that added the code was
https://github.com/freeipa/freeipa/commit/10bd66dd1a14fc0bd39c489d0d0af76b0f720c96
and should fix https://pagure.io/freeipa/issue/8397

Do I miss something else?

Jochen

-- 
This space is intentionally left blank.
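
An added illustration, not part of the original message and not FreeIPA's own code: it runs the quoted last-KRA check, with and without the hostname filter, over constructed data mirroring the four KRA servers listed above. The function server_role_find here is a hypothetical in-memory stand-in for the real API command, and the unfiltered variant is the one the post describes trying.

```python
# Constructed sample data: the four enabled KRA servers from the post.
KRA_ROLES = [
    {"server_server": f"freeipa{i}.example.org",
     "role_servrole": "KRA server", "status": "enabled"}
    for i in range(1, 5)
]


def server_role_find(roles, server_server=None, role_servrole=None, status=None):
    """Hypothetical stand-in for server_role_find: filter on the given fields."""
    return [
        r for r in roles
        if (server_server is None or r["server_server"] == server_server)
        and (role_servrole is None or r["role_servrole"] == role_servrole)
        and (status is None or r["status"] == status)
    ]


def is_last_kra_filtered(roles, hostname):
    """Check as quoted from plugins/server.py: search restricted to hostname."""
    found = server_role_find(roles, server_server=hostname,
                             role_servrole="KRA server", status="enabled")
    # The filter already limits results to hostname, so this is true for
    # every KRA server, no matter how many other KRAs exist.
    return len(found) == 1 and found[0]["server_server"] == hostname


def is_last_kra_unfiltered(roles, hostname):
    """Same check without the hostname filter (the variant the post tried)."""
    found = server_role_find(roles, role_servrole="KRA server", status="enabled")
    # Only true when hostname is the single remaining enabled KRA.
    return len(found) == 1 and found[0]["server_server"] == hostname


if __name__ == "__main__":
    host = "freeipa4.example.org"
    print("filtered check blocks deletion:  ",
          is_last_kra_filtered(KRA_ROLES, host))
    print("unfiltered check blocks deletion:",
          is_last_kra_unfiltered(KRA_ROLES, host))
    # Constructed single-KRA deployment: the guard must still fire here.
    only = [r for r in KRA_ROLES if r["server_server"] == host]
    print("single-KRA deployment blocked:   ",
          is_last_kra_unfiltered(only, host))
```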