Hi,

I'm about to decommission one of my IPA replicas running on up-to-date Fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal master (freeipa1.example.org) I try to remove freeipa4.example.org:

[root@freeipa1 ~]# ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Server removal aborted: Deleting this server is not allowed as it would leave your installation without a KRA..

I think the message is wrong:

[root@freeipa1 ~]# ipa server-role-find --role="KRA server" --status=enabled
----------------------
4 server roles matched
----------------------
  Server name: freeipa1.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa2.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa3.example.org
  Role name: KRA server
  Role status: enabled

  Server name: freeipa4.example.org
  Role name: KRA server
  Role status: enabled
----------------------------
Number of entries returned 4
----------------------------

I had a look at plugins/server.py:

        if self.api.Command.ca_is_enabled()['result']:
            try:
                roles = self.api.Command.server_role_find(
                    server_server=hostname,

=====> Do we really need to search for the hostname here? We will always find out that there is only one server left... When I remove that parameter deletion would continue - but I didn't really run the rest of the deletion yet. ipa server-role-find --server=freeipa4.example.org --role="KRA server" really returns one entry.

                    role_servrole='KRA server',
                    status='enabled',
                    include_master=True,
                )['result']
            except errors.NotFound:
                roles = ()
            if len(roles) == 1 and roles[0]['server_server'] == hostname:
                handler(
                    _("Deleting this server is not allowed as it would "
                      "leave your installation without a KRA."),
                    ignore_last_of_role)

The commit that added the code was https://github.com/freeipa/freeipa/commit/10bd66dd1a14fc0bd39c489d0d0af76b0f720c96 and should fix https://pagure.io/freeipa/issue/8397

Am I missing something else?

Jochen

--
This space is intentionally left blank.
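
The check quoted in the message above, modelled as an added example that is not part of the original post and is not FreeIPA code. role_find, blocks_as_posted and blocks_topology_wide are hypothetical names, and the role table is constructed from the four servers listed in the post; it compares the hostname-filtered search with a search over all servers.

```python
# Constructed model of the role table from the post: four enabled KRA servers.
# role_find() is a hypothetical stand-in for server_role_find, not FreeIPA code.
FOUR_KRAS = [
    {"server_server": f"freeipa{n}.example.org",
     "role_servrole": "KRA server", "status": "enabled"}
    for n in range(1, 5)
]


def role_find(entries, role, status="enabled", server=None):
    """Return entries matching role/status, optionally limited to one server."""
    return [
        e for e in entries
        if e["role_servrole"] == role
        and e["status"] == status
        and (server is None or e["server_server"] == server)
    ]


def blocks_as_posted(entries, hostname):
    """Check as quoted: the search is already limited to `hostname`."""
    roles = role_find(entries, "KRA server", server=hostname)
    # At most one entry can come back, and it always names `hostname`,
    # so this is true whenever the server holds the role at all.
    return len(roles) == 1 and roles[0]["server_server"] == hostname


def blocks_topology_wide(entries, hostname):
    """Same condition, but the search covers every server in the topology."""
    roles = role_find(entries, "KRA server")
    return len(roles) == 1 and roles[0]["server_server"] == hostname


if __name__ == "__main__":
    target = "freeipa4.example.org"
    only_one = FOUR_KRAS[3:]  # constructed case: target is the single KRA
    for name, entries in (("four KRAs", FOUR_KRAS), ("one KRA", only_one)):
        print(name,
              "| as posted:", blocks_as_posted(entries, target),
              "| topology-wide:", blocks_topology_wide(entries, target))
```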