Hi All,

I'm trying to delete replication agreements between a 'master' ipa server and a replica, but it seems the directory server has gotten into a state where the replication agreements can't be removed (or some other stale meta-data is still hanging around).
(CentOS Linux release 7.1.1503, IPA VERSION: 4.1.0, API_VERSION: 2.112)

When I try to delete replication agreements between master and replica, I get:

---
[root@lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for 'lolsitepr-idm-slve.ipa.local'
---

However, attempts to re-add the replica with ipa-replica-install ... fail with "The host lolsitepr-idm-slve.ipa.local already exists on the master server"

Here is the process I'm following to try and delete the replication agreements:

Try to disconnect the ipa master and replica:

---
[root@lolpr-idm-mstr ~]#
[root@lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for 'lolsitepr-idm-slve.ipa.local'
[root@lolpr-idm-mstr ~]#
---

After re-generating the new .gpg for the replica and copying it to the ipa replica server, try to re-create the ipa replica:

---
[root@lolsitepr-idm-slve ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-lolsitepr-idm-slve.ipa.local.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'lolpr-idm-mstr.ipa.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@IDM.LOCAL password:

Check SSH connection to remote master
Execute check on remote master
Check connection from master to remote replica 'lolsitepr-idm-slve.ipa.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK

Connection from master to replica is OK.

Connection check OK
Using reverse zone(s) xxx.yy.zzz.in-addr.arpa.
The host lolsitepr-idm-slve.ipa.local already exists on the master server.
You should remove it before proceeding:
    % ipa host-del lolsitepr-idm-slve.ipa.local
---

Trying to run "ipa host-del lolsitepr-idm-slve.ipa.local" on the 'master' replica server:

---
[root@lolpr-idm-mstr ~]# ipa host-del lolsitepr-idm-slve.ipa.local
ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or disabled
[root@lolpr-idm-mstr ~]#
---

This makes no sense to me. Are there differences in versions of IPA between the two hosts? NO:

---
Replica:

[root@lolsitepr-idm-slve ~]# rpm -qa |grep ipa
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.3.x86_64
python-iniparse-0.4-9.el7.noarch
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
iniparser-3.1-5.el7.x86_64
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64

Master:

[root@lolpr-idm-mstr ~]# rpm -qa | grep ipa
ipa-client-4.1.0-18.el7.centos.3.x86_64
ipa-server-trust-ad-4.1.0-18.el7.centos.3.x86_64
iniparser-3.1-5.el7.x86_64
libipa_hbac-python-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
ipa-server-4.1.0-18.el7.centos.3.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-python-4.1.0-18.el7.centos.3.x86_64
ipa-admintools-4.1.0-18.el7.centos.3.x86_64
libipa_hbac-1.12.2-58.el7_1.6.x86_64
---

So I tried using ipa-replica-manage disconnect:

---
[root@lolpr-idm-mstr ~]# ipa-replica-manage disconnect lolsitepr-idm-slve.ipa.local
'lolpr-idm-mstr.ipa.local' has no replication agreement for 'lolsitepr-idm-slve.ipa.local'
[root@lolpr-idm-mstr ~]#
---

How do I force delete the replication agreements between the two hosts in this case?

Thanks in advance for any help!

Traiano