What I have done now is add a new server, ipa02, and configure replication again, and things are fine.

However on IPA1 the 389 ds error logs have reference to the dead ipa2 replica.

[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - agmt="cn= meToipa2.example.net" (ipa2:389): Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact LDAP server) ()
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Failed to connect to replica(agmt="cn=meToipa2.example.net" (ipa2:389)).
[07/Apr/2016:04:13:11 +0000] NSMMReplicationPlugin - Abort CleanAllRUV Task (rid 6): Retrying in 14400 seconds

It will never be able to connect to ipa2 as it's gone permanently.

Also the ipa-replica-manage list `hostname` command still shows the ipa2 as replica.

How to remove this permanently ???

Thanks.
--Prashant

On 6 April 2016 at 22:17, Prashant Bapat <prash...@apigee.com> wrote:

> # ipa-replica-manage list `hostname`
> ipa2.example.net: replica
> ipa3.example.net: replica
> ipa4.example.net: replica
>
> ipa2.example.net should not be there. How do I remove it?
>
> On 6 April 2016 at 18:55, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Prashant Bapat wrote:
>>
>>> Hi,
>>>
>>> We had 4 IPA servers in master master mode with all of them connected to
>>> each other.
>>>
>>> IPA1 <----> IPA2 (colo 1)
>>> IPA3 <----> IPA4 (colo 2)
>>>
>>> One of the replica servers (IPA2) had to be rebuilt.
>>>
>>> So I went ahead and used below commands.
>>>
>>> ipa-replica-manage disconnect IPA2 IPA3
>>> ipa-replica-manage disconnection IPA2 IPA4
>>> ipa-replica-manage del IPA2 (to remove it on IPA1).
>>>
>>> And then ran ipa-server-install --uninstall on IPA2.
>>>
>>> Created the replica info file using ipa-replica-prepare IPA2.
>>>
>>> When I tried to run ipa-replica-install on IPA2, it says
>>>
>>> A replication agreement for this host already exists. It needs to be
>>> removed.
>>> Run this on the master that generated the info file:
>>> % ipa-replica-manage del ipa2.example.net --force
>>>
>>> Now on IPA1, no matter what I do it still has references to IPA2.
>>>
>>> So far I have tried the following.
>>>
>>> 1. ipa-replica-manage del --force IPA2
>>> 2. ipa-replica-manage del --force --cleanruv IPA2
>>> 3. /usr/sbin/cleanallruv.pl -D "cn=directory manager" -w -
>>>    -b "dc=example,dc=net" -r 6
>>>
>>> Got the rid = 6 by running
>>> ldapsearch -Y GSSAPI -b "dc=example,dc=net"
>>> '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
>>> nsds50ruv
>>>
>>> In the directory server logs, I guess it's still trying to connect to
>>> IPA2 and failing. Below are some lines.
>>>
>>> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin -
>>> agmt="cn=meToipa2.example.net" (ipa2:389):
>>> Replication bind with GSSAPI auth failed: LDAP error -1 (Can't contact
>>> LDAP server) ()
>>> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task
>>> (rid 6): Replica not online (agmt="cn=meToipa2.example.net"
>>> (ipa2:389))
>>> [06/Apr/2016:10:18:09 +0000] NSMMReplicationPlugin - CleanAllRUV Task
>>> (rid 6): Not all replicas online, retrying in 2560 seconds...
>>>
>>> Any pointers would be helpful.
>>>
>>
>> On ipa1 run:
>>
>> % ipa-replica-manage list -v `hostname`
>>
>> This will give the list of actual agreements and their status.
>>
>> rob
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
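
Added example, not part of the original thread or of FreeIPA: the thread finds "rid = 6" by reading nsds50ruv from the RUV tombstone entry, and this sketch maps each replica ID in that output to its host and reports the IDs whose host is no longer a live server. It assumes the usual 389 DS value layout `{replica <rid> ldap://<host>:<port>} <min CSN> <max CSN>`; the function names, the rid values other than 6, and all CSNs in the sample are constructed.

```python
import re

# Constructed sample (CSNs are made up): nsds50ruv values as an ldapsearch
# for the RUV tombstone entry prints them. ldapsearch folds long lines, and a
# folded continuation line starts with a single space.
SAMPLE_LDIF = """\
dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=example,dc=net
nsds50ruv: {replicageneration} 55c8a1b2000000040000
nsds50ruv: {replica 4 ldap://ipa1.example.net:389} 55c8a1c0000000040000 5705
 e2f1000000040000
nsds50ruv: {replica 6 ldap://ipa2.example.net:389} 55c8a3aa000000060000 56f1
 0b7c000000060000
nsds50ruv: {replica 9 ldap://IPA3.example.net:389}
nsds50ruv: {replica 10 ldap://ipa4.example.net:389} 55c8a4010000000a0000 5705
 e3000000000a0000
"""

# One RUV element: replica ID plus the LDAP URL of the server that owns it.
# The {replicageneration} value and elements without CSNs are handled too:
# the first never matches, the second matches without needing trailing CSNs.
RUV_ELEMENT = re.compile(
    r"^nsds50ruv: \{replica (\d+) ldap://([^:/}\s]+)(?::\d+)?\}",
    re.MULTILINE | re.IGNORECASE,
)

def unfold(ldif):
    """Undo LDIF line folding (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def parse_ruv(ldif):
    """Return {replica_id: hostname} for every element in the RUV."""
    return {int(rid): host.lower()
            for rid, host in RUV_ELEMENT.findall(unfold(ldif))}

def stale_rids(ldif, live_hosts):
    """Replica IDs whose host is not in live_hosts (the servers still in use)."""
    live = {h.lower() for h in live_hosts}
    return {rid: host for rid, host in parse_ruv(ldif).items()
            if host not in live}

if __name__ == "__main__":
    live = ["ipa1.example.net", "ipa3.example.net", "ipa4.example.net"]
    for rid, host in sorted(stale_rids(SAMPLE_LDIF, live).items()):
        print(f"rid {rid} still in RUV for removed host {host}")
```

Matching is by hostname, so a server rebuilt under its old name would appear with both its old and new replica ID and needs checking by hand.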