Nicholas Cross via FreeIPA-users wrote:
I think i have a handle on this now.
There are a number of issues that i am now aware of.
old replication agreement to oldbox1 on newbox6
corrupt RUVs, giving the impression of Ghost Replicas.
For #1 i normally can delete these fine with a ldap command. BUT! running this crashes the dirsrv service.
ldapdelete -D "cn=Directory Manager" -w $pwd -p 389 -h localhost -x "cn=newbox6.ad.dice.fm-to-oldbox1.ad.dice.fm,cn=replica,cn=dc\3Dad\2Cdc\3Dcompanyx\2Cdc\3Dfm,cn=mapping tree,cn=config"
Apr 21 11:35:48 newbox6.ad.dice.fm systemd[1]: Starting 389 Directory Server AD-DICE-FM.... Apr 21 11:35:11 newbox6.ad.dice.fm systemd[1]: dirsrv@AD-DICE-FM.service: Failed with result 'signal'. Apr 21 11:35:11 newbox6.ad.dice.fm systemd[1]: dirsrv@AD-DICE-FM.service: Main process exited, code=killed, status=6/ABRT Apr 21 11:35:11 newbox6.ad.dice.fm ns-slapd[2934110]: ns-slapd: ldap/servers/plugins/sync/sync_persist.c:234: sync_update_persist_op: Assertion `prim_op' failed.
For #2 , this issue of not being able to remove the replication agreement, stops the removal of the corrupt RUVs.
As you can see i have tried to kick off some RUV removals but they are failing as not all replicas are online. (but they dont exist as #1)
$ ipa-replica-manage list-clean-ruv -p $pass ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log' CLEANALLRUV tasks RID 12: Not all replicas online, retrying in 40 seconds... RID restarted-2658134: Not all replicas online, retrying in 320 seconds... RID restarted-2658136: Not all replicas online, retrying in 320 seconds...
No abort CLEANALLRUV tasks running
So, more questions really, Why is the ldapdelete crashing the service?
Can you install the debuginfo packages and get a stack trace? I'm sure the 389-ds developers would like to take a look at it. It may already have been addressed. You haven't provided any version or distro information.
How do i fix it?
If you shut down dirsrv then you can edit /etc/dirsrv/slapd-REALM/dse.ldif and manually remove the replication agreement.
But you have to shut down dirsrv first.
rob