Dear FreeIPA Community,
We’re having a problem joining a host to an IPA realm.
We created a host account in the realm and added that host to the IPA replicas group.
We installed the ipa-client and ipa-server RPMs on the incoming replica (host2). After running ipa-client-install, we used ipa-replica-install to upgrade it to a replica; the data replication phase inside the replica-install
process failed because the time on the replica was many hours in advance of the existing master/replica in the realm.
In other failed installs where this occurs (typically VM development environments where snapshotting is frequent), we’ve had success forcing removal of the failed replica using ipa host-del <hostname> --force, or, if necessary,
an ‘ipa-replica-manage clean-dangling-ruv’ or ‘ipa-replica-manage clean-ruv <n>’ to help remove left-over data. Should that fail, manually removing the LDAP entry corresponding to the incoming host is necessary; the stale entry is:
cn=meTohost2.system,cn=replica,cn=dc\3Dsystem,cn=mapping tree,cn=config
When we attempt to delete that entry in the LDAP tree, 389-ds rejects the operation and logs the message: “RESULT err=53 tag=107 nentries=0 etime=0.0002043881 - Entry is managed by topology plugin.Deletion not allowed”.
How can we remove data from the replica to attempt to re-join the failed host?
Both the incoming replica and existing realm master/replica are running CentOS 7.6:
ipa-client-4.6.4-10.el7.centos.3.x86_64
ipa-client-common-4.6.4-10.el7.centos.3.noarch
ipa-common-4.6.4-10.el7.centos.3.noarch
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-server-common-4.6.4-10.el7.centos.3.noarch
Thanks in advance,
Rob
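A pre-flight check for the two problems described in this thread (clock skew against the existing master before ipa-replica-install, and leftover "meTo<host>" replication agreements under cn=mapping tree,cn=config after a failed join). This is an added example, not code from the post or from FreeIPA; it assumes passwordless SSH to root on the master, a valid Kerberos ticket for ldapsearch, and a 300-second skew tolerance.

```shell
#!/usr/bin/env bash
# Pre-flight checks before (re)joining a FreeIPA replica. Added example;
# MASTER/REPLICA hostnames, root SSH access and the 300 s tolerance are assumptions.
set -u

MAX_SKEW=300   # seconds; assumed tolerance (Kerberos rejects larger offsets)

# Absolute difference between two epoch timestamps.
skew_seconds() {
    local a=$1 b=$2
    if [ "$a" -ge "$b" ]; then echo $((a - b)); else echo $((b - a)); fi
}

# Succeeds when the two clocks are within MAX_SKEW of each other.
skew_ok() {
    [ "$(skew_seconds "$1" "$2")" -le "$MAX_SKEW" ]
}

# Print the DNs of replication agreements pointing at HOST from LDIF text
# (e.g. cn=meTohost2.system,cn=replica,cn=dc\3Dsystem,cn=mapping tree,cn=config).
find_stale_agreements() {
    local ldif=$1 host=$2
    printf '%s\n' "$ldif" | grep -i "^dn: cn=meTo${host}," || true
}

# Live checks against a real master; only run when both hosts are reachable.
preflight() {
    local master=$1 replica=$2 t_master t_replica skew
    t_master=$(ssh "root@$master" date +%s)
    t_replica=$(date +%s)
    skew=$(skew_seconds "$t_master" "$t_replica")
    if skew_ok "$t_master" "$t_replica"; then
        echo "clock skew ${skew}s: OK"
    else
        echo "clock skew ${skew}s: fix NTP on $replica before ipa-replica-install" >&2
        return 1
    fi
    # Agreements are topology-plugin managed entries on the existing master;
    # list them so leftovers from a failed join are visible before retrying.
    find_stale_agreements "$(ldapsearch -LLL -Y GSSAPI -H "ldap://$master" \
        -b 'cn=mapping tree,cn=config' \
        '(objectClass=nsds5replicationagreement)' dn)" "$replica"
}
```

Run it as `preflight master.example.test host2.example.test` from the incoming replica; a non-zero exit means the clock must be fixed before retrying the install.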