Thank you, that worked. I'm now having issues passing the pki-tomcatd
installation but that's another issue.
Fri, 21 Aug 2020 at 11:17, Florence Blanc-Renaud <flo(a)redhat.com>:
On 8/19/20 9:52 PM, Konstantin M. Khankin via FreeIPA-users wrote:
> TL;DR: Unfortunately this doesn't help. I see this on Replica when
> running 'ipa-server-install --uninstall':
> u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error
> acquiring replica: Replica has different database generation ID,
> remote replica may need to be initialized (RUV error)']. Does this give
> any hints?
>
> [root@leader ~]# kinit admin
> Password for admin@DOMAIN:
> [root@leader ~]# ipa server-del Replica
> Removing Replica from replication topology, please wait...
> ipa: ERROR: Replica: server not found
> [root@leader ~]# ipa server-del Replica.domain
> Removing Replica.domain from replication topology, please wait...
> ipa: ERROR: Replica.domain: server not found
> [root@leader ~]# ipa host-del Replica
> ipa: ERROR: Replica: host not found
> [root@leader ~]# ipa host-del Replica.domain
> ipa: ERROR: Replica.domain: host not found
>
> [root@leader ~]# ipa-replica-manage list
> Leader.domain: master
>
> [root@replica ~]# ipa-replica-manage list
> Unknown host Replica.domain: Host 'Replica.domain' does not have
> corresponding DNS A/AAAA record
Hi,
can you try the following command on leader:
ipa server-del Replica.domain --force
Then as Rob suggested you can look in the LDAP server if there are any
remaining entries referring to Replica:
ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap=no > /tmp/db.ldif
ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap=no -b cn=config > /tmp/config.ldif
Look for "Replica.domain" in the ldif files, and if needed use
ldapmodify or your preferred ldap client tool to remove the
entries/attributes.
flo
> [root@replica ~]# ipa-server-install --uninstall
>
> This is a NON REVERSIBLE operation and will delete all data and
> configuration!
> It is highly recommended to take a backup of existing data and
> configuration using ipa-backup utility before proceeding.
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
>
> [LDAPEntry(ipapython.dn.DN('cn=meToLeader.domain,cn=replica,cn=dc\=domain,cn=mapping tree,cn=config'), {
>   u'nsds5replicaLastInitStart': ['19700101000000Z'],
>   u'nsds5replicaUpdateInProgress': ['FALSE'],
>   u'cn': ['meToLeader.domain'],
>   u'objectClass': ['nsds5replicationagreement', 'top'],
>   u'nsds5replicaLastUpdateEnd': ['19700101000000Z'],
>   u'nsDS5ReplicaRoot': ['dc=domain'],
>   u'nsDS5ReplicaHost': ['leader.domain'],
>   u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)'],
>   u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'],
>   u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'],
>   u'nsds5replicaLastUpdateStart': ['19700101000000Z'],
>   u'nsDS5ReplicaPort': ['389'],
>   u'nsDS5ReplicaTransportInfo': ['LDAP'],
>   u'description': ['me to leader.domain'],
>   u'nsds5replicareapactive': ['0'],
>   u'nsds5replicaChangesSentSinceStartup': [''],
>   u'nsds5replicaTimeout': ['120'],
>   u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'],
>   u'nsds5replicaLastInitEnd': ['19700101000000Z'],
>   u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]
>
> Replication agreements with the following IPA masters found: leader.domain.
> Removing any replication agreements before uninstalling the server is strongly
> recommended. You can remove replication agreements by running the following
> command on any other IPA master:
> $ ipa-replica-manage del replica.domain
>
> Are you sure you want to continue with the uninstall procedure? [no]: yes
> Shutting down all IPA services
> Unconfiguring ntpd
> Configuring certmonger to stop tracking system certificates for KRA
> Configuring certmonger to stop tracking system certificates for CA
> Unconfiguring directory server
> ipaserver.install.dsinstance: ERROR Unable to find server cert
> nickname in /etc/dirsrv/slapd-DOMAIN/dse.ldif
> Removing IPA client configuration
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> Restoring client configuration files
> Unconfiguring the NIS domain.
> nscd daemon is not installed, skip configuration
> nslcd daemon is not installed, skip configuration
> Systemwide CA database updated.
> Client uninstall complete.
> The ipa-client-install command was successful
>
> And after that ipa-replica-install fails as before.
>
> Tue, 18 Aug 2020 at 23:56, Rob Crittenden <rcritten(a)redhat.com>:
>
> Konstantin M. Khankin via FreeIPA-users wrote:
> > Hi!
> >
> > Bumping this thread. Anyone has any ideas?
>
> I'd uninstall the replica and ensure that all remnants are gone with:
>
> $ ipa server-del <host>
> $ ipa host-del <host>
>
> And if you're extra paranoid do an LDIF dump of the database and sift
> through that.
>
> rob
>
> >
> > Thanks!
> >
> >
> > Sun, 9 Aug 2020, 08:23 Konstantin M. Khankin <khankin.konstantin(a)gmail.com>:
> >
> > Hi!
> >
> > I run IPA on CentOS 7. I have two servers (Leader and Replica,
> > though they changed roles a couple of times because of reinstalls), had
> > ca and domain services on both of them, replication set up and
> > working. I had to switch off Replica for 6 months. When I turned it
> > on recently, I found expired certificates, couldn't fix them easily
> > and lost the old Replica - at least I concluded it was easier to
> > reinstate the Replica than to detangle the mess I made while I was
> > trying to back out of outdated certs. I hit the same error as I do
> > now though - Invalid Credentials (49).
> >
> > So I did the following:
> >
> > 1) on Replica - ipa-server-install --uninstall.
> > 2) on Leader - ipa-replica-manage del --force --clean Replica.
> > 3) removed obsolete replication agreement meToReplica from Leader.
> > 4) removed all traces of Replica from DNS.
> >
> > Then I started to install Replica from scratch:
> >
> > 1) ipa-client-install
> > 2) ipa-replica-install --setup-ca --setup-dns --forwarder X
> > --forwarder Y
> >
> > Installation consistently fails with:
> >
> > '''
> > Run connection check to master
> > Connection check OK
> > Configuring directory server (dirsrv). Estimated time: 30 seconds
> > <...>
> > [29/42]: setting up initial replication
> > Starting replication, please wait until this has completed.
> > Update in progress, 16 seconds elapsed
> > [ldap://Leader:389] reports: Update failed! Status: [Error (49) -
> > LDAP error: Invalid credentials]
> >
> > [error] RuntimeError: Failed to start replication
> > '''
> >
> > Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
> >
> > '''
> > [<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp -
> > agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with
> > GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> > '''
> >
> > I verified clocks on both Replica and Leader - they show the same
> > time (within 1-2 seconds diff window). In fact, at some point I had
> > Replica taking time straight from Leader, before they were set up to
> > use the other common source. I dumped traffic between Leader and
> > Replica - indeed, Leader tried to authenticate on Replica and
> > Replica replies "Invalid credentials".
> >
> > I googled this error and read multiple email threads but nothing
> > helped so far. Replica works fine as IPA client but can't get
> > promoted to a replica.
> >
> > What am I missing?
> >
> > Thanks!
> >
> > --
> > Khankin Konstantin
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >
> >
>
>
>
> --
> Ханкин Константин
>
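The cleanup Rob and Florence describe above (dump the directory and cn=config to LDIF, search the dumps for the removed replica's name, then delete the leftovers with ldapmodify) as a worked example. This is an added example and not code from the thread or from FreeIPA. It assumes the dumps were made with ldapsearch -LLL -o ldif-wrap=no (folded lines are unfolded anyway), that the FQDN of the removed server is known, and it uses a constructed sample dump with the thread's placeholder names leader.domain and replica.domain; the entry names in the sample (cn=masters, the ipaservers host group, a meTo<host> agreement under cn=config) are the usual places such references live, but the sample values are made up. The script name stale_replica.py and the function names are mine.

```python
"""Scan LDIF dumps of a FreeIPA directory for leftovers of a removed replica
and print the ldapmodify input that would remove them.  Added example, not
FreeIPA code.  Matching is a plain substring match on the FQDN so that agreement
names such as cn=meToreplica.domain are caught; review the output before use."""
import base64
import re
import sys
from typing import Dict, Iterator, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]
_ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

# Constructed sample dump (thread placeholder names); not data from the thread.
SAMPLE_LDIF = """\
dn: cn=leader.domain,cn=masters,cn=ipa,cn=etc,dc=domain
objectClass: nsContainer
cn: leader.domain

dn: cn=replica.domain,cn=masters,cn=ipa,cn=etc,dc=domain
objectClass: nsContainer
cn: replica.domain

dn: cn=CA,cn=replica.domain,cn=masters,cn=ipa,cn=etc,dc=domain
objectClass: nsContainer
cn: CA

dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=domain
cn: ipaservers
member: fqdn=leader.domain,cn=computers,cn=accounts,dc=domain
member: fqdn=replica.domain,cn=computers,cn=accounts,
 dc=domain

dn: cn=meToreplica.domain,cn=replica,cn=dc\\3Ddomain,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
cn: meToreplica.domain
nsDS5ReplicaHost: replica.domain
description:: bWUgdG8gcmVwbGljYS5kb21haW4=
"""


def parse_ldif(text: str) -> Iterator[Entry]:
    """Yield (dn, {attr: [values]}) per entry; unfolds RFC 2849 continuation
    lines and decodes base64 values written as 'attr:: ...'."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        m = _ATTR_RE.match(line)
        if line.startswith("#") or not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)


def find_references(text: str, fqdn: str):
    """Return (DNs of entries to delete, (dn, attr, value) triples to strip).
    An entry whose DN names the host goes as a whole; otherwise only the
    attribute values that mention the host are reported."""
    needle = fqdn.lower()
    delete_dns: List[str] = []
    strip_values: List[Tuple[str, str, str]] = []
    for dn, attrs in parse_ldif(text):
        if needle in dn.lower():
            delete_dns.append(dn)
            continue
        for attr, values in attrs.items():
            strip_values += [(dn, attr, v) for v in values if needle in v.lower()]
    # LDAP refuses to delete non-leaf entries: order children before parents.
    delete_dns.sort(key=lambda d: len(re.split(r"(?<!\\),", d)), reverse=True)
    return delete_dns, strip_values


def _ldif_line(attr: str, value: str) -> str:
    """Base64-encode values LDIF cannot carry literally (RFC 2849 SAFE-STRING)."""
    if value.isascii() and not value.startswith((" ", ":", "<")) \
            and not any(c in value for c in "\r\n\0"):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def cleanup_ldif(delete_dns: List[str], strip_values: List[Tuple[str, str, str]]) -> str:
    """Render ldapmodify input: whole-entry deletes, then per-value deletes."""
    out: List[str] = []
    for dn in delete_dns:
        out += [_ldif_line("dn", dn), "changetype: delete", ""]
    for dn, attr, value in strip_values:
        out += [_ldif_line("dn", dn), "changetype: modify",
                f"delete: {attr}", _ldif_line(attr, value), "-", ""]
    return "\n".join(out)


if __name__ == "__main__":
    # usage: python3 stale_replica.py <fqdn> [/tmp/db.ldif /tmp/config.ldif] > cleanup.ldif
    host = sys.argv[1] if len(sys.argv) > 1 else "replica.domain"
    dumps = [open(p, encoding="utf-8").read() for p in sys.argv[2:]] or [SAMPLE_LDIF]
    for dump in dumps:
        print(cleanup_ldif(*find_references(dump, host)))
```

Run it against the two dumps from the thread, read the generated cleanup.ldif, and only then apply it with ldapmodify -D "cn=directory manager" -W -f cleanup.ldif; -W prompts for the password rather than leaving it in shell history and process listings as -w <password> does. Deleting the agreement entry under cn=config by hand is the fallback for when ipa-replica-manage del / ipa server-del --force cannot do it for you.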