ok, did a little googling, and seems like KRA refers to the "vault" feature?I didn't originally install this myself, so wasn't sure if it is used for anything critical.I ran:# ipa vault-find----------------0 vaults matched--------------------------------------------Number of entries returned 0----------------------------So, can I assume it is safe to blow away and rebuild the server that has this role?On Wed, Jan 31, 2018 at 3:56 PM, Rob Brown <dtownrobbrown@gmail.com> wrote:I have 4 IPA servers, all masters, that were previously configured in a "full mesh" replication.2 in "prod", 2 in "preprod".While trying to fix a replication issue, I accidentally did a:ipa-replica-manage delon one of the prod servers for BOTH preprod servers.Now, the prod servers don't "see" either of the preprod servers, so I effectively created a "split-brain" between the 2 environments. Preprod still "knows about" the prod ipa servers, but I can't figure out how to re-establish the replication agreements.I was about to just blow away the preprod servers and rebuild them (which i did before on one of them) but noticed one of them has the "KRA" role, and it is the only one in the domain that has it.I don't know what that does, or what the effects would be if it went away. I'm guessing bad.I have tried "ipa topologysegment-reinitialize domain" on the segments that preprod still has, but those segments did not show up in prod.ipa topologysuffix-verify domain says "in order" everywhere.At this point I am completely lost on how to proceed.What details can I provide for any help anyone is willing to provide?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org