Well... I made what I think is a major oopsie. I was working my way
through the guide from the link below. I was having good success
exporting the directory database and migrating the data to a failing
server. When attempting to load the data I overlooked the file
ownership and the import failed. I corrected the mistake and
successfully imported the data.
Now the problem is that the system is missing the dirsrv@<instance>. Now
I can't start the service.
# systemctl status dirsrv
dirsrv-admin.service dirsrv-snmp.service dirsrv.target
What can be done to bring back the service?
*Michael Rainey*
Network Representative
Naval Research Laboratory, Code 7320
Building 1009, Room C156
Stennis Space Center, MS 39529
On 05/10/2018 03:06 PM, Mark Reynolds via FreeIPA-users wrote:
On 05/10/2018 03:30 PM, Rob Crittenden wrote:
> Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
>> Sigh... My replication agreements really do seem to be completely
>> jacked up. I would have expected the hostname replica agreements and
>> the hostname csreplica agreements to match.
> This is fairly typical. You don't really need a full CA on every
> master you just want > 1 CAs in your installation.
>
> Maybe Mark can provide some insight into the replication issues.
Replication is not working because the master cannot bind to the
consumer to initialize it. Another option is to do an offline
initialization so that the consumer gets the usercertificate it needs
for incremental replication to work.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10...
> I think that once we work that out the other CA master will get
> its updated certificate via standard means and things will hopefully
> just work at that point.
>
> rob
>
>>> # ipa-replica-manage list fitch.<domain> -v
>>> Directory Manager password:
>>>
>>> kodiak.<domain>: replica
>>> last init status: None
>>> last init ended: 1970-01-01 00:00:00+00:00
>>> last update status: Error (18) Replication error acquiring
>>> replica: Incremental update transient error. Backing off, will
>>> retry update later. (transient error)
>>> last update ended: 1970-01-01 00:00:00+00:00
>>> piston.<domain>: replica
>>> last init status: None
>>> last init ended: 1970-01-01 00:00:00+00:00
>>> last update status: Error (0) Replica acquired successfully:
>>> Incremental update succeeded
>>> last update ended: 2018-05-10 19:11:56+00:00
>>> tierod.<domain>: replica
>>> last init status: None
>>> last init ended: 1970-01-01 00:00:00+00:00
>>> last update status: Error (18) Replication error acquiring
>>> replica: Incremental update transient error. Backing off, will
>>> retry update later. (transient error)
>>> last update ended: 1970-01-01 00:00:00+00:00
>>> # ipa-csreplica-manage list fitch.<domain> -v
>>> Directory Manager password:
>>>
>>> voge.<domain>
>>> last init status: None
>>> last init ended: 1970-01-01 00:00:00+00:00
>>> last update status: Error (0) No replication sessions started
>>> since server startup
>>> last update ended: 1970-01-01 00:00:00+00:00
>>
>> On 05/10/2018 01:02 PM, Michael Rainey (Contractor, Code 7320) via
>> FreeIPA-users wrote:
>>>> Sigh. This is what I get when I type too fast.
>>> No worries. You're helping me to make some headway on this problem.
>>>
>>> This is more of what you are wanting to see, and for me it doesn't
>>> look good. Does this mean I'll be using the re-initialize option or
>>> some variation?
>>>
>>>> ipa-csreplica-manage list fitch.<domain> -v
>>>> Directory Manager password:
>>>>
>>>> voge.<domain>
>>>> last init status: None
>>>> last init ended: 1970-01-01 00:00:00+00:00
>>>> last update status: Error (0) No replication sessions started
>>>> since server startup
>>>> last update ended: 1970-01-01 00:00:00+00:00
>>>
>>> On 05/10/2018 12:09 PM, Rob Crittenden wrote:
>>>> Michael Rainey (Contractor, Code 7320) via FreeIPA-users wrote:
>>>>>> Use ipa-cacert-manage -v `hostname` to see what the status is.
>>>>> Is this correct usage for this command? It throws out debug
>>>>> messages.
>>>> Sigh. This is what I get when I type too fast.
>>>>
>>>> ipa-csreplica-manage ...
>>>>
>>>> rob
>>>>
>>>>>> ipa-cacert-manage -v 'fitch'
>>>>>> ipa: DEBUG: Loading Index file from
>>>>>> '/var/lib/ipa/sysrestore/sysrestore.index'
>>>>>> Usage: ipa-cacert-manage renew [options]
>>>>>> ipa-cacert-manage install [options] CERTFILE
>>>>>>
>>>>>> ipa-cacert-manage: error: unknown command "fitch"
>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 169, in execute
>>>>>>     self.validate_options()
>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cacert_manage.py", line 105, in validate_options
>>>>>>     parser.error("unknown command \"%s\"" % command)
>>>>>>   File "/usr/lib64/python2.7/optparse.py", line 1583, in error
>>>>>>     self.exit(2, "%s: error: %s\n" % (self.get_prog_name(), msg))
>>>>>>   File "/usr/lib64/python2.7/optparse.py", line 1573, in exit
>>>>>>     sys.exit(status)
>>>>>>
>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: DEBUG: The
>>>>>> ipa-cacert-manage command failed, exception: SystemExit: 2
>>>>>> ipa.ipaserver.install.ipa_cacert_manage.CACertManage: ERROR: The
>>>>>> ipa-cacert-manage command failed.
>>>>>
>>>>> On 05/10/2018 10:59 AM, Rob Crittenden via FreeIPA-users wrote:
>>>>>> Use ipa-cacert-manage -v `hostname` to see what the status is.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
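
Added example (not from the thread or the FreeIPA project): a small Python parser for the verbose `ipa-replica-manage list -v` / `ipa-csreplica-manage list -v` output quoted above, which re-joins mail-wrapped status lines and labels each agreement from its last update status and time. The sample text, its host names and the labels ok/idle/failing/unknown are constructed for illustration.

```python
import re
from datetime import datetime, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
HOST_RE = re.compile(r"^([\w<>-]+(?:\.[\w<>-]+)+)(?:: \w+)?$")  # dotted name, optional ": <role>"
FIELD_RE = re.compile(r"^(last (?:init|update) (?:status|ended)): (.*)$")

# Constructed sample (placeholder hosts, abridged fields), wrapped as in the mail.
SAMPLE = """\
replica-a.example.test: replica
  last update status: Error (18) Replication error acquiring
replica: Incremental update transient error. (transient error)
  last update ended: 1970-01-01 00:00:00+00:00
replica-b.example.test: replica
  last update status: Error (0) Replica acquired successfully:
Incremental update succeeded
  last update ended: 2018-05-10 19:11:56+00:00
ca-c.example.test
  last update status: Error (0) No replication sessions started since server startup
  last update ended: 1970-01-01 00:00:00+00:00
"""

def parse_agreements(text):
    """Return {host: {field: value}}, re-joining wrapped values."""
    agreements, host, field = {}, None, None
    for line in map(str.strip, text.splitlines()):
        fm, hm = FIELD_RE.match(line), HOST_RE.match(line)
        if host and fm:
            field = fm.group(1)
            agreements[host][field] = fm.group(2)
        elif hm:
            host, field = hm.group(1), None
            agreements[host] = {}
        elif host and field and line:
            agreements[host][field] += " " + line  # wrapped continuation
    return agreements

def classify(fields):
    """Labels are this example's own: ok, idle, failing, unknown."""
    try:
        code = int(re.match(r"Error \((-?\d+)\)", fields["last update status"]).group(1))
        ended = datetime.fromisoformat(fields["last update ended"])
    except (KeyError, ValueError, AttributeError):
        return "unknown"
    if code != 0:
        return "failing"
    return "ok" if ended > EPOCH else "idle"  # epoch time: no session recorded yet

def triage(text):
    return {h: classify(f) for h, f in parse_agreements(text).items()}
```

Feed it the saved output of either command; prompt lines such as the Directory Manager password request are ignored.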