Hate _hate_ to open old threads, but...
I'm also seeing this. I've been trying to add another replica to our
topology (this would be on a different subnet than the current pair); the
ipa-replica-install command has been failing for various reasons that I've
been fixing or circumventing and I've just been re-spinning the new server
between each attempt to keep the environment clean. The latest death was
apparently because of an issue with /etc/openldap/ldap.conf which I was
debugging and was about to remove the server from IPA and reset it.
However, I'm not able to do so. All attempts are met with "ERROR: invalid
'PKINIT enabled server': all masters must have IPA master role enabled" -
in fact, even poking around trying to do an ipa config-show (on either of
the current masters) just generates that error. I've also tried
uninstalling the replica and client on the new host, and it seems to have
completed successfully, but I can't re-enroll it either, so it's "dead to
the other masters", except...
There is nothing I want to do at this point other than another iteration on
my problem adding another replica. There's no data on the replica, nothing is
relying on it, and I've tried as hard as possible to make the installation
entirely vanilla. I haven't manually enabled PKINIT; ipa-pkinit-manage
status on the current masters says it's enabled. As for the server roles,
server-role-find shows the two current servers and the new one; the
latter's "role status" for CA Server is "absent". I've had issues before
where I've had to enumerate the RUVs and remove them (done that). Just
want the references to this to go away, so that I can keep working towards
the most minimal and concise installation.
Any ideas on where I can go to get out of this situation? Many thanks!
(Everything completely updated to *4.6.4-10.el7.centos, initial
installation was about one year ago, domain level 1; tried all the ipa
server del and ipa-replica-manage del suggestions which aren't working for
me this time, no AD integration...)
On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Oh, forgot to mention, current domain level is `1`...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...