On 07/11/2017 03:24 PM, Jan Karásek via FreeIPA-users wrote:
Hi,
thank you. We have 34 entries in directory with nsuniqueid in DN:
dn: cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=locations+nsuniqueid=7a711f07-d11911e6-bea49da2-866883c1,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=Default Service Password Policy+nsuniqueid=f683e20d-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cas+nsuniqueid=7a711f0d-d11911e6-bea49da2-866883c1,cn=ca,dc=vs,dc=example,dc=cz
dn: cn=dogtag+nsuniqueid=7a711f3e-d11911e6-bea49da2-866883c1,cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=Default Host Password Policy+nsuniqueid=f683e20b-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: idnsserverid=tidmipa01.vs.example.cz,cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=System: Add CA+nsuniqueid=7a711f46-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Delete CA+nsuniqueid=7a711f4a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify CA+nsuniqueid=7a711f4e-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read CAs+nsuniqueid=7a711f52-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=7a711f57-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=7a711f5b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Host Principals+nsuniqueid=7a711f6a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Add IPA Locations+nsuniqueid=7a711f7b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify IPA Locations+nsuniqueid=7a711f7f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read IPA Locations+nsuniqueid=7a711f83-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Remove IPA Locations+nsuniqueid=7a711f87-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=7a711f8b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=7a711f8f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Service Principals+nsuniqueid=7a711f93-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage User Principals+nsuniqueid=7a711fa1-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=Default Kerberos Service Password Policy+nsuniqueid=f683e211-e16a11e6-bea49da2-866883c1,cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e215-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e21b-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e221-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=domain+nsuniqueid=7a711f03-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=ca+nsuniqueid=7a711f41-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
The guide describes how to solve DN name conflicts, but I think we should delete
them. They look like they are doubled entries, just with "+nsuniqueid=....".
For each of them I have an entry without "nsuniqueid" in the DN:
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=ipaservers,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
Is that correct?

The guide covers scenarios where you want to keep both entries or the
conflict entry. If you just have a "valid" entry and a "conflict" entry
as duplicate you can delete the conflict directly.

Thanks,
Jan
----- Original Message -----
From: "Martin Basti" <mbasti(a)redhat.com>
To: "freeipa-users" <freeipa-users(a)lists.fedorahosted.org>
Cc: "Jan Karásek" <jan.karasek(a)elostech.cz>
Sent: Monday, July 10, 2017 7:09:34 PM
Subject: Re: [Freeipa-users] ipa-domainlevel set 1 failed
On 10.07.2017 18:26, Jan Karásek via FreeIPA-users wrote:
> Hello,
>
> I'm having trouble setting the IPA domain level to 1.
>
> When I run the command:
>
> ipa domainlevel-set 1
> ipa: ERROR: Domain Level cannot be raised to 1, existing replication conflicts have to be resolved.
>
> At the moment we have just two IPA servers.
>
> I have tried to uninstall all replicas, keeping only the first IPA master, but the same
> error occurred.
>
> While running only one IPA server without any replica, I used ipa-replica-manage
> list-ruv and clean-ruv to delete all RUVs, but was still unable to raise the domain
> level.
>
> OS: RHEL 7.3, updated to last IPA version ipa-server-4.4.0-14.
>
> First version of IPA server installed was on RHEL 7.2, then updated to RHEL 7.3.
>
> This is described in RHBA-2017:0089-1
>
> Previously, if an Identity Management (IdM) upgrade ran simultaneously on
> multiple servers, replication conflict entries were sometimes generated in the
> "cn=topology" subtree.
>
>
> So if I understand it right, there is a new check implemented which prevents raising
> the domain level when this happens.
>
> So my question is: what can I do to get rid of the "conflict entries" and raise
> the domain level?
>
> Thanks,
>
> Jan Karásek
Hello,
please use this guide to resolve replication conflicts
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10...
--
Red Hat GmbH,
http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
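
The check discussed in this thread (delete a conflict entry directly only when its "valid" duplicate exists) can be scripted. The following is an added example, not part of the original messages or of FreeIPA: the function names are hypothetical, the pattern matches only the "cn=...+nsuniqueid=..." RDN form shown above, and the sample DNs are constructed from the thread plus one invented "orphan" entry.

```python
import re

# Conflict RDN form seen in this thread: "cn=ipaservers+nsuniqueid=<id>".
NSUID = re.compile(r"\+nsuniqueid=[0-9a-f]{8}(?:-[0-9a-f]{8}){3}", re.I)

def rdns(dn):
    # Split on commas not preceded by a backslash (simplified DN parsing).
    return [r.strip() for r in re.split(r"(?<!\\),", dn)]

def is_conflict(dn):
    # True for a conflict entry and for anything stored beneath one.
    return any(NSUID.search(r) for r in rdns(dn))

def valid_counterpart(dn):
    # DN the entry would have without the conflict marker in any RDN.
    return ",".join(NSUID.sub("", r) for r in rdns(dn))

def plan(dns):
    """Split conflict DNs into (deletable, review).

    deletable: the valid counterpart exists, ordered children first.
    review: no counterpart found, so the entry may be the only copy.
    """
    present = {",".join(rdns(d)).lower() for d in dns if not is_conflict(d)}
    deletable, review = [], []
    for dn in dns:
        if is_conflict(dn):
            ok = valid_counterpart(dn).lower() in present
            (deletable if ok else review).append(dn)
    deletable.sort(key=lambda d: len(rdns(d)), reverse=True)
    return deletable, review

def to_ldif(dns):
    # Standard LDIF delete records, one per DN.
    return "".join(f"dn: {d}\nchangetype: delete\n\n" for d in dns)

BASE = "dc=vs,dc=example,dc=cz"
U = "-d11911e6-bea49da2-866883c1"
# Constructed sample: DNs modelled on the thread; the "orphan" entry is invented.
SAMPLE = [
    f"cn=ipaservers+nsuniqueid=7a711efc{U},cn=ng,cn=alt,{BASE}",
    f"cn=ipaservers,cn=ng,cn=alt,{BASE}",
    f"cn=custodia+nsuniqueid=7a711f3c{U},cn=ipa,cn=etc,{BASE}",
    f"cn=dogtag+nsuniqueid=7a711f3e{U},cn=custodia+nsuniqueid=7a711f3c{U},cn=ipa,cn=etc,{BASE}",
    f"cn=custodia,cn=ipa,cn=etc,{BASE}",
    f"cn=dogtag,cn=custodia,cn=ipa,cn=etc,{BASE}",
    f"cn=orphan+nsuniqueid=00000000-00000000-00000000-00000000,cn=etc,{BASE}",
]

if __name__ == "__main__":
    deletable, review = plan(SAMPLE)
    print(to_ldif(deletable), end="")
    print("# needs manual review:", *review, sep="\n# ")
```

Entries in the review list are the case the guide covers (keeping both entries or the conflict entry); inspect the generated LDIF before applying it.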