Hi guys.
Two masters from which third got disconnected in a "dirty" manner.
-> $ ipa-replica-manage del midway.ccn.priv.dom
Server removal aborted:

Replication topology in suffix 'domain' is disconnected:
Topology does not allow server love.ccn.priv.dom to replicate with servers:
    midway.ccn.priv.dom
Topology does not allow server midway.ccn.priv.dom to replicate with servers:
    love.ccn.priv.dom
    punch.ccn.priv.dom
Topology does not allow server punch.ccn.priv.dom to replicate with servers:
    midway.ccn.priv.dom.

-> $ ipa topologysegment-find domain
-----------------
1 segment matched
-----------------
  Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
  Left node: punch.ccn.priv.dom
  Right node: love.ccn.priv.dom
  Connectivity: both
----------------------------
Number of entries returned 1

-> $ ipa-replica-manage del midway.ccn.priv.dom --force
ipa: WARNING: /usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973: The subsystem in PKIConnection.__init__() has been deprecated (https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Updating DNS system records
Not allowed on non-leaf entry

I've tried to 'reinitialize' but without success.
Anybody care to share suggestions & thoughts?
many thanks, L.
Hi,
is the topology at domain level 1 or domain level 0?
# kinit admin
# ipa domainlevel-get

If the level is 1, the right command in order to remove a replica + ignore topology disconnect issues is
# kinit admin
# ipa server-del <hostname> --ignore-topology-disconnect
The error "not allowed on non-leaf entry" means that the command tried to delete an LDAP entry which has child entries. You can have a look at the directory server logs in /var/log/dirsrv/slapd-IPA-TEST/access and look for a DEL operation which returned an error (something with RESULT err=<value different from 0>).
HTH, flo
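The reply above suggests reading the directory server access log by hand for a DEL operation whose RESULT carries a non-zero err. The script below does that pairing mechanically: it matches each DEL with the RESULT line sharing the same conn and op numbers and reports the failures, naming the standard LDAP result code (66 is notAllowedOnNonLeaf, the "Not allowed on non-leaf entry" seen in the thread). This is an added example, not code from the thread or from the FreeIPA project; the log excerpt is constructed in the 389-ds access-log format (the conn/op numbers echo the errors-log line quoted later in the thread, everything else is made up), and the script name in the usage comment is hypothetical.

```python
"""Added example: pair DEL operations with their RESULT lines in a 389-ds access log
and report the ones that failed (err != 0), as the reply above suggests doing by hand."""
import re
import sys

# Constructed sample in 389-ds access-log format. The conn/op numbers echo the
# errors-log line quoted later in the thread; the rest is made up for illustration.
SAMPLE_ACCESS_LOG = """\
[06/Jul/2021:17:00:47.671000000 +0100] conn=5935 op=243 SRCH base="cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom" scope=1 filter="(objectClass=*)" attrs="cn"
[06/Jul/2021:17:00:47.671500000 +0100] conn=5935 op=243 RESULT err=0 tag=101 nentries=3 etime=0.000512
[06/Jul/2021:17:00:47.672000000 +0100] conn=5935 op=244 DEL dn="cn=midway.ccn.priv.dom,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom"
[06/Jul/2021:17:00:47.672300000 +0100] conn=5935 op=244 RESULT err=66 tag=107 nentries=0 etime=0.000301
[06/Jul/2021:17:00:48.100000000 +0100] conn=5935 op=245 DEL dn="cn=DNS,cn=midway.ccn.priv.dom,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom"
[06/Jul/2021:17:00:48.100400000 +0100] conn=5935 op=245 RESULT err=0 tag=107 nentries=0 etime=0.000400
"""

# Every operation line starts with a timestamp, then conn=N op=N, then the operation itself.
OP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
DEL_RE = re.compile(r'^DEL dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')

# Standard LDAP result codes (RFC 4511) that show up when a server entry cannot be removed.
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    66: "notAllowedOnNonLeaf",   # the "Not allowed on non-leaf entry" from the thread
}


def failed_deletes(log_text):
    """Return one dict per DEL whose RESULT (matched on conn and op) carried err != 0."""
    pending = {}    # (conn, op) -> (timestamp, dn) for DELs still waiting for their RESULT
    failures = []
    for line in log_text.splitlines():
        m = OP_RE.match(line)
        if not m:
            continue
        key = (int(m.group("conn")), int(m.group("op")))
        rest = m.group("rest")
        d = DEL_RE.match(rest)
        if d:
            pending[key] = (m.group("ts"), d.group("dn"))
            continue
        r = RESULT_RE.match(rest)
        if r and key in pending:            # RESULT lines of other operations are ignored
            ts, dn = pending.pop(key)
            err = int(r.group("err"))
            if err != 0:
                failures.append({"time": ts, "conn": key[0], "op": key[1], "dn": dn,
                                 "err": err, "name": LDAP_RESULT_NAMES.get(err, "unknown")})
    return failures


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 failed_deletes.py /var/log/dirsrv/slapd-INSTANCE/access
    # Without an argument the constructed sample above is analysed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    for f in failed_deletes(text):
        print(f'{f["time"]} conn={f["conn"]} op={f["op"]} err={f["err"]} ({f["name"]}) dn={f["dn"]}')
```

Matching on (conn, op) rather than on adjacency matters on a busy server, where other connections interleave their lines between a DEL and its RESULT; the DEL that fails with err=66 is the one whose DN still has children, which is where to look next.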
On Mon, Jul 5, 2021 at 10:45 PM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On 06/07/2021 07:27, Florence Renaud wrote:
Hi,
is the topology at domain level 1 or domain level 0?
# kinit admin
# ipa domainlevel-get

If the level is 1, the right command in order to remove a replica + ignore topology disconnect issues is
# kinit admin
# ipa server-del <hostname> --ignore-topology-disconnect
The error "not allowed on non-leaf entry" means that the command tried to delete an LDAP entry which has child entries. You can have a look at the directory server logs in /var/log/dirsrv/slapd-IPA-TEST/access and look for a DEL operation which returned an error (something with RESULT err=<value different from 0>).
HTH, flo
I cannot see any meaningful "DEL" in 'access' at/around the time of 'server-del' execution, though in 'errors' ...
[06/Jul/2021:17:00:47.672237100 +0100] - ERR - ldbm_back_delete - conn=5935 op=244 Deleting entry cn=midway.ccnr.ceb.private.cam.ac.uk,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom has replication conflicts as children.
many thanks, L
Hi, so there are replication conflicts in the LDAP database.
To find the conflicting entries, run the following commands on each server:
export BASEDN=<basedn value from /etc/ipa/default.conf>
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
And then follow the guide *B.2. Identity Management Replicas* [1] in order to solve the conflicts.
HTH, flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
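The ldapsearch above prints the conflict entries as LDIF. The script below, an added example that is not part of the thread or of FreeIPA, parses that LDIF (unfolding continuation lines and decoding base64 "::" values), lists every conflict entry together with the original DN it shadows, and flags the conflict entries that sit below a given server entry, which is exactly the situation in which deleting that server entry fails as a non-leaf. The LDIF is constructed: hostnames follow the thread, the nsuniqueid values are invented, and handling of the "namingConflict (ADD) <dn>" form is based on the assumption that newer 389-ds releases add the operation in parentheses.

```python
"""Added example: parse the LDIF that the ldapsearch above prints, list every
replication-conflict entry with the original DN it shadows, and flag the ones
that sit below a server entry (those are the "children" that block server-del)."""
import base64
import re
import sys
from collections import defaultdict

# Constructed LDIF in the shape 389-ds returns for
# "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))"; hostnames follow the
# thread, the nsuniqueid values are invented, and two lines are folded the way
# ldapsearch folds long lines (continuation lines start with one space).
SAMPLE_LDIF = """\
dn: nsuniqueid=11111111-aaaa1111-bbbb1111-cccc1111+cn=CA,cn=midway.ccn.priv.dom,c
 n=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict cn=CA,cn=midway.ccn.priv.dom,cn=masters,cn=ipa,
 cn=etc,dc=ccn,dc=priv,dc=dom

dn: nsuniqueid=22222222-aaaa2222-bbbb2222-cccc2222+cn=DNS,cn=midway.ccn.priv.dom,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict (ADD) cn=DNS,cn=midway.ccn.priv.dom,cn=masters,cn=ipa,cn=etc,dc=ccn,dc=priv,dc=dom

dn: nsuniqueid=33333333-aaaa3333-bbbb3333-cccc3333+uid=jdoe,cn=users,cn=accounts,dc=ccn,dc=priv,dc=dom
objectClass: ldapSubEntry
nsds5ReplConflict: namingConflict uid=jdoe,cn=users,cn=accounts,dc=ccn,dc=priv,dc=dom
"""

# "namingConflict <dn>" on older servers; the "(ADD)"/"(MODRDN)" marker of newer
# releases is accepted as an assumption.
CONFLICT_RE = re.compile(r'^namingConflict(?:\s+\([A-Z]+\))?\s+(?P<dn>.+)$')


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts; unfolds continuation lines and decodes '::' base64 values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # continuation of the previous logical line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line or line.startswith("#"):
            if current is not None:     # blank line or comment closes the entry
                entries.append(current)
                current = None
            continue
        if line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def conflict_summary(entries):
    """Map each original DN named in nsds5ReplConflict to the conflict-entry DNs that shadow it."""
    summary = defaultdict(list)
    for e in entries:
        for value in e.get("nsds5ReplConflict", []):
            m = CONFLICT_RE.match(value)
            original = m.group("dn") if m else value
            summary[original].append(e["dn"][0])
    return dict(summary)


def conflicts_under(entries, parent_dn):
    """Conflict entries located below parent_dn; a DEL of parent_dn fails with
    notAllowedOnNonLeaf while they exist. Plain case-insensitive suffix match,
    not full DN normalisation, so keep the spelling of parent_dn as the server prints it."""
    suffix = "," + parent_dn.lower()
    return [e["dn"][0] for e in entries
            if "nsds5ReplConflict" in e and e["dn"][0].lower().endswith(suffix)]


if __name__ == "__main__":
    # Usage (hypothetical script name): ldapsearch ... | python3 conflicts.py [parent-dn]
    # With nothing on stdin the constructed sample above is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    ents = parse_ldif(text)
    for original, shadows in conflict_summary(ents).items():
        print(f"{original}\n    shadowed by: {', '.join(shadows)}")
    if len(sys.argv) > 1:
        for dn in conflicts_under(ents, sys.argv[1]):
            print("blocks deletion of", sys.argv[1], "->", dn)
```

Running the ldapsearch on every server and feeding each result through this separately is worth doing: conflict entries are themselves replicated, but a server that was disconnected "dirtily" may hold ones the others never received, and each of them has to be cleaned up following the referenced guide before the server entry becomes a leaf again.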
On Tue, Jul 6, 2021 at 6:09 PM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 06/07/2021 17:23, Florence Renaud wrote:
Hi, so there are replication conflicts in the LDAP database.
To find the conflicting entries, run the following commands on each server:
export BASEDN=<basedn value from /etc/ipa/default.conf>
ldapsearch -D "cn=Directory Manager" -W -b $BASEDN "(&(objectClass=ldapSubEntry)(nsds5ReplConflict=*))" \* nsds5ReplConflict
And then follow the guide /B.2. Identity Management Replicas/ [1] in order to solve the conflicts.
HTH, flo
I've found backups and thought I was lucky, yet - though restoration seems to work and I'm able to remove the missing master/replica with no "Not allowed on non-leaf entry" error... replication between the two existing masters seems to be "broken", data does not replicate. If I try 'force-sync' I see, on the requesting master:
...
[09/Jul/2021:10:05:01.553662244 +0100] - ERR - NSMMReplicationPlugin - prot_notify_agmt_changed - Replication agreement for agmt="cn=punch.ccnr.ceb.private.cam.ac.uk-to-love.ccn.priv.dom" (love:389) could not be updated. For replication to take place, please enable the suffix and restart the server
...
Googling that did not get me much info. What's the issue here?
many thanks, L.
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#trouble-replica
lejeczek via FreeIPA-users wrote:
I've found backups and thought I was lucky, yet - though restoration seems to work and I'm able to remove the missing master/replica with no "Not allowed on non-leaf entry" error... replication between the two existing masters seems to be "broken", data does not replicate. If I try 'force-sync' I see, on the requesting master:
...
[09/Jul/2021:10:05:01.553662244 +0100] - ERR - NSMMReplicationPlugin - prot_notify_agmt_changed - Replication agreement for agmt="cn=punch.ccnr.ceb.private.cam.ac.uk-to-love.ccn.priv.dom" (love:389) could not be updated. For replication to take place, please enable the suffix and restart the server
...
Googling that did not get me much info. What's the issue here?
What does "I found backups" mean? Are you talking about ipa-backup and ipa-restore? If you run ipa-restore then you need to re-init all other servers from that one.
rob
hey everyone,
I had a similar issue and it took me a lot of time to figure it out.
I could not remove a single replica because the topology plugin reported that I could not remove a non-leaf server. But it was a simple leaf server. After trying a lot of stuff, I found out that some replication conflicts were the reason.
So removing those let me remove the faulty replica.
Removing replication conflicts is explained here: https://access.redhat.com/documentation/de-de/red_hat_directory_server/11/ht...
Hope it helps