ok, did a little googling, and seems like KRA refers to the "vault" feature? I didn't originally install this myself, so wasn't sure if it is used for anything critical. I ran: # ipa vault-find ---------------- 0 vaults matched ---------------- ---------------------------- Number of entries returned 0 ---------------------------- So, can I assume it is safe to blow away and rebuild the server that has this role? On Wed, Jan 31, 2018 at 3:56 PM, Rob Brown <dtownrobbrown(a)gmail.com&gt; wrote: > I have 4 IPA servers, all masters, that were previously configured in a > "full mesh" replication. > 2 in "prod", 2 in "preprod". > While trying to fix a replication issue, I accidentally did a: > ipa-replica-manage del > on one of the prod servers for BOTH preprod servers. > > Now, the prod servers don't "see" either of the preprod servers, so I > effectively created a "split-brain" between the 2 environments. Preprod > still "knows about" the prod ipa servers, but I can't figure out how to > re-establish the replication agreements. > > I was about to just blow away the preprod servers and rebuild them (which > i did before on one of them) but noticed one of them has the "KRA" role, > and it is the only one in the domain that has it. > I don't know what that does, or what the effects would be if it went > away. I'm guessing bad. > > I have tried "ipa topologysegment-reinitialize domain" on the segments > that preprod still has, but those segments did not show up in prod. > ipa topologysuffix-verify domain says "in order" everywhere. > > At this point I am completely lost on how to proceed. > > What details can I provide for any help anyone is willing to provide? > > > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org

Agreed! I would love to know if that is possible... seems like it should be. As mentioned previously, preprod still has the agreements, but prod does not. Not really sure how I should proceed. I'm a bit stuck, not wanting to further break anything. For now, auth is still working in both envs. --- [root@ipa-preprod-1201]# ipa topologysegment-find domain ------------------ 5 segments matched ------------------ Segment name: ipa-preprod-1201-to-ipa-preprod-1202 Left node: ipa-preprod-1201 Right node: ipa-preprod-1202 Connectivity: both Segment name: ipa-preprod-1201-to-ipa-prod-1201 Left node: ipa-preprod-1201 Right node: ipa-prod-1201 Connectivity: both Segment name: ipa-preprod-1202-to-ipa-prod-1201 Left node: ipa-preprod-1202 Right node: ipa-prod-1201 Connectivity: both Segment name: ipa-prod-1201-to-ipa-prod-1202 Left node: ipa-prod-1201 Right node: ipa-prod-1202 Connectivity: both Segment name: ipa-prod-1202-to-ipa-preprod-1201 Left node: ipa-prod-1202 Right node: ipa-preprod-1201 Connectivity: both [root@ipa-prod-1201]# ipa topologysegment-find domain ------------------ 2 segments matched ------------------ Segment name: ipa-preprod-1201-to-ipa-preprod-1202 Left node: ipa-preprod-1201 Right node: ipa-preprod-1202 Connectivity: both Segment name: ipa-prod-1201-to-ipa-prod-1202 Left node: ipa-prod-1201 Right node: ipa-prod-1202 Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- I think part of the problem is that when I did the ipa-replica-manage del, it removed the preprod servers: [root@ipa-prod-1201]# ipa server-find --------------------- 2 IPA servers matched --------------------- Server name: ipa-prod-1201 Min domain level: 0 Max domain level: 1 Server name: ipa-prod-1202 Min domain level: 0 Max domain level: 1 ---------------------------- Number of entries returned 2 ---------------------------- but they still exist on the preprod side: [root@ipa-preprod-1201]# ipa server-find --------------------- 4 IPA servers matched --------------------- Server name: ipa-preprod-1201 Min domain level: 0 Max domain level: 1 Server name: ipa-preprod-1202 Min domain level: 0 Max domain level: 1 Server name: ipa-prod-1201 Min domain level: 0 Max domain level: 1 Server name: ipa-prod-1202 Min domain level: 0 Max domain level: 1 ---------------------------- Number of entries returned 4 ---------------------------- On Wed, Jan 31, 2018 at 10:52 PM, Andrew Radygin <randrewg(a)gmail.com&gt; wrote: > Though you can completely rebuild preprod servers, still it would be > interesting how to reconnect prod servers with replicas again. > > 2018-02-01 8:41 GMT+03:00 Rob Brown via FreeIPA-users < > freeipa-users(a)lists.fedorahosted.org&gt;: > >> ok, did a little googling, and seems like KRA refers to the "vault" >> feature? >> I didn't originally install this myself, so wasn't sure if it is used >> for anything critical. >> I ran: >> # ipa vault-find >> ---------------- >> 0 vaults matched >> ---------------- >> ---------------------------- >> Number of entries returned 0 >> ---------------------------- >> >> So, can I assume it is safe to blow away and rebuild the server that has >> this role? >> >> On Wed, Jan 31, 2018 at 3:56 PM, Rob Brown <dtownrobbrown(a)gmail.com&gt; >> wrote: >> >>> I have 4 IPA servers, all masters, that were previously configured in a >>> "full mesh" replication. >>> 2 in "prod", 2 in "preprod". >>> While trying to fix a replication issue, I accidentally did a: >>> ipa-replica-manage del >>> on one of the prod servers for BOTH preprod servers. >>> >>> Now, the prod servers don't "see" either of the preprod servers, so I >>> effectively created a "split-brain" between the 2 environments. Preprod >>> still "knows about" the prod ipa servers, but I can't figure out how to >>> re-establish the replication agreements. >>> >>> I was about to just blow away the preprod servers and rebuild them >>> (which i did before on one of them) but noticed one of them has the "KRA" >>> role, and it is the only one in the domain that has it. >>> I don't know what that does, or what the effects would be if it went >>> away. I'm guessing bad. >>> >>> I have tried "ipa topologysegment-reinitialize domain" on the segments >>> that preprod still has, but those segments did not show up in prod. >>> ipa topologysuffix-verify domain says "in order" everywhere. >>> >>> At this point I am completely lost on how to proceed. >>> >>> What details can I provide for any help anyone is willing to provide? >>> >>> >>> >>> >>> >> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo >> rahosted.org >> >> > > > -- > Best regards, Andrew. >