I was able to get it working by doing the following.
I tore down the primary server and stood it up again with ipa-server installed, and then I
restored it from a backup taken today. On the replica server I created another user
account because, if my understanding of how the re-initialize command works is correct,
that user account shouldn't be on the replica anymore once it re-initializes from the
master, since it was created after the backup was taken.
After I got the primary restored, I ran the re-initialize command on the replica and it
worked!
Because I was curious, I performed the same steps I mentioned above, but this time I used
an older backup and I started running into the LDAP issues again.
My question is, do the backups get a little wonky the older they are?
Tyler
From: Hirata, Tyler via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Date: Wednesday, December 21, 2022 at 8:18 AM
To: Rob Crittenden <rcritten(a)redhat.com>, FreeIPA users list
<freeipa-users(a)lists.fedorahosted.org>
Cc: Hirata, Tyler <thirata(a)caltech.edu>
Subject: [Freeipa-users] Re: LDAP error after re-initializing replica server
Hi Rob,
I took two backups from this month. The 1st one I tried was from December 5th, and the
more recent one was from the 16th. The replica did exist at the time I took the backup.
Are there implications to deleting the replica VMs and starting from scratch? The only way I
was able to get the restore to work was to restore the primary server, delete the VM the
replica was on, rebuild it, and set up replication from scratch.
Tyler
From: Rob Crittenden <rcritten(a)redhat.com>
Date: Wednesday, December 21, 2022 at 5:49 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Hirata, Tyler <thirata(a)caltech.edu>
Subject: Re: [Freeipa-users] LDAP error after re-initializing replica server
Hirata, Tyler via FreeIPA-users wrote:
I'm testing out IPA and wanted to see how restoring backups works. I
successfully restored an older backup to my master node, but when I hop
on my replica nodes and run the re-initialization command, I get an LDAP
error. I was wondering if anyone has experienced this?
ipa-replica-manage re-initialize --from ipa1.domain.com
Update in progress, 15 seconds elapsed
[ldaps://ipa1.domain.com:636] reports: Update failed! Status: [Error (49) - LDAP error: Invalid credentials - no response received]
I've cleared my Kerberos cache by running kdestroy, and I restarted
directory services and rebooted the primary and secondary servers.
How old was this restore? Did the replica exist when the backup was taken?
rob