Hi,
I'm about to decommission one of my IPA replicas running on up-to-date
Fedora 35 (freeipa-server-common-4.9.7-4.fc35.noarch). On my CA renewal
master (freeipa1.example.org) I try to remove freeipa4.example.org:
[root@freeipa1 ~]# ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Server removal aborted: Deleting this server is not allowed as it would leave your installation without a KRA..
I think the message is wrong:
[root@freeipa1 ~]# ipa server-role-find --role="KRA server" --status=enabled
----------------------
4 server roles matched
----------------------
Server name: freeipa1.example.org
Role name: KRA server
Role status: enabled
Server name: freeipa2.example.org
Role name: KRA server
Role status: enabled
Server name: freeipa3.example.org
Role name: KRA server
Role status: enabled
Server name: freeipa4.example.org
Role name: KRA server
Role status: enabled
----------------------------
Number of entries returned 4
----------------------------
I had a look at plugins/server.py:
    if self.api.Command.ca_is_enabled()['result']:
        try:
            roles = self.api.Command.server_role_find(
                server_server=hostname,
=====> Do we really need to search for the hostname here? We will
always find out that there is only one server left... When I remove
that parameter deletion would continue - but I didn't really run the
rest of the deletion yet.
ipa server-role-find --server=freeipa4.example.org --role="KRA server"
really returns one entry.
                role_servrole='KRA server',
                status='enabled',
                include_master=True,
            )['result']
        except errors.NotFound:
            roles = ()
        if len(roles) == 1 and roles[0]['server_server'] == hostname:
            handler(
                _("Deleting this server is not allowed as it would "
                  "leave your installation without a KRA."),
                ignore_last_of_role)
The commit that added the code was
https://github.com/freeipa/freeipa/commit/10bd66dd1a14fc0bd39c489d0d0af76...
and should fix
https://pagure.io/freeipa/issue/8397
Am I missing something else?
Jochen
--
This space is intentionally left blank.
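
Added example, not part of the original message and not FreeIPA's code: a small model of the last-KRA check quoted above, run against a constructed copy of the four-replica topology from the post. `role_find` is a hypothetical stand-in for `server_role_find`, and the unfiltered variant is only an illustration of the comparison the post asks about, not the project's fix.

```python
# Constructed topology matching the post: four replicas, KRA enabled on each.
ROLES = [
    {"server_server": f"freeipa{i}.example.org",
     "role_servrole": "KRA server",
     "status": "enabled"}
    for i in range(1, 5)
]


def role_find(roles, role, status="enabled", server=None):
    """Hypothetical stand-in for server_role_find with an optional server filter."""
    return [
        r for r in roles
        if r["role_servrole"] == role
        and r["status"] == status
        and (server is None or r["server_server"] == server)
    ]


def is_last_kra_filtered(roles, hostname):
    """Check as quoted in the post: the search is restricted to `hostname`."""
    found = role_find(roles, "KRA server", server=hostname)
    return len(found) == 1 and found[0]["server_server"] == hostname


def is_last_kra_unfiltered(roles, hostname):
    """Same comparison, but over every enabled KRA server in the topology."""
    found = role_find(roles, "KRA server")
    return len(found) == 1 and found[0]["server_server"] == hostname


if __name__ == "__main__":
    target = "freeipa4.example.org"
    # The filtered search can only ever return the target itself, so any
    # server that holds the role looks like the last one.
    print("filtered, 4 KRAs:  ", is_last_kra_filtered(ROLES, target))
    print("unfiltered, 4 KRAs:", is_last_kra_unfiltered(ROLES, target))

    # Safety case: the guard must still trigger when the target really is
    # the only KRA left.
    only_one = [r for r in ROLES if r["server_server"] == target]
    print("unfiltered, 1 KRA: ", is_last_kra_unfiltered(only_one, target))
```
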