On 8/19/20 9:52 PM, Konstantin M. Khankin via FreeIPA-users wrote:
TL;DR: Unfortunately this doesn't help. I see this on Replica when running 'ipa-server-install --uninstall': u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)']. Does this give any hints?

[root@leader ~]# kinit admin
Password for admin@DOMAIN:
[root@leader ~]# ipa server-del Replica
Removing Replica from replication topology, please wait...
ipa: ERROR: Replica: server not found
[root@leader ~]# ipa server-del Replica.domain
Removing Replica.domain from replication topology, please wait...
ipa: ERROR: Replica.domain: server not found
[root@leader ~]# ipa host-del Replica
ipa: ERROR: Replica: host not found
[root@leader ~]# ipa host-del Replica.domain
ipa: ERROR: Replica.domain: host not found

[root@leader ~]# ipa-replica-manage list
Leader.domain: master

[root@replica ~]# ipa-replica-manage list
Unknown host Replica.domain: Host 'Replica.domain' does not have corresponding DNS A/AAAA record

Hi,
can you try the following command on leader:
ipa server-del Replica.domain --force

Then as Rob suggested you can look in the LDAP server if there are any remaining entries referring to Replica:

ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap > /tmp/db.ldif
ldapsearch -D cn=directory\ manager -w <password> -LLL -o ldif-wrap -b cn=config > /tmp/config.ldif

Look for "Replica.domain" in the ldif files, and if needed use ldapmodify or your preferred ldap client tool to remove the entries/attributes.

flo

[root@replica ~]# ipa-server-install --uninstall

This is a NON REVERSIBLE operation and will delete all data and configuration! It is highly recommended to take a backup of existing data and configuration using ipa-backup utility before proceeding.

Are you sure you want to continue with the uninstall procedure? [no]: yes
[LDAPEntry(ipapython.dn.DN('cn=meToLeader.domain,cn=replica,cn=dc\=domain,cn=mapping tree,cn=config'), {u'nsds5replicaLastInitStart': ['19700101000000Z'], u'nsds5replicaUpdateInProgress': ['FALSE'], u'cn': ['meToLeader.domain'], u'objectClass': ['nsds5replicationagreement', 'top'], u'nsds5replicaLastUpdateEnd': ['19700101000000Z'], u'nsDS5ReplicaRoot': ['dc=domain'], u'nsDS5ReplicaHost': ['leader.domain'], u'nsds5replicaLastUpdateStatus': ['Error (19) Replication error acquiring replica: Replica has different database generation ID, remote replica may need to be initialized (RUV error)'], u'nsDS5ReplicaBindMethod': ['SASL/GSSAPI'], u'nsds5ReplicaStripAttrs': ['modifiersName modifyTimestamp internalModifiersName internalModifyTimestamp'], u'nsds5replicaLastUpdateStart': ['19700101000000Z'], u'nsDS5ReplicaPort': ['389'], u'nsDS5ReplicaTransportInfo': ['LDAP'], u'description': ['me to leader.domain'], u'nsds5replicareapactive': ['0'], u'nsds5replicaChangesSentSinceStartup': [''], u'nsds5replicaTimeout': ['120'], u'nsDS5ReplicatedAttributeList': ['(objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount'], u'nsds5replicaLastInitEnd': ['19700101000000Z'], u'nsDS5ReplicatedAttributeListTotal': ['(objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount']})]

Replication agreements with the following IPA masters found: leader.domain.
Removing any replication agreements before uninstalling the server is strongly
recommended. You can remove replication agreements by running the following
command on any other IPA master:
$ ipa-replica-manage del replica.domain

Are you sure you want to continue with the uninstall procedure? [no]: yes
Shutting down all IPA services
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring directory server
ipaserver.install.dsinstance: ERROR    Unable to find server cert nickname in /etc/dirsrv/slapd-DOMAIN/dse.ldif
Removing IPA client configuration
Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
Restoring client configuration files
Unconfiguring the NIS domain.
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Systemwide CA database updated.
Client uninstall complete.
The ipa-client-install command was successful

And after that ipa-replica-install fails as before.

Tue, 18 Aug 2020 at 23:56, Rob Crittenden <[email protected]>:

    Konstantin M. Khankin via FreeIPA-users wrote:
     > Hi!
     >
     > Bumping this thread. Anyone has any ideas?

    I'd uninstall the replica and ensure that all remnants are gone with:

    $ ipa server-del <host>
    $ ipa host-del <host>

    And if you're extra paranoid, do an LDIF dump of the database and sift
    through that.

    rob

     >
     > Thanks!
     >
     >
     > Sun, 9 Aug 2020, 08:23 Konstantin M. Khankin
     > <[email protected]>:
     >
     >     Hi!
     >
     >     I run IPA on CentOS 7. I have two servers (Leader and Replica,
     >     though they changed roles a couple of times because of reinstalls),
     >     had ca and domain services on both of them, replication set up and
     >     working. I had to switch off Replica for 6 months. When I turned it
     >     on recently, I found expired certificates, couldn't fix them easily
     >     and lost the old Replica - at least I concluded it was easier to
     >     reinstate the Replica than to detangle the mess I made while I was
     >     trying to back out of outdated certs. I hit the same error as I do
     >     now though - Invalid Credentials (49).
     >
     >     So I did the following:
     >
     >     1) on Replica - ipa-server-install --uninstall.
     >     2) on Leader - ipa-replica-manage del --force --clean Replica.
     >     3) removed obsolete replication agreement meToReplica from Leader.
     >     4) removed all traces of Replica from DNS.
     >
     >     Then I started to install Replica from scratch:
     >
     >     1) ipa-client-install
     >     2) ipa-replica-install --setup-ca --setup-dns --forwarder X
     >     --forwarder Y
     >
     >     Installation consistently fails with:
     >
     >     '''
     >     Run connection check to master
     >     Connection check OK
     >     Configuring directory server (dirsrv). Estimated time: 30 seconds
     >     <...>
     >       [29/42]: setting up initial replication
     >     Starting replication, please wait until this has completed.
     >     Update in progress, 16 seconds elapsed
     >     [ldap://Leader:389] reports: Update failed! Status: [Error (49) -
     >     LDAP error: Invalid credentials]
     >
     >       [error] RuntimeError: Failed to start replication
     >     '''
     >
     >     Logs from Leader, /var/log/dirsrv/slapd-DOMAIN/errors:
     >
     >     '''
     >     [<DATE>] - ERR - NSMMReplicationPlugin - bind_and_check_pwp -
     >     agmt="cn=meToReplica.domain" (Replica:389) - Replication bind with
     >     GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
     >     '''
     >
     >     I verified clocks on both Replica and Leader - they show the same
     >     time (within 1-2 seconds diff window). In fact, at some point I had
     >     Replica taking time straight from Leader, before they were set up to
     >     use the other common source. I dumped traffic between Leader and
     >     Replica - indeed, Leader tried to authenticate on Replica and
     >     Replica replies "Invalid credentials".
     >
     >     I googled this error and read multiple email threads but nothing
     >     helped so far. Replica works fine as IPA client but can't get
     >     promoted to a replica.
     >
     >     What am I missing?
     >
     >     Thanks!
     >
     >     --
     >     Khankin Konstantin
     >
     >
     > _______________________________________________
     > FreeIPA-users mailing list -- [email protected]
     > To unsubscribe send an email to [email protected]
     > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
     > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
     > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
     >



--
Ханкин Константин
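Added example, not code from the thread, from FreeIPA or from 389-ds: a small Python script that does the "look for Replica.domain in the ldif files" step from flo's reply properly. ldapsearch folds long lines by default unless you pass `-o ldif-wrap=no`, and writes non-printable or non-ASCII values base64-encoded after `::`, so a plain grep of /tmp/db.ldif and /tmp/config.ldif can miss a hostname that is split across a fold or sits inside an encoded value (the RUV element `{replica N ldap://host:389}` is a typical victim). The script unwraps and decodes first, then reports every entry whose DN or attribute values still mention the host, including the IPA DNS record that is keyed on the short name only. SAMPLE_LDIF is constructed for the demonstration and mimics what a half-removed replica leaves behind (agreement under cn=config, RUV tombstone, cn=masters entry, ldap/ service principal, idnsname record); the host names, CSNs and address in it are made up.

```python
"""Find leftover references to a decommissioned FreeIPA replica in LDIF dumps.
Added example (not from the thread or FreeIPA); see naive_grep for what grep misses."""
import base64
import re
from typing import Dict, Iterator, List, Tuple

def unwrap_ldif(text: str) -> Iterator[List[str]]:
    """Yield one record (list of logical lines) per entry, joining folded lines."""
    record: List[str] = []
    for raw in text.splitlines():
        if not raw:                             # blank line ends the record
            if record:
                yield record
                record = []
        elif raw.startswith(" ") and record:    # RFC 2849: leading space = continuation
            record[-1] += raw[1:]
        else:
            record.append(raw)
    if record:
        yield record

def parse_record(lines: List[str]) -> Tuple[str, Dict[str, List[str]]]:
    """Split a record into (dn, {attr: [values]}); 'attr:: x' values are base64."""
    dn, attrs = "", {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def reference_pattern(fqdn: str) -> "re.Pattern[str]":
    """Match the FQDN anywhere, plus IPA's DNS entry for the host, which is keyed
    on the relative name only: idnsname=<short>,idnsname=<zone>.,cn=dns,..."""
    short = fqdn.split(".", 1)[0]
    return re.compile(r"%s|idnsname=%s," % (re.escape(fqdn), re.escape(short)), re.I)

def find_references(ldif_text: str, fqdn: str) -> List[Tuple[str, List[str]]]:
    """[(dn, where)] per entry still mentioning the replica; 'where' lists 'dn'
    and/or the attribute names whose (unfolded, decoded) values matched."""
    pat = reference_pattern(fqdn)
    hits = []
    for rec in unwrap_ldif(ldif_text):
        dn, attrs = parse_record(rec)
        if not dn:
            continue
        where = ["dn"] if pat.search(dn) else []
        where += [a for a, vals in attrs.items() if any(pat.search(v) for v in vals)]
        if where:
            hits.append((dn, where))
    return hits

def naive_grep(ldif_text: str, fqdn: str) -> List[str]:
    """DNs of records where some raw (folded, undecoded) line contains the FQDN."""
    found = []
    for block in ldif_text.strip().split("\n\n"):
        lines = block.splitlines()
        if any(fqdn.lower() in line.lower() for line in lines):
            found.append(lines[0].partition(": ")[2])
    return found

# Constructed sample (suffix and cn=config dumps concatenated), not real data;
# it mimics what a half-removed replica leaves behind in a FreeIPA tree.
SAMPLE_LDIF = """\
dn: cn=meToreplica.domain,cn=replica,cn=dc\\=domain,cn=mapping tree,cn=config
cn: meToreplica.domain
nsDS5ReplicaHost: replica.domain
description:: bWUgdG8gcmVwbGljYS5kb21haW4=

dn: nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff,dc=domain
nsds50ruv: {replicageneration} 5f3a0c0f000000040000
nsds50ruv: {replica 4 ldap://leader.domain:389} 5f3a0c100000000400
 00 5f3d2a9f000000040000
nsds50ruv: {replica 5 ldap://repl
 ica.domain:389} 5f3a0c20000000050000 5f3b119a000000050000

dn: cn=replica.domain,cn=masters,cn=ipa,cn=etc,dc=domain
cn: replica.domain

dn: krbprincipalname=ldap/replica.domain@DOMAIN,cn=services,cn=accounts,dc=domain
krbPrincipalName: ldap/replica.domain@DOMAIN
managedBy: fqdn=replica.domain,cn=computers,cn=accounts,dc=domain

dn: idnsname=replica,idnsname=domain.,cn=dns,dc=domain
aRecord: 192.0.2.10

dn: uid=admin,cn=users,cn=accounts,dc=domain
uid: admin
"""

if __name__ == "__main__":  # for a real server, read /tmp/db.ldif + /tmp/config.ldif instead
    print("grep alone flags", len(naive_grep(SAMPLE_LDIF, "replica.domain")), "entries")
    for dn, where in find_references(SAMPLE_LDIF, "replica.domain"):
        print(dn, "->", ", ".join(where))
```

On the sample, grep surfaces only three of the five stale entries; the folded RUV element and the DNS record are the two it misses. Of what the script reports, the cn=config agreement and the cn=masters entry are what `ipa server-del --force` removes, a stale `{replica N ...}` element in nsds50ruv is what `ipa-replica-manage list-ruv` and `clean-ruv` are for, and the ldap/ principal and DNS record are what `ipa host-del` (with --updatedns for the record) should have taken with it; hand-editing with ldapmodify is the fallback once those commands have nothing left to delete.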
