Dear FreeIPA Community,

We're having a problem joining a host to an IPA realm.

We created a host account in the realm and added that host to the IPA replicas 
group.

We installed the ipa-client and ipa-server RPMs on the incoming replica 
(host2). We used ipa-client-install, then used ipa-replica-install to upgrade 
it to a replica; the data replication phase inside the replica-install process 
failed because the time on the replica was many hours in advance of the 
existing master/replica in the realm.

In other failed installs where this occurs (typically VM development 
environments where snapshotting is frequent), we've had success forcing removal 
of the failed replica using ipa host-del <hostname> --force, or if necessary an 
'ipa-replica-manage clean-dangling-ruv' or 'ipa-replica-manage clean-ruv <n>' 
to help remove left-over data. Should that fail, manually removing the LDAP 
entry corresponding to the incoming host is necessary. The stale entry is:
cn=meTohost2.system,cn=replica,cn=dc\3Dsystem,cn=mapping tree,cn=config

When we attempt to delete that entry in the LDAP tree, 389-ds rejects the 
operation and logs the message: "RESULT err=53 tag=107 nentries=0 
etime=0.0002043881 - Entry is managed by topology plugin.Deletion not allowed".

How can we remove data from the replica to attempt to re-join the failed host?

Both the incoming replica and existing realm master/replica are running CentOS 
7.6:
ipa-client-4.6.4-10.el7.centos.3.x86_64
ipa-client-common-4.6.4-10.el7.centos.3.noarch
ipa-common-4.6.4-10.el7.centos.3.noarch
ipa-server-4.6.4-10.el7.centos.3.x86_64
ipa-server-common-4.6.4-10.el7.centos.3.noarch

Thanks in advance,
Rob

  
