Jernej Jakob wrote:
> On Wed, 1 Feb 2023 10:00:56 -0500
> Rob Crittenden <[email protected]> wrote:
>>
>> Since the ipa3 installation failed I'd start by uninstalling the remnants.
>>
>> You can use ipa-replica-manage dnarange-set on ipa2 to set the range to
>> cover your entire range. I'd encourage you to find the highest value
>> already used just to avoid a bunch of overlap searching in the DNA plugin.
>>
>> You can get a rough estimate of the last issued value with a search like:
>>
>> ldapsearch -LLL -Q -Y GSSAPI -b cn=accounts,dc=example,dc=test uidnumber gidnumber | cut -d: -f2 | sort -un
>>
>> If you want to test it before trying another replica install create a
>> test user or group and it should get a uid/gid.
>>
>> On the next replica install it should give the new server half the
>> remaining range.
>>
>> rob
>>
>
> Thanks. I managed to install the replica successfully.
>
> The ldapsearch command showed there were two ranges of used IDs.
> 792600000-792600036 and 792700504-792700509. (I think the first was assigned
> to ipa1 - the now uninstalled replica, the second to ipa2)
> So I chose 792600040-792700499 as dnarange for ipa2.
> I also set 792700510-792799999 as dnanextrange for ipa2.
>
> Then I could add the new replica with no problem. It chose
> 792750501-792799999 as the range for the new replica, taken from dnanextrange
> for ipa2. I don't think that will be a problem as I'm very unlikely to
> ever need more IDs.
>
> I also had a problem when uninstalling the failed replica from the
> last attempt that ended at this "Failed to add fallback group." error.
> I had done this a couple times before (due to other errors) and always
> used the procedure:
> - 'ipa-server-install --uninstall'
> - on ipa2: 'ipa-replica-manage clean-dangling-ruv' (as there were
>   always leftover RUVs that the uninstall didn't delete)
> - checked there wasn't a leftover topology or server
> - then re-ran ipa-client-install and ipa-replica-install.
>
> This time the 'clean-dangling-ruv' step did not complete.
> It removed the RUV for 'domain' but could not delete the 'ca' RUV.
> Unfortunately the slapd error log got rotated which deleted the error
> in question but I know it was
> "Unable to acquire replica: error: duplicate replica ID detected" from
> my search history.
> I could not find any relevant info on this ruv cleanup error.
> I tried cancelling and resubmitting the cleanup but it never succeeded.
> So I restored the server to a snapshot I made a couple days ago before
> I started trying to add a new replica. After this I was able to install
> the replica successfully.
>
> I also registered on the Red Hat Customer Portal which allowed me to
> view the knowledgebase docs. They were helpful in pointing me to
> relevant docs pages.
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/adjusting-id-ranges-manually_configuring-and-managing-idm
>

Glad you got it working. For future knowledge, there are also list-ruv
and clean-ruv options to ipa-replica-manage to help ferret out invalid
RUVs individually.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
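
Added example, not part of the thread and not FreeIPA code: a shell helper that collapses the output of the ldapsearch pipeline quoted above into contiguous used clusters and the free gaps between them, which is how the two used ranges and the candidate dnarange values in the message can be read off. The function names, the sample IDs and the overall range 792600000-792799999 are assumptions constructed from the values mentioned in the message.

```shell
#!/bin/sh
# id_ranges MIN MAX: read ID values on stdin (one per line, any order) and
# print "used A-B" clusters and "free A-B" gaps inside the range MIN..MAX.
# MIN and MAX are the overall ID range of the domain (assumed known).
id_ranges() {
    sort -un | awk -v min="$1" -v max="$2" '
        # Print the gap before the current cluster, then the cluster itself.
        function emit() {
            if (start == "") return
            if (start > next_free) printf "free %d-%d\n", next_free, start - 1
            printf "used %d-%d\n", start, prev
            next_free = prev + 1
        }
        BEGIN { min += 0; max += 0; next_free = min; start = "" }
        # Skip lines that are not a single bare number, such as the dn
        # fragments that the cut step leaves in the stream.
        NF != 1 || $1 !~ /^[0-9]+$/ { next }
        { id = $1 + 0 }
        # Ignore IDs issued outside the range being examined.
        id < min || id > max { next }
        start == "" { start = prev = id; next }
        id == prev + 1 { prev = id; next }
        { emit(); start = prev = id }
        END {
            emit()
            if (next_free <= max) printf "free %d-%d\n", next_free, max
        }'
}

# Constructed sample shaped like the two clusters described in the message,
# plus one non-numeric line of the kind a dn entry produces after cut.
sample_ids() {
    awk 'BEGIN {
        for (i = 792600000; i <= 792600036; i++) print " " i
        for (i = 792700504; i <= 792700509; i++) print " " i
        print " uid=admin,cn=users,cn=accounts,dc=example,dc=test"
    }'
}

# Against a live server, feed it the pipeline from the message:
#   ldapsearch -LLL -Q -Y GSSAPI -b cn=accounts,dc=example,dc=test \
#       uidnumber gidnumber | cut -d: -f2 | id_ranges 792600000 792799999
```

Run `sample_ids | id_ranges 792600000 792799999` to see the output for the constructed data; any range handed to dnarange-set or dnanextrange-set should fall entirely inside a `free` line.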
