[Freeipa-users] replica failed to uninstall cleanly

Rob Crittenden rcritten at redhat.com
Fri Jun 29 15:00:11 UTC 2012


David Spångberg wrote:
> Hello
>
> I have a problem similar to the problem George He talked about last week
> in this mailing list:
>
> - http://article.gmane.org/gmane.linux.redhat.freeipa.user/4895
>
> Basically I have an IPA master running and wanted to set up a replica.
> However the CA installation step failed and the `ipa-replica-install'
> script informed me to perform a `ipa-server-install --uninstall' which I
> did. I then ran `ipa-replica-install' without the `--setup-ca' flag
> thinking I could use `ipa-ca-install' later.
>
> I got informed that the host already existed on the master and to run
> `ipa-replica-manage del' to remove it. If I remember correctly this
> command failed complaining about not being able to connect to the ldap
> service. I then tried and failed with the `--force' flag which was
> discussed in George He's thread. This is what it looks like for me now:
>
> At the replica server:
>> $ ipa-replica-install /var/lib/ipa/replica-info-ipa2.example.com.gpg
>> ...
>> The host ipa2.example.com already exists on the master server. Depending
>> on your configuration, you may perform the following:
>>
>> Remove the replication agreement, if any:
>>      % ipa-replica-manage del ipa2.example.com
>> Remove the host entry:
>>      % ipa host-del ipa2.example.com
>
> At the master server:
>> $ ipa-replica-manage list
>> ipa2.example.com: master
>> ipa.example.com: master
>
>> $ ipa-replica-manage del ipa2.example.com
>> 'ipa.example.com' has no replication agreement for 'ipa2.example.com'
>
>> $ ipa-replica-manage --force ipa2.example.com
>> 'ipa.example.com' has no replication agreement for 'ipa2.example.com'
>
>> $ ipa host-del ipa2.drutt.com
>> ipa: ERROR: invalid 'hostname': An IPA master host cannot be deleted or
>> disabled
>
> It seems like `ipa-replica-manage' succeeded to remove just enough
> entries in the ldap service to fool the `ipa-replica-manage del' command
> but not enough to really uninstall it. Checking the output of for example
> `ldapsearch -D "cn=Directory Manager" -w pass -LLL -x cn=ipa-http-delegation'
> seems to confirm this.

There is a bug in the installer: if tomcat never starts, we don't
record the fact that the CA was ever created, causing the uninstall to be
incomplete. It is unclear whether this is the same problem.

This is unrelated to ipa-replica-manage; it never did anything (no
replication agreement).

You are searching in the wrong location for IPA masters, try this instead:

ldapsearch -D "cn=Directory Manager" -w pass -LLL -x -b cn=masters,cn=ipa,cn=etc,dc=example,dc=com

My guess is there will be just a CA entry for replica2. Use ldapdelete 
to remove any entries for replica2 and you should be able to install.

Note that trying to install IPA then adding the CA when the previous 
attempt failed is not likely to succeed either. The underlying reason 
why the CA install failed needs to be addressed.

rob
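
Added example, not part of the message above and not FreeIPA code: a shell helper that filters the output of the ldapsearch Rob suggests down to the entries for the failed replica and orders them children first, ready for ldapdelete. The sample LDIF is constructed; the helper assumes plain (not base64) DNs with no escaped commas, and the file name stale-dns.txt is arbitrary.

```shell
# Added example: list stale cn=masters entries for one host, children first.
# Suffix and hostnames follow the thread's example.com values.
MASTERS_BASE="cn=masters,cn=ipa,cn=etc,dc=example,dc=com"

# stdin: LDIF from ldapsearch -LLL; $1: replica FQDN; $2: masters container.
# stdout: DN of the host entry and everything below it, deepest first, since
# the directory server refuses to delete an entry that still has children.
stale_master_dns() {
    host=$1 base=$2
    awk -v top="cn=$host,$base" '
        function flush(   l, t, n) {
            if (dn == "") return
            l = tolower(dn); t = tolower(top)
            # Match the host entry itself or any DN ending in ",<host entry>".
            if (l == t || substr(l, length(l) - length(t)) == "," t) {
                n = gsub(/,/, ",", l)       # comma count = depth in the tree
                print n "\t" dn
            }
            dn = ""
        }
        # LDIF folds long lines; a continuation line starts with one space.
        /^ /    { if (indn) dn = dn substr($0, 2); next }
                { flush(); indn = 0 }
        /^dn: / { dn = substr($0, 5); indn = 1 }
        END     { flush() }
    ' | LC_ALL=C sort -rn | cut -f2-
}

# Constructed sample of ldapsearch output (last DN is folded, as LDIF allows).
sample_ldif() {
cat <<'EOF'
dn: cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

dn: cn=CA,cn=ipa.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

dn: cn=ipa2.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com

dn: cn=CA,cn=ipa2.example.com,cn=masters,cn=ipa,cn=etc,dc=exa
 mple,dc=com
EOF
}

sample_ldif | stale_master_dns ipa2.example.com "$MASTERS_BASE"

# On the master (-W prompts for the password; 1.1 requests DNs only):
#   ldapsearch -x -D "cn=Directory Manager" -W -LLL -b "$MASTERS_BASE" 1.1 \
#     | stale_master_dns ipa2.example.com "$MASTERS_BASE" > stale-dns.txt
#   ldapdelete -x -D "cn=Directory Manager" -W -f stale-dns.txt
```

Review stale-dns.txt before passing it to ldapdelete; only entries for the failed replica should appear in it.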



