[Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

JR Aquino JR.Aquino at citrix.com
Wed May 16 19:57:46 UTC 2012 

On May 16, 2012, at 12:23 PM, David Copperfield wrote:

> Hi all,
> 
>  I accidentally removed one of my IPA replica host on IPA web UI by mistake, on the host list I planed to remove ipaclient02.example.com, but accidentally the mouse moved to ipareplica02.example.com and the latter got removed without a prompt.
> 
> I realized the mistake and tried to recover from this disaster but it was already too late, the change propagated to all the replicas and the poor ipareplica02 now stops functioning.
> 
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# 
> 
> On the IPA master, It was found that ipareplica02 didn't show up in 'host-find' list or 'service-find' list. Though it still showed in the master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage', the real command 'ipa-replica-manage list ipareplica02' fails with LDAP could't reach error.
> 
> What should I do now? Is there are any other ways to recover besides uninstall and reinstall of IPA replica ipareplica02?
> 
>  BTW, it will be more than appreciated if the web UI could pop up a warning prompt when removing host/services entries associated with IPA masters and IPA replicas. 

Been there... Done that... The bug is fixed in 2.2... It will prompt and prevent you from deleting a replica host if there is an agreement.

To clean up...

0. On the master replica: ipa-replica-manage del ipareplica02.example.com --force
-This will delete the replica agreement for the host.

1. $ ldapsearch -xLLL -D "cn=directory manager" -W -b dc=example,dc=com \
 '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'

Look for your your nsds50ruv that matches your ghost replica.

2. Create an ldif following the directions here: http://directory.fedoraproject.org/wiki/Howto:CLEANRUV
Something like:

$ cat cleanup.ldif
dn: cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
replace: nsds5task
nsds5task: CLEANRUV## <- ## == The ReplicaID number for the ghost replica.

3. Run on all of the remaining replicas: ldapmodify -x -D "cn=directory manager" -W -f fixed.ldif
- This removes the ghost entry.

4. on the broken replica: ipa-server-install --uninstall

5. Follow the normal directions for 'installing a replica'
- on master: ipa-replica-prepare ipareplica02.example.com
- scp /path/to/ipareplica02.example.com.gpg  ipareplica02.example.com: ipareplica02.example.com.gpg
- on replica: ipa-replica-install  ipareplica02.example.com --whatever_options_you_used_previously

6. Check to make sure the server was built correctly and command work as expected: kinit admin, ipa user-find, ipa host-find, id admin, etc etc

7. Sigh and drink coffee

> Thanks.
> 
> --David
> From: Rich Megginson <rmeggins at redhat.com>
> To: Ben Ho <ben13ho at hotmail.com> 
> Cc: freeipa-users at redhat.com 
> Sent: Tuesday, May 15, 2012 5:33 PM
> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
> 
> On 05/15/2012 02:49 PM, Ben Ho wrote:
>> This is the information I retrieved about my server.
>> 
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> CentOS release 6.2
>> 389-ds-base-1.2.9.14-1.el6_2.2.x86_64
>> 
>> Thanks again.
> 
> Is replication otherwise working?
> 
>> 
>> -Ben
>> 
>> Date: Tue, 15 May 2012 13:15:46 -0600
>> From: rmeggins at redhat.com
>> To: ben13ho at hotmail.com
>> CC: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Help with ipa-replica-manage
>> 
>> On 05/15/2012 01:00 PM, Ben Ho wrote:
>> Hello,
>>   I am pretty new to IPA.  Right now I have three servers that are running IPA.  I am trying to replicate one server to two other servers.  I use this command:
>> 
>> ipa-replica-manage re-initialize --from example2.edu
>> 
>>   On the first server I need to replicate, it works fine.  However, on the second server I get this message in my log files.  The errors get printed out once every 1 to 5 minutes.
>> 
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:43 -0400] NSMMReplicationPlugin - agmt="cn=meToexample1.edu" (example1:389): Warning: unable to replicate schema: rc=1
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Schema replication update failed: Type or value exists
>> [15/May/2012:14:22:47 -0400] NSMMReplicationPlugin - agmt="cn=meToexample2.edu" (example2:389): Warning: unable to replicate schema: rc=1
>> 
>> 
>>   Again, I am pretty new to this, so any help or tips would be appreciated.
>> 
>> What platform and what version of 389-ds-base and ipa-server for all of your servers?
>> 
>> 
>>   Thanks!
>> 
>> -Ben
>> 
>> 
>> 
>> _______________________________________________
>> Freeipa-users mailing list
>> 
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> 
> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list