[Freeipa-users] What to do next???: IPA replica host entry is removed on web UI by mistake

Rob Crittenden rcritten at redhat.com
Wed May 16 20:11:24 UTC 2012


David Copperfield wrote:
> Hi all,
>
> I accidentally removed one of my IPA replica hosts on the IPA web UI by
> mistake, on the host list I planned to remove ipaclient02.example.com,
> but accidentally the mouse moved to ipareplica02.example.com and the
> latter got removed without a prompt.
>
> I realized the mistake and tried to recover from this disaster but it
> was already too late, the change propagated to all the replicas and the
> poor ipareplica02 now stops functioning.
>
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa service-find
> ipa: ERROR: cannot connect to
> u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa user-find
> ipa: ERROR: cannot connect to
> u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]# ipa host-find
> ipa: ERROR: cannot connect to
> u'https://ipareplica02.qe9.jigsaw.com/ipa/xml': Internal Server Error
> [root at ipareplica02 slapd-EXAMPLE-COM]#
>
> On the IPA master, it was found that ipareplica02 didn't show up in
> 'host-find' list or 'service-find' list. Though it still showed in the
> master list reported by 'ipa-replica-manage' and 'ipa-csreplica-manage',
> the real command 'ipa-replica-manage list ipareplica02' fails with LDAP
> couldn't reach error.
>
> What should I do now? Are there any other ways to recover besides
> uninstall and reinstall of IPA replica ipareplica02?
>
> BTW, it will be more than appreciated if the web UI could pop up a
> warning prompt when removing host/services entries associated with IPA
> masters and IPA replicas.
> Thanks.
>
> --David

On a working master try re-creating the host and re-adding the services. 
You'll probably want to use the fqdn in place of ipareplica02 here. The 
case of the services is important. I'm assuming this master is not 
running dogtag or DNS.

# ipa host-add ipareplica02
# ipa service-add ldap/ipareplica02
# ipa service-add HTTP/ipareplica02
# mkdir /tmp/ipareplica02
# ipa-getkeytab -s <master> -k /tmp/ipareplica02/ds.keytab -p ldap/ipareplica02
# ipa-getkeytab -s <master> -k /tmp/ipareplica02/ipa.keytab -p HTTP/ipareplica02

Copy these files to ipareplica02.

ds.keytab goes in /etc/dirsrv/
ipa.keytab goes in /etc/httpd/conf/

I'd run restorecon on both.

Perms should be 0600 dirsrv:dirsrv on ds.keytab and 0600 root:root on 
ipa.keytab.

# ipactl restart

You'll need to restart the dirsrv service (or ipactl restart) on all 
your other masters to pick up the new ldap service principal.

In theory you should have a working system again. The only downside is 
the certs being used aren't reflected in your service entries any more. 
I don't believe this will affect automated renewal so if you don't care 
about that you're done.

If you are using dogtag as your CA your SSL certs have been revoked though.

To fix this we can try to get certmonger to refresh them.

# ipa-getcert list
find the ID for the /etc/dirsrv/slapd-<YOURINSTANCE> cert
# ipa-getcert resubmit -i <ID>

Run ipa-getcert list again to see the status. It should be MONITORING 
and the expires date should have changed.

Assuming that worked do the same for the Apache cert (in /etc/httpd/alias).

Restart dirsrv and httpd services or ipactl restart.

We block deleting master hosts and services in FreeIPA 2.2.

rob

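The recovery procedure from the reply above, collected into one script so the steps run in order and the keytab permissions are checked before anything is restarted. This is an added example, not Rob's own code and not part of FreeIPA. It assumes a valid admin ticket on a working master, a replica that runs only the directory server and HTTP (no dogtag, no DNS), Linux with GNU `stat`, and that the tracked server certificates use the nickname `Server-Cert` (the FreeIPA default); the subcommand names `master`, `replica` and `certs` and the staging directory `/tmp/<replica>` are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeIPA): the recovery
# steps from the reply above, as functions. Assumptions: an admin ticket on a
# working master; the replica runs only DS and HTTP (no dogtag, no DNS);
# Linux with GNU stat; the tracked certs use the nickname Server-Cert.
set -eu

# Phase 1, on a working master: re-create the host and service entries the
# web UI deleted and fetch fresh keytabs for them. ipa-getkeytab generates a
# new key, so the replica's old keytabs are useless afterwards by design.
recreate_replica_entries() {
    replica=$1   # FQDN of the broken replica
    master=$2    # FQDN of a working master
    out=$3       # directory that receives the keytabs
    mkdir -p "$out"
    ipa host-add "$replica"
    # principal case matters: ldap/ is lower case, HTTP/ is upper case
    ipa service-add "ldap/$replica"
    ipa service-add "HTTP/$replica"
    ipa-getkeytab -s "$master" -p "ldap/$replica" -k "$out/ds.keytab"
    ipa-getkeytab -s "$master" -p "HTTP/$replica" -k "$out/ipa.keytab"
}

# Phase 2, on the replica: put a keytab in place with the owner, mode and
# SELinux label the daemon expects.
install_keytab() {
    src=$1; dst=$2; owner=$3; group=$4
    cp "$src" "$dst"
    chown "$owner:$group" "$dst"
    chmod 0600 "$dst"
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dst" || :
    fi
}

# Return 0 only when the keytab exists, is mode 0600 and is owned by
# owner:group; anything looser is refused before services are restarted.
check_keytab_perms() {
    f=$1; owner=$2; group=$3
    [ -f "$f" ] || return 1
    [ "$(stat -c '%a %U %G' "$f")" = "600 $owner $group" ]
}

# Phase 3, only when the CA is dogtag (it revoked the old certs): ask
# certmonger to re-issue the tracked cert in one NSS database.
resubmit_cert() {
    nssdb=$1   # /etc/dirsrv/slapd-<INSTANCE> or /etc/httpd/alias
    id=$(ipa-getcert list -d "$nssdb" -n Server-Cert \
         | sed -n "s/^Request ID '\(.*\)':$/\1/p")
    [ -n "$id" ] || { echo "no tracked cert found in $nssdb" >&2; return 1; }
    ipa-getcert resubmit -i "$id"
    # expect status MONITORING and a new expiry once certmonger is done
    ipa-getcert list -i "$id" | grep -E 'status|expires'
}

case "${1:-}" in
    master)  recreate_replica_entries "$2" "$3" "/tmp/$2" ;;
    replica) install_keytab ./ds.keytab  /etc/dirsrv/ds.keytab      dirsrv dirsrv
             install_keytab ./ipa.keytab /etc/httpd/conf/ipa.keytab root   root
             check_keytab_perms /etc/dirsrv/ds.keytab dirsrv dirsrv
             check_keytab_perms /etc/httpd/conf/ipa.keytab root root
             ipactl restart ;;
    certs)   resubmit_cert "$2"; resubmit_cert /etc/httpd/alias ;;
    *)       : ;;   # no subcommand: only define the functions
esac
```

Usage, in the order of the reply: on a working master run `sh restore-replica.sh master ipareplica02.example.com <master-fqdn>`, copy `/tmp/ipareplica02.example.com/ds.keytab` and `ipa.keytab` to the replica, then on the replica run `sh restore-replica.sh replica` from the directory holding the two files. `check_keytab_perms` runs before `ipactl restart` so a keytab left world-readable or owned by the wrong user stops the script rather than starting a directory server that cannot read its key. Restart dirsrv on every other master afterwards so they pick up the new ldap principal. Only if the CA is dogtag, run `sh restore-replica.sh certs /etc/dirsrv/slapd-<INSTANCE>`, which resubmits the DS cert and then the Apache cert in `/etc/httpd/alias`; certmonger may report SUBMITTING for a moment, so re-run `ipa-getcert list` until the status reads MONITORING and the expiry has moved.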