[Freeipa-users] Loss of initial master in multi master setup

Rob Crittenden rcritten at redhat.com
Thu Dec 1 14:38:16 UTC 2016


Martin Babinsky wrote:
> On 12/01/2016 01:28 PM, Neal Harrington | i-Neda Ltd wrote:
>> Hi IPA Gurus,
>>
>>
>> I had a 3 site multi master IPA replication setup (1 office and 2
>> datacentres) with 2 IPA servers at each site. Each server was
>> replicating successfully to 3 other servers (the other local site server
>> and one server at each of the two remote sites). Everything is running
>> on the default packages from CentOS 7.2 and each server is a full
>> replica (ipa-replica-install
>> /var/lib/ipa/replica-info-id-myserver.fqdn.com.gpg  --setup-ca
>> --setup-dns --mkhomedir --forwarder 8.8.8.8)
>>
>>
>> Everything was ticking over nicely until we had notice that the
>> office site was moving on short notice.
>>
>>
>> I successfully created IPA servers at the new site, set up replication
>> again between the new office and the two datacentres that were to remain
>> online, tested and everything worked as expected - unfortunately in the
>> rush I did not have time to properly retire the IPA servers in the old
>> office.
>>
>>
>> The problem this has caused is that I only ever created users in one of
>> the IPA servers in the original office - so only those servers have a
>> DNA range and I am now unable to create new users on the active servers.
>> The original office servers are still in the IPA replication and powered
>> on but offline so potential split brain?
>>
>>
>> I now have two things I would like to know before proceeding:
>>
>>   * Is the best fix here to force remove the original IPA servers and
>>     manually add a new dna range significantly different from the
>>     original to avoid overlaps?
>>   * Is there anything else I should check? I can't see any issues
>>     however did not notice the DNA range until I tried to create a user.
>>
>> Any pointers greatly appreciated.
>>
>>
>> Thanks,
>>
>> Neal.
>>
> 
> Hi Neal,
> 
> If you already disconnected/decommissioned the old masters then I think
> the best you can do is option a, i.e. re-set DNA ranges on replicas to
> new values while avoiding overlap with old ranges.
> 
> We have an upstream document[1] describing the procedure. Hope it helps.
> 
> Also make sure that you migrated CA renewal and CRL master
> responsibilities to the new replicas, otherwise you may get problems
> with expiring certificates which are really hard to solve. See the
> following guide for details. [2]
> 
> [1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
> [2] http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
> 

You may want to look at this too, http://blog-rcritten.rhcloud.com/?p=50

rob
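As an added illustration of the "avoid overlap with old ranges" advice (this is not code from the thread or from the FreeIPA project): a small Python helper that parses constructed `ipa-replica-manage dnarange-show` output, keeps the lost masters' ranges reserved so a powered-on-but-offline master cannot later hand out colliding IDs, and prints the `dnarange-set` commands for the surviving replicas. The `host: start-end` / `host: No range set` output format is an assumption about the tool; check it against your own installation before relying on it.

```python
import re

# Assumed output format of `ipa-replica-manage dnarange-show`:
#   host.example.com: 1001-200000
#   host.example.com: No range set
LINE_RE = re.compile(
    r"^(?P<host>\S+):\s+(?:(?P<start>\d+)-(?P<end>\d+)|No range set)\s*$")


def parse_dnarange_show(text):
    """Return {host: (start, end)} or {host: None} for hosts without a range."""
    ranges = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised dnarange-show line: %r" % line)
        if m.group("start"):
            ranges[m.group("host")] = (int(m.group("start")), int(m.group("end")))
        else:
            ranges[m.group("host")] = None
    return ranges


def overlaps(a, b):
    """True if inclusive ranges a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def plan_new_ranges(ranges, lost_hosts, size=200000, gap=100000):
    """Assign each surviving host that has no range a fresh block placed
    above every range already known, including those of the lost masters,
    separated by `gap` IDs.  Returns (assignments, commands)."""
    used = [r for r in ranges.values() if r]
    next_start = (max(end for _, end in used) + gap + 1) if used else 1001
    assignments = {}
    for host in sorted(ranges):
        if host in lost_hosts or ranges[host]:
            continue
        new = (next_start, next_start + size - 1)
        if any(overlaps(new, r) for r in used):
            raise RuntimeError("planned range %r overlaps an existing one" % (new,))
        assignments[host] = new
        used.append(new)
        next_start = new[1] + 1
    commands = ["ipa-replica-manage dnarange-set %s %d-%d" % (h, s, e)
                for h, (s, e) in assignments.items()]
    return assignments, commands


# Constructed sample: only the old office masters ever received a range.
SAMPLE = """\
ipa1.oldoffice.example.com: 1001-200000
ipa2.oldoffice.example.com: 200001-400000
ipa1.dc1.example.com: No range set
ipa1.dc2.example.com: No range set
"""
LOST = {"ipa1.oldoffice.example.com", "ipa2.oldoffice.example.com"}

if __name__ == "__main__":
    for cmd in plan_new_ranges(parse_dnarange_show(SAMPLE), LOST)[1]:
        print(cmd)
```

Run the printed commands on a surviving master only after the old masters are actually removed from the topology; if one of them is ever reconnected, its reserved range still does not collide with the new blocks.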