Hi, the recommended way to uninstall a replica and reinstall it is described in the doc:

1. Uninstall the replica (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/Uninstalling_IPA_Servers) with ipa server-del and ipa-server-install --uninstall
2. Re-install the replica as if it was a new one: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/creating-the-replica
Was there any reason to back up files and restore them? The replica installation should re-create everything.

flo

On Wed, May 26, 2021 at 7:32 AM Robert.Mattson--- via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Dear Community,
>
> I'd like to uninstall and reinstall IPA from a CentOS box because it's easier than reinstalling the OS completely.
> We have a number of replicas, and this host is installed using ipa-client-install and then ipa-replica-install.
> To remove it, I back up some data like /var/kerberos/krb5kdc/{cacert.pem,kd*} and /etc/httpd/conf/password.conf
> and then run '/usr/sbin/ipa-server-install --uninstall -U --ignore-topology-disconnect'.
> I then sed '/Environment=K/d', '/ExecStartPre/d', '/ExecStopPost/d' /etc/systemd/system/httpd.service
>
> I recreate the host account on another replica using ipa host-add, then ipa hostgroup-add-member.
>
> On the now-removed host, I do some housekeeping like restoring the backed up files and then I run:
>
> /usr/sbin/ipa-client-install \
>   --password=${otp} \
>   --mkhomedir \
>   --no-ntp \
>   --unattended \
>   --domain=realm.name \
>   --realm=REALM.NAME \
>   --ca-cert-file=/etc/pki/ca-trust/source/ca.crt
>
> then
>
> /usr/sbin/ipa-replica-install \
>   --dirsrv-cert-file=/etc/pki/tls/private/ipa.pkcs12 \
>   --http-cert-file=/etc/pki/tls/private/ipa.pkcs12 \
>   --dirsrv-pin=pwd \
>   --http-pin=pwd \
>   --unattended \
>   --no-pkinit \
>   --no-ntp
>
> I seem to get the following keytab request problem followed by dirsrv failure from ipa-replica-install (4.6.4-10.el7.centos.3.x86_64). If I upgrade to 4.6.8-5.el7.centos.4.noarch.rpm, I get the same problem. [1]
> On serverb, the host which receives the binding request for the reinstall, I get "permission denied, the bind dn "" does not have permission" in the dirsrv error log...?
>
> Does anyone have any thoughts,
>
> Cheers and many thanks in advance,
> Rob
>
> [1]
> 2021-05-26T02:50:56Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa.conf'
> 2021-05-26T02:50:56Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa.conf' doesn't exist
> 2021-05-26T02:50:56Z DEBUG Backing up system configuration file '/etc/httpd/conf.d/ipa-rewrite.conf'
> 2021-05-26T02:50:56Z DEBUG -> Not backing up - '/etc/httpd/conf.d/ipa-rewrite.conf' doesn't exist
> 2021-05-26T02:50:56Z DEBUG duration: 0 seconds
> 2021-05-26T02:50:56Z DEBUG [10/21]: setting up httpd keytab
> 2021-05-26T02:50:56Z DEBUG raw: service_add(u'HTTP/servera.sys...@realm.name', force=True, version=u'2.230')
> 2021-05-26T02:50:56Z DEBUG service_add(ipapython.kerberos.Principal('HTTP/servera.sys...@realm.name'), force=True, all=False, raw=False, version=u'2.230', no_members=False)
> 2021-05-26T02:50:56Z DEBUG flushing ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket from SchemaCache
> 2021-05-26T02:50:56Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0d29f50368>
> 2021-05-26T02:50:57Z DEBUG raw: host_show(u'servera.system', version=u'2.230')
> 2021-05-26T02:50:57Z DEBUG host_show(u'servera.system', rights=False, all=False, raw=False, version=u'2.230', no_members=False)
> 2021-05-26T02:50:57Z DEBUG Backing up system configuration file '/var/lib/ipa/gssproxy/http.keytab'
> 2021-05-26T02:50:57Z DEBUG -> Not backing up - '/var/lib/ipa/gssproxy/http.keytab' doesn't exist
> 2021-05-26T02:50:57Z DEBUG Starting external process
> 2021-05-26T02:50:57Z DEBUG args=/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.sys...@realm.name -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL
> 2021-05-26T02:50:57Z DEBUG Process finished, return code=9
> 2021-05-26T02:50:57Z DEBUG stdout=
> 2021-05-26T02:50:57Z DEBUG stderr=Failed to parse result: unsupported extended operation
> Retrying with pre-4.0 keytab retrieval method...
> Failed to parse result: unsupported extended operation
> Failed to get keytab!
> Failed to get keytab
>
> 2021-05-26T02:50:57Z DEBUG Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 637, in request_service_keytab
>     super(HTTPInstance, self).request_service_keytab()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
>     self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
>     ipautil.run(args, nolog=nolog)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
> CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.sys...@realm.name -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
>
> 2021-05-26T02:50:57Z DEBUG [error] CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.sys...@realm.name -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
> 2021-05-26T02:50:57Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
>     return_value = self.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 319, in run
>     return cfgr.run()
>   File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 364, in run
>     return self.execute()
>     exc_handler(exc_info)
> <snip />
>   File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 65, in _install
>     for unused in self._installer(self.parent):
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 622, in main
>     replica_install(self)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 406, in decorated
>     func(installer)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1487, in install
>     fstore=fstore)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 173, in install_http
>     subject_base=config.subject_base, master_fqdn=config.master_host_name)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 188, in create_instance
>     self.start_creation()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 570, in start_creation
>     run_step(full_msg, method)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 560, in run_step
>     method()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py", line 637, in request_service_keytab
>     super(HTTPInstance, self).request_service_keytab()
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 742, in request_service_keytab
>     self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
>   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 732, in run_getkeytab
>     ipautil.run(args, nolog=nolog)
>   File "/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 562, in run
>     raise CalledProcessError(p.returncode, arg_string, str(output))
>
> 2021-05-26T02:50:57Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.sys...@realm.name -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
> 2021-05-26T02:50:57Z ERROR Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.sys...@realm.name -H ldapi://%2Fvar%2Frun%2Fslapd-REALM-NAME.socket -Y EXTERNAL' returned non-zero exit status 9
> 2021-05-26T02:50:57Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> [2]
> [26/May/2021:12:50:47.240285166 +1000] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=meToservera.system" (servera:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
> [26/May/2021:12:50:47.858057379 +1000] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meToservera.system" (servera:389)".
> [26/May/2021:12:50:50.679652092 +1000] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished total update of replica "agmt="cn=meToservera.system" (servera:389)". Sent 582 entries.
> [26/May/2021:12:50:52.158394667 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [26/May/2021:12:50:55.079367688 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [26/May/2021:12:50:58.084381230 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [26/May/2021:12:51:01.092727541 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.system" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
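Not part of the thread or of the FreeIPA project: an added shell triage helper that scans the two logs Rob quoted for the failure signatures above, the ipa-getkeytab failure in the ipa-replica-install log [1] and the replication denial for the empty bind DN in the 389-ds errors log [2]. Log paths are taken as arguments; the sample lines it runs over are constructed, with placeholder hostnames.

```shell
#!/bin/sh
# Added triage helper (not from the thread or from FreeIPA). It reports which
# of the two signatures from the thread are present in the supplied logs.
# Exit status: 0 = neither, 1 = ipa-getkeytab failure only,
#              2 = empty-bind-DN replication denial only, 3 = both.
triage_replica_logs() {
    install_log=$1   # e.g. /var/log/ipareplica-install.log on the new replica
    dirsrv_log=$2    # 389-ds errors log of the server that refuses the replication bind
    rc=0
    if grep -q 'ipa-getkeytab .* returned non-zero exit status' "$install_log" 2>/dev/null \
       && grep -q 'Failed to get keytab' "$install_log" 2>/dev/null; then
        if grep -q 'unsupported extended operation' "$install_log"; then
            echo "install log: ipa-getkeytab failed; LDAP server answered 'unsupported extended operation'"
        else
            echo "install log: ipa-getkeytab failed"
        fi
        rc=1
    fi
    if grep -q 'bind dn "" does not have permission to supply replication updates' "$dirsrv_log" 2>/dev/null; then
        # An empty bind DN means the supplier bound anonymously, so the consumer's
        # replication ACIs reject it; the supplier never authenticated.
        echo "dirsrv errors log: consumer rejects replication from an empty (anonymous) bind DN"
        rc=$((rc + 2))
    fi
    return $rc
}

# Constructed sample logs mirroring the thread's lines; hostnames are placeholders.
make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/ipareplica-install.log" <<'EOF'
2021-05-26T02:50:57Z DEBUG stderr=Failed to parse result: unsupported extended operation
Failed to get keytab!
Failed to get keytab
2021-05-26T02:50:57Z ERROR Command '/usr/sbin/ipa-getkeytab -k /var/lib/ipa/gssproxy/http.keytab -p HTTP/servera.example.test@EXAMPLE.TEST -H ldapi://%2Fvar%2Frun%2Fslapd-EXAMPLE-TEST.socket -Y EXTERNAL' returned non-zero exit status 9
EOF
    cat > "$dir/errors" <<'EOF'
[26/May/2021:12:50:50.679652092 +1000] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished total update of replica "agmt="cn=meToservera.example.test" (servera:389)". Sent 582 entries.
[26/May/2021:12:50:52.158394667 +1000] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToservera.example.test" (servera:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
EOF
    echo "$dir"
}

# Stand-alone use: triage_replica_logs <ipareplica-install.log> <dirsrv errors log>
if [ $# -eq 2 ]; then
    triage_replica_logs "$1" "$2"
fi
```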