Hello,
I'm having trouble setting the IPA domain level to 1.
When I run the command:
ipa domainlevel-set 1
ipa: ERROR: Domain Level cannot be raised to 1, existing replication conflicts have to be resolved.
At the moment we have just two IPA servers.
I have tried to uninstall all replicas, keeping only the first IPA master, but the same error occurred.
While running only one IPA server without any replica, I used ipa-replica-manage list-ruv and clean-ruv to delete all RUVs, but was still unable to raise the domain level.
OS: RHEL 7.3, updated to the last IPA version, ipa-server-4.4.0-14.
First version of IPA server installed was on RHEL 7.2, then updated to RHEL 7.3.
This is described in RHBA-2017:0089-1
Previously, if an Identity Management (IdM) upgrade ran simultaneously on multiple servers, replication conflict entries were sometimes generated in the "cn=topology" subtree.
So if I understand it right, there is a new check implemented which prevents raising domain level when this happens.
So my question is what can I do to get rid of "conflict entries" and raise the domain level?
Thanks,
Jan Karásek
On 10.07.2017 18:26, Jan Karásek via FreeIPA-users wrote:
So my question is what can I do to get rid of "conflict entries" and raise the domain level?
Thanks,
Jan Karásek
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hello,
please use this guide to resolve replication conflicts https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/ht...
Hi, thank you. We have 34 entries in directory with nsuniqueid in DN:
dn: cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=locations+nsuniqueid=7a711f07-d11911e6-bea49da2-866883c1,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=Default Service Password Policy+nsuniqueid=f683e20d-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cas+nsuniqueid=7a711f0d-d11911e6-bea49da2-866883c1,cn=ca,dc=vs,dc=example,dc=cz
dn: cn=dogtag+nsuniqueid=7a711f3e-d11911e6-bea49da2-866883c1,cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=Default Host Password Policy+nsuniqueid=f683e20b-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: idnsserverid=tidmipa01.vs.example.cz,cn=servers+nsuniqueid=7a711fb5-d11911e6-bea49da2-866883c1,cn=dns,dc=vs,dc=example,dc=cz
dn: cn=System: Add CA+nsuniqueid=7a711f46-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Delete CA+nsuniqueid=7a711f4a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify CA+nsuniqueid=7a711f4e-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read CAs+nsuniqueid=7a711f52-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify DNS Servers Configuration+nsuniqueid=7a711f57-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read DNS Servers Configuration+nsuniqueid=7a711f5b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Host Principals+nsuniqueid=7a711f6a-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Add IPA Locations+nsuniqueid=7a711f7b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Modify IPA Locations+nsuniqueid=7a711f7f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read IPA Locations+nsuniqueid=7a711f83-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Remove IPA Locations+nsuniqueid=7a711f87-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Locations of IPA Servers+nsuniqueid=7a711f8b-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Read Status of Services on IPA Servers+nsuniqueid=7a711f8f-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage Service Principals+nsuniqueid=7a711f93-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=System: Manage User Principals+nsuniqueid=7a711fa1-d11911e6-bea49da2-866883c1,cn=permissions,cn=pbac,dc=vs,dc=example,dc=cz
dn: cn=Default Kerberos Service Password Policy+nsuniqueid=f683e211-e16a11e6-bea49da2-866883c1,cn=Kerberos Service Password Policy+nsuniqueid=f683e20f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e215-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e213-e16a11e6-bea49da2-866883c1,cn=computers,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e21b-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e219-e16a11e6-bea49da2-866883c1,cn=services,cn=accounts,dc=vs,dc=example,dc=cz
dn: cn=Default Password Policy+nsuniqueid=f683e221-e16a11e6-bea49da2-866883c1,cn=cosTemplates+nsuniqueid=f683e21f-e16a11e6-bea49da2-866883c1,cn=VS.CSINT.CZ,cn=kerberos,dc=vs,dc=example,dc=cz
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=domain+nsuniqueid=7a711f03-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
dn: cn=ca+nsuniqueid=7a711f41-d11911e6-bea49da2-866883c1,cn=topology,cn=ipa,cn=etc,dc=vs,dc=example,dc=cz
The guide describes how to solve a DN name conflict, but I think we should delete them. They look like they are doubled entries, just with "+nsuniqueid=....". For each of them I have an entry without "nsuniqueid" in the DN:
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=ipaservers,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
Is that correct?
Thanks, Jan
----- Original Message -----
From: "Martin Basti" mbasti@redhat.com
To: "freeipa-users" freeipa-users@lists.fedorahosted.org
Cc: "Jan Karásek" jan.karasek@elostech.cz
Sent: Monday, July 10, 2017 7:09:34 PM
Subject: Re: [Freeipa-users] ipa-domainlevel set 1 failed
Hello,
please use this guide to resolve replication conflicts https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/ht...
On 07/11/2017 03:24 PM, Jan Karásek via FreeIPA-users wrote:
The guide describes how to solve a DN name conflict, but I think we should delete them. They look like they are doubled entries, just with "+nsuniqueid=....". For each of them I have an entry without "nsuniqueid" in the DN:
dn: cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
dn: cn=ipaservers,cn=ng,cn=alt,dc=vs,dc=example,dc=cz
Is that correct?
The guide covers scenarios where you want to keep both entries or the conflict entry. If you just have a "valid" entry and a "conflict" entry as a duplicate, you can delete the conflict directly.
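Added example, not part of the thread and not FreeIPA or 389-DS code: one way to apply the rule from the last reply to a DN list like the one posted above. It marks a conflict entry as deletable only when its twin without "+nsuniqueid=..." exists, and orders deletions children-first. The function names and the "cn=orphan" entry are assumptions made for illustration; the input is assumed to be every DN returned by a subtree search.

```python
import re

# "+nsuniqueid=<id>" is the RDN suffix seen on every conflict DN in the thread.
CONFLICT_AVA = re.compile(r"\+nsuniqueid=[0-9a-f]{8}(?:-[0-9a-f]{8}){3}", re.I)

def depth(dn):
    """Number of RDNs, splitting only on unescaped commas."""
    return len(re.split(r"(?<!\\),", dn))

def valid_counterpart(dn):
    """DN of the 'valid' twin: the same DN with conflict markers stripped."""
    return CONFLICT_AVA.sub("", dn)

def plan(all_dns):
    """Return (deletable, needs_review) for the conflict DNs in all_dns."""
    present = {dn.lower() for dn in all_dns}  # simplification: case-fold only
    deletable, review = [], []
    for dn in all_dns:
        if CONFLICT_AVA.search(dn):
            twin = valid_counterpart(dn).lower() in present
            (deletable if twin else review).append(dn)
    # A conflict parent cannot be deleted while a child below it needs review.
    blocked = [d for d in deletable
               if any(r.lower().endswith("," + d.lower()) for r in review)]
    deletable = [d for d in deletable if d not in blocked]
    # Deepest first, so children go before their conflict parents.
    deletable.sort(key=depth, reverse=True)
    return deletable, review + blocked

def to_ldif(dns):
    """LDIF delete records to review by hand before feeding to ldapmodify."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)

# Constructed sample: DN shapes are from the thread; "cn=orphan" is invented.
SUFFIX = "dc=vs,dc=example,dc=cz"
SAMPLE = [
    f"cn=ipaservers,cn=ng,cn=alt,{SUFFIX}",
    f"cn=ipaservers+nsuniqueid=7a711efc-d11911e6-bea49da2-866883c1,cn=ng,cn=alt,{SUFFIX}",
    f"cn=custodia,cn=ipa,cn=etc,{SUFFIX}",
    f"cn=dogtag,cn=custodia,cn=ipa,cn=etc,{SUFFIX}",
    f"cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,{SUFFIX}",
    f"cn=dogtag+nsuniqueid=7a711f3e-d11911e6-bea49da2-866883c1,"
    f"cn=custodia+nsuniqueid=7a711f3c-d11911e6-bea49da2-866883c1,cn=ipa,cn=etc,{SUFFIX}",
    f"cn=orphan+nsuniqueid=00000000-00000000-00000000-00000000,cn=etc,{SUFFIX}",
]

if __name__ == "__main__":
    ok, held = plan(SAMPLE)
    print(to_ldif(ok), end="")
    for dn in held:
        print("# review by hand:", dn)
```

Entries reported for review have no valid twin in the input, so they fall under the keep-or-rename scenarios the guide covers rather than direct deletion.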