Hi List, I have a master server that had a replica installed. The replica has been uninstalled. When I try to run "ipa-replica-manage del --force replica.server" it fails with: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
How can I delete this replica?
Thanks, Ralph
Ralph Crongeyer via FreeIPA-users wrote:
Hi List, I have a master server that had a replica installed. The replica has been uninstalled. When I try to run "ipa-replica-manage del --force replica.server" it fails with: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
How can I delete this replica?
What is your ultimate goal here? In your previous post it sounded like you are trying to create a split-brain. IPA doesn't like those and does what it can to prevent them.
rob
The goal is to remove the replica server from the master. No split brain. I need to remove this as we can't login to the portal because of this.
Can this be manually removed? We currently can't login to the web portal due to this issue.
On 10/23/18 12:54 PM, Ralph Crongeyer via FreeIPA-users wrote:
Can this be manually removed? We currently can't login to the web portal due to this issue.
http://www.port389.org/docs/389ds/howto/howto-cleanruv.html#cleanallruv
Or you can run: cleanallruv.pl -h
HTH,
Mark
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Ralph Crongeyer via FreeIPA-users wrote:
Can this be manually removed? We currently can't login to the web portal due to this issue.
I don't understand how one master is affecting the web server of another. By design they are independent. Can you provide details on how login is failing?
rob
So it does allow me to login, however there is a popup that says: "Some operations failed.", and a link "View details", when I click on that it shows: "invalid 'PKINIT enabled server': all masters must have IPA master role" And there is a button that says "OK", when I click on that it shows this:
Runtime error
Web UI got in unrecoverable state during "runtime" phase. Technical details: y.server_config is undefined
Ralph Crongeyer via FreeIPA-users wrote:
So it does allow me to login, however there is a popup that says: "Some operations failed.", and a link "View details", when I click on that it shows: "invalid 'PKINIT enabled server': all masters must have IPA master role" And there is a button that says "OK", when I click on that it shows this:
Ok. Start by running:
$ kinit admin
$ ipa domainlevel-get
If it is 1 you can try
$ ipa server-del --ignore-topology-disconnect --ignore-last-of-role --force replica.server
rob
Well I got it fixed by using ApacheDirectoryStudio and searching for the old stuck replica and deleted all of its entries, which fixed the issues. I wish I would have gotten this email sooner, I would have tried what you suggested.
Thanks for your help with this.
Ralph
Ralph Crongeyer wrote:
Well I got it fixed by using ApacheDirectoryStudio and searching for the old stuck replica and deleted all of its entries, which fixed the issues. I wish I would have gotten this email sooner, I would have tried what you suggested.
Thanks for your help with this.
Sure, sorry it took so long.
You may want to run: ipa-replica-manage del replica.server --force --cleanup
Just to ensure you got everything.
rob
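Before deleting entries by hand as described in this thread, it helps to see which server entry is tripping the 'PKINIT enabled server' check. The read-only script below is an added example, not code from the thread or from the FreeIPA project. It assumes the usual FreeIPA layout, where each master's services sit under cn=masters,cn=ipa,cn=etc,<suffix> and carry ipaConfigString values such as enabledService and pkinitEnabled, and it assumes the "IPA master" role consists of the HTTP, KDC and KPASSWD services; the host names and LDIF are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: parses LDIF, changes nothing.
# On a live master the input would come from something like:
#   ldapsearch -Y GSSAPI -LLL -o ldif-wrap=no \
#     -b "cn=masters,cn=ipa,cn=etc,$SUFFIX" ipaConfigString
# where $SUFFIX is your directory suffix (placeholder).

# Print every host whose KDC entry is flagged pkinitEnabled while one of the
# services assumed to make up the "IPA master" role is not enabledService.
find_stale_pkinit_masters() {
    awk '
    # Record the entry collected so far, then reset the per-entry state.
    function flush(   n, p, svc, host) {
        if (dn != "") {
            # Service DN: cn=<SVC>,cn=<host>,cn=masters,cn=ipa,cn=etc,<suffix>
            n = split(dn, p, ",")
            if (n >= 5 && tolower(p[3]) == "cn=masters") {
                svc  = toupper(substr(p[1], 4))
                host = tolower(substr(p[2], 4))
                if (enabled) en[host, svc] = 1
                if (svc == "KDC" && pkinit) pk[host] = 1
            }
        }
        dn = ""; enabled = 0; pkinit = 0
    }
    /^dn: / { flush(); dn = substr($0, 5); next }
    /^$/    { flush(); next }
    tolower($1) == "ipaconfigstring:" {
        v = tolower($2)
        if (v == "enabledservice") enabled = 1
        if (v == "pkinitenabled")  pkinit = 1
    }
    END {
        flush()
        n = split("HTTP KDC KPASSWD", need, " ")
        for (h in pk) {
            missing = ""
            for (i = 1; i <= n; i++)
                if (!((h, need[i]) in en))
                    missing = missing (missing == "" ? "" : ",") need[i]
            if (missing != "") print h " missing=" missing
        }
    }' | sort
}

# Constructed sample: one healthy master and one half-removed replica whose
# KDC entry still carries pkinitEnabled.
sample_ldif() {
    cat <<'EOF'
dn: cn=master.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test

dn: cn=HTTP,cn=master.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: startOrder 40

dn: cn=KDC,cn=master.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: pkinitEnabled
ipaConfigString: startOrder 10

dn: cn=KPASSWD,cn=master.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: enabledService
ipaConfigString: startOrder 20

dn: cn=HTTP,cn=replica.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: configuredService
ipaConfigString: startOrder 40

dn: cn=KDC,cn=replica.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: configuredService
ipaConfigString: pkinitEnabled
ipaConfigString: startOrder 10
EOF
}

sample_ldif | find_stale_pkinit_masters
```

Any host the script lists is a candidate for the removal commands given in this thread; a host that no longer exists but still appears here is the leftover to clean up.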
Oddly, I am having the same problem not too many days later, so I thought I would just reply here. I was in the middle of bringing up a new replica when the hardware panicked or something. Last messages to console:

```
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/9]: stopping directory server
[2/9]: saving configuration
[3/9]: disabling listeners
[4/9]: enabling DS global lock
[5/9]: starting directory server
[6/9]: upgrading server
```
I've tried everything in the thread, starting with the link Mark Reynolds sent above. I found the current replication and did the `cleanruv` path (not the `all` variant) for the open transaction, then checked it on the other master. Still getting the `invalid 'PKINIT enabled server': all masters must have IPA master role enabled` message.
Also tried the `ipa-replica-manage del replica.server --force` and `ipa server-del --ignore-topology-disconnect --ignore-last-of-role --force replica.server` commands and got the same error message for both commands.
Any ideas of what I might additionally try?
Thanks for your help!
Oh, forgot to mention, current domain level is `1`...
Hate _hate_ to open old threads, but...
I'm also seeing this. I've been trying to add another replica to our topology (this would be on a different subnet than the current pair); the ipa-replica-install command has been failing for various reasons that I've been fixing or circumventing and I've just been re-spinning the new server between each attempt to keep the environment clean. The latest death was apparently because of an issue with /etc/openldap/ldap.conf which I was debugging and was about to remove the server from IPA and reset it.
However, I'm not able to do so. All attempts are met with "ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled" - in fact, even poking around trying to do an ipa config-show (on either of the current masters) just generates that error. I've also tried uninstalling the replica and client on the new host, and it seems to have completed successfully, but I can't re-enroll it either, so it's "dead to the other masters", except...
There is nothing I want to do at this point other than another iteration on my problem adding another replica. There's no data on replica, nothing is relying on it, and I've tried as hard as possible to make the installation entirely vanilla. I haven't manually enabled PKINIT; ipa-pkinit-manage status on the current masters says it's enabled. As for the server roles, server-role-find shows the two current servers and the new one; the latter's "role status" for CA Server is "absent". I've had issues before where I've had to enumerate the RUVs and remove them (done that). Just want the references to this to go away, so that I can keep working towards the most minimal and concise installation.
Any ideas on where I can go to get out of this situation? Many thanks!
(Everything completely updated to *4.6.4-10.el7.centos, initial installation was about one year ago, domain level 1; tried all the ipa server del and ipa-replica-manage del suggestions which aren't working for me this time, no AD integration...)
On Tue, Nov 20, 2018 at 1:48 AM Brian Topping via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Oh, forgot to mention, current domain level is `1`...
I'm going to reply to myself, after several more hours of digging, I discovered that although it wasn't true at the time I posted the above question, eventually, as with the original post from Lachlan Musicman https://lists.fedorahosted.org/archives/users/46343247263810572257541459042951629750/, the WebUI died, and that meant no self-service for the rest of the team. And that made it into an emergency.
So, I fired up my LDAP editor (I've been using JXWorkBench) and went to eradicate all the traces of the failed replica. Which fixed the issue; and I'm fairly sure there aren't any lingering effects. I think.
But this was the first time I've used the editor to actually effect any changes to things; and I'm going to post the underlying question that raised in a new thread...
This seems to have bitten at least a few of us; I'd be happy to know how to file a bug if there's a useful contribution there. Thanks!
On Sat, Jan 5, 2019 at 4:47 PM K. M. Peterson kmp.lists@gmail.com wrote:
> Hate _hate_ to open old threads, but...
> I'm also seeing this. I've been trying to add another replica to our topology (this would be on a different subnet than the current pair); the ipa-replica-install command has been failing for various reasons that I've been fixing or circumventing and I've just been re-spinning the new server between each attempt to keep the environment clean. The latest death was apparently because of an issue with /etc/openldap/ldap.conf which I was debugging and was about to remove the server from IPA and reset it.
> However, I'm not able to do so. All attempts are met with "ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled" - in fact, even poking around trying to do an ipa config-show (on either of the current masters) just generates that error. I've also tried uninstalling the replica and client on the new host, and it seems to have completed successfully, but I can't re-enroll it either, so it's "dead to the other masters", except...
> There is nothing I want to do at this point other than another iteration on my problem adding another replica. There's no data on replica, nothing is relying on it, and I've tried as hard as possible to make the installation entirely vanilla. I haven't manually enabled PKINIT; ipa-pkinit-manage status on the current masters says it's enabled. As for the server roles, server-role-find shows the two current servers and the new one; the latter's "role status" for CA Server is "absent". I've had issues before where I've had to enumerate the RUVs and remove them (done that). Just want the references to this to go away, so that I can keep working towards the most minimal and concise installation.
> Any ideas on where I can go to get out of this situation? Many thanks!
> (Everything completely updated to *4.6.4-10.el7.centos, initial installation was about one year ago, domain level 1; tried all the ipa server del and ipa-replica-manage del suggestions which aren't working for me this time, no AD integration...)
K. M. Peterson via FreeIPA-users wrote:
> I'm going to reply to myself, after several more hours of digging, I discovered that although it wasn't true at the time I posted the above question, eventually, as with the original post from Lachlan Musicman https://lists.fedorahosted.org/archives/users/46343247263810572257541459042951629750/, the WebUI died, and that meant no self-service for the rest of the team. And that made it into an emergency.
> So, I fired up my LDAP editor (I've been using JXWorkBench) and went to eradicate all the traces of the failed replica. Which fixed the issue; and I'm fairly sure there aren't any lingering effects. I think.
> But this was the first time I've used the editor to actually effect any changes to things; and I'm going to post the underlying question that raised in a new thread...
> This seems to have bitten at least a few of us; I'd be happy to know how to file a bug if there's a useful contribution there. Thanks!
You didn't happen to keep a list of the entries/values you removed did you?
rob
On Jan 8, 2019, at 3:12 PM, Rob Crittenden rcritten@redhat.com wrote:
> You didn't happen to keep a list of the entries/values you removed did you?
> rob
In my experience, there were dozens of them and I gave up before the thing finally recovered. Since others were successful, I’m sure it was possible, but it wasn’t clear if there was a certain entry that was responsible or it was because I overlooked a single one.
I located every entry in LDAP that referenced the failed server and removed each of them. I know that the entries in the etc ipa masters hierarchies wouldn't go until I'd removed several of the others, which know included the custodia entries. I think there weren't any topology entries by that point.
Sorry not to be more helpful...
On Tue, Jan 8, 2019 at 5:12 PM Rob Crittenden rcritten@redhat.com wrote:
> You didn't happen to keep a list of the entries/values you removed did you?
> rob
I just bumped into this as well. I think I've tried every permutation of commands+options, but I'm getting the "invalid 'PKINIT enabled server': all masters must have IPA master role enabled" message as well when running "ipa-replica-manage del --force -c <REDACTED>". Any ideas on how to resolve this?
Also, I think one of the replicas got interrupted during the installation. I see this:
```
ipa server-find --all
...
Managed suffixes: domain
Min domain level: 0
Max domain level: 1
Enabled server roles: NTP server
...
```
Hi,
I have the same issue right now... I had two working replicas, and I tried to add the third one. But due to some issues with ansible playbook, the installation of that third replica failed in the middle (I believe ansible lost SSH connection somewhere in the middle). That obviously left the new replica in kinda undefined state, which is not my issue. My issue is that it affected WebUI of both other two replicas.
Exactly as the others report, I can no longer login to the WebUI. It says "invalid 'PKINIT enabled server': all masters must have IPA master role enabled" and then throws an exception:
```
TypeError: Cannot read property 'ipapwdexpadvnotify' of undefined
at Object.y.update_password_expiration (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1...)
at Object.start_runtime (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1...)
at Object.<anonymous> (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1...)
at https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1...
at Object.forEach (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/dojo/dojo.js?v=40604:1...)
at Object._run_phase (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1...)
at Object.next_phase (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1...)
at Object.<anonymous> (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/freeipa/app.js?40604:1...)
at c (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/dojo/dojo.js?v=40604:1...)
at e.extend.then.then.t.then (https://rhel-ipa-replica.ams.ims.telekom.de/ipa/ui/js/dojo/dojo.js?v=40604:1...)
```
All the commands offered in this thread give me the same error so far: "invalid 'PKINIT enabled server': all masters must have IPA master role enabled"
Fortunately, it seems that the domain services keep working fine, users can login etc. But WebUI is dead, and the failed replica is stuck in the list of ipa-replica-manage...
Sounds like a bug...?
--- Regards, Dmitry Perets
> Exactly as the others report, I can no longer login to the WebUI. It says "invalid 'PKINIT enabled server': all masters must have IPA master role enabled" and then throws an exception:
UPDATE: To resolve it, you can delete the following subtree entirely:
DN: cn=<fqdn-of-your-stuck-replica>,cn=masters,cn=ipa,cn=etc,dc=ims,dc=telekom,dc=de
I think it should be marked as an issue... failed replica shouldn't affect WebUI of other masters...
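Earlier in the thread Rob asks for a list of the entries that were removed, and the posters describe deleting every entry that referenced the failed server, including the subtree under cn=masters. The following is an added example, not code from the thread or from FreeIPA: a read-only Python script that builds that list from an LDIF export (for example from ldapsearch) before anything is deleted. The suffix, host names and sample LDIF are constructed assumptions.

```python
import base64
import re

# Constructed sample export (suffix, host names and values are assumptions).
# The failed host's name is folded across two lines in the group entry, so a
# plain grep on the raw file would miss that reference.
SAMPLE_LDIF = """\
version: 1

dn: cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: ipa1.example.test

dn: cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
cn: ipa3.example.test

dn: cn=KDC,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
ipaConfigString: pkinitEnabled

dn: fqdn=devipa3.example.test,cn=computers,cn=accounts,dc=example,dc=test
fqdn: devipa3.example.test

dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=example,dc=test
member: fqdn=ipa1.example.test,cn=computers,cn=accounts,dc=example,dc=test
member: fqdn=ipa3.exam
 ple.test,cn=computers,cn=accounts,dc=example,dc=test
description:: cmVwbGljYSBob3N0cw==
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines and
    decodes base64 ('attr:: ...') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # continuation of previous line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return entries

def plan_cleanup(entries, fqdn):
    """Return (delete, strip): entries whose DN names fqdn, deepest first so
    children precede parents, and (dn, attr, value) references held by
    entries that must survive and only need that value removed."""
    # Match the whole host name only, so devipa3.example.test is not a hit.
    host = re.compile(r"(?<![\w.-])" + re.escape(fqdn) + r"(?![\w.-])", re.I)
    delete, strip = [], []
    for dn, attrs in entries:
        if host.search(dn):
            delete.append(dn)
            continue
        strip += [(dn, attr, v) for attr, vals in attrs.items()
                  for v in vals if host.search(v)]
    delete.sort(key=lambda d: len(re.split(r"(?<!\\),", d)), reverse=True)
    return delete, strip

if __name__ == "__main__":
    delete, strip = plan_cleanup(parse_ldif(SAMPLE_LDIF), "ipa3.example.test")
    print("\n".join(["delete entry: " + dn for dn in delete]
                    + ["remove value: %s %s: %s" % ref for ref in strip]))
```

Saving the printed plan next to the export gives a record of what was removed and from where.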
Dmitry Perets via FreeIPA-users wrote:
> Exactly as the others report, I can no longer login to the WebUI. It says "invalid 'PKINIT enabled server': all masters must have IPA master role enabled" and then throws an exception:
> UPDATE: To resolve it, you can delete the following subtree entirely:
> DN: cn=<fqdn-of-your-stuck-replica>,cn=masters,cn=ipa,cn=etc,dc=ims,dc=telekom,dc=de
> I think it should be marked as an issue... failed replica shouldn't affect WebUI of other masters...
ipa-replica-manage del <master> --cleanup --force will clean these entries up, and others.
rob
On Mon, Mar 18, 2019 at 4:53 PM Rob Crittenden rcritten@redhat.com wrote:
> ipa-replica-manage del <master> --cleanup --force will clean these entries up, and others.
> rob
Rob,
I tried this. It didn't work. The command itself failed with the same error message: PKINIT enabled server': all masters must have IPA master role enabled
freeipa-users@lists.fedorahosted.org