With the introduction of replica promotion functionality, the workflow of setting up IPA replicas was dramatically changed. Unfortunately, the uninstallation of the promoted replica could use some usability improvements.
Running {{{ipa-server-install --uninstall -U}}} leaves the system in a somewhat inconsistent state. The IPA client should be removed in the second step of the uninstallation procedure.
{{{
[root@replica1 ~]# ipa-server-install --uninstall -U
Replication agreements with the following IPA masters found: master1.ipa.test.
Removing any replication agreements before uninstalling the server is strongly recommended. You can remove replication agreements by running the following command on any other IPA master:
$ ipa-replica-manage del replica1.ipa.test
Shutting down all IPA services
Removing IPA client configuration
Unconfiguring ntpd
Configuring certmonger to stop tracking system certificates for KRA
Configuring certmonger to stop tracking system certificates for CA
Unconfiguring web server
Unconfiguring krb5kdc
Unconfiguring kadmin
Unconfiguring directory server
Unconfiguring ipa-custodia
Unconfiguring ipa_memcached
Unconfiguring ipa-otpd
}}}
Indeed, re-trying the replica installation warns us about this:
{{{
[root@replica1 ~]# ipa-replica-install
ipa.ipapython.install.cli.install_tool(Replica): ERROR IPA client is not configured on this system.
You must use a replica file or join the system using 'ipa-client-install'.
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
}}}
However, there is some leftover configuration backed up during replica installation, and it is not possible to re-install the client right off the bat:
{{{
[root@replica1 ~]# ipa-client-install
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
}}}
We must run client uninstallation once again (with plenty of errors/warnings, since much of the configuration was removed in previous steps).
{{{
[root@replica1 ~]# ipa-client-install --uninstall -U
Failed to list certificates in /etc/ipa/nssdb: Command ''/usr/bin/certutil' '-d' '/etc/ipa/nssdb' '-L'' returned non-zero exit status 255
Unenrolling client from IPA server
Unenrolling host failed: Error obtaining initial credentials: Key table entry not found.
Removing Kerberos service principals from /etc/krb5.keytab
Failed to remove Kerberos service principals: Command ''/usr/sbin/ipa-rmkeytab' '-k' '/etc/krb5.keytab' '-r' 'IPA.TEST'' returned non-zero exit status 5
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Client uninstall complete.
}}}
This whole procedure may seem logical from a developer's POV but is counter-intuitive to the users. We should either improve the uninstallation code to handle this in a more robust way or provide better documentation of this behavior.
Starting review
master:
Metadata Update from @mbabinsk: - Issue assigned to mbabinsk - Issue set to the milestone: FreeIPA 4.3