When an IPA replica is uninstalled, ipa-server-install --uninstall calls ipa server-del $host. The latter removes replica-related details, including its Kerberos principals, among them the ldap/$host principal.
As a result, replication of the removed entries to the replicas connected to $host will fail if there wasn't already an active authenticated connection, because the LDAP server on $host will not be able to obtain its own ticket-granting ticket and therefore cannot request a ticket for a remote replica's Kerberos service.
A possible solution is to split the task of removing the principals into two stages:
This is an elegant solution. A comment regarding the deletion of ldap/host by the topology plugin: this is an internal DEL operation, so it would be preferable not to store the DEL in the replication changelog, so that each replica receiving the host DEL does its own cleanup.
If the DEL needs to be replicated, it will end with several DELs for the same ldap/host. That can lead to a similar issue as https://pagure.io/389-ds-base/issue/49463. So there is a dependency on https://pagure.io/389-ds-base/issue/49466.
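The ordering problem described in the ticket, and the local-cleanup variant suggested in the comment above, as an added toy model that is not FreeIPA or 389-ds code. It assumes a simplified set of per-server entries (a cn=$host,cn=masters entry plus the host/ and ldap/ principals), constructed host names, and that a replica can only push its changelog to a peer while its own ldap/$host principal still exists; the "two-stage" split modelled here (replicate the other deletions first, then let each replica remove ldap/$host locally without writing a changelog entry) is an assumption drawn from the comment, not the ticket's actual patch.

```python
"""Toy model of the replica-removal ordering problem (constructed example)."""
from dataclasses import dataclass, field

# Constructed host names; no relation to any real deployment.
HOST = "replica1.example.test"
PEER = "replica2.example.test"


def server_entries(host):
    """Simplified set of entries that 'ipa server-del' removes for one server."""
    return {f"cn={host},cn=masters", f"host/{host}", f"ldap/{host}"}


@dataclass
class Replica:
    name: str
    entries: set
    changelog: list = field(default_factory=list)
    peers: list = field(default_factory=list)

    def delete(self, dn, replicated=True):
        """Remove an entry; only replicated DELs land in the changelog."""
        self.entries.discard(dn)
        if replicated:
            self.changelog.append(("DEL", dn))

    def can_authenticate(self):
        """A GSSAPI replication bind needs a TGT for this server's ldap principal."""
        return f"ldap/{self.name}" in self.entries

    def push(self):
        """Replay the changelog to every peer; fails closed when no TGT is obtainable."""
        if not self.can_authenticate():
            return False
        for peer in self.peers:
            for op, dn in self.changelog:
                peer.receive(op, dn)
        return True

    def receive(self, op, dn):
        """Apply a replicated DEL; on a master DEL, clean up ldap/$host locally."""
        self.entries.discard(dn)
        self.changelog.append((op, dn))
        if dn.startswith("cn=") and dn.endswith(",cn=masters"):
            # Topology-plugin style internal operation (assumed behaviour):
            # derive the removed server's ldap principal and delete it
            # without recording the DEL in this replica's changelog.
            host = dn[len("cn="):-len(",cn=masters")]
            self.delete(f"ldap/{host}", replicated=False)


def build_topology():
    shared = server_entries(HOST) | server_entries(PEER)
    host = Replica(HOST, set(shared))
    peer = Replica(PEER, set(shared))
    host.peers.append(peer)
    return host, peer


def single_stage_removal():
    """Behaviour from the ticket: ldap/$host is deleted in the same batch."""
    host, peer = build_topology()
    for dn in server_entries(HOST):
        host.delete(dn)
    pushed = host.push()
    stale = peer.entries & server_entries(HOST)
    return pushed, sorted(stale)


def two_stage_removal():
    """Assumed fix: replicate the other DELs first, keep ldap/$host until then."""
    host, peer = build_topology()
    for dn in server_entries(HOST) - {f"ldap/{HOST}"}:
        host.delete(dn)
    pushed = host.push()
    # Stage two on the departing host itself: local, non-replicated cleanup.
    host.delete(f"ldap/{HOST}", replicated=False)
    stale = peer.entries & server_entries(HOST)
    ldap_dels_on_peer = [c for c in peer.changelog if c == ("DEL", f"ldap/{HOST}")]
    return pushed, sorted(stale), len(ldap_dels_on_peer)


if __name__ == "__main__":
    print("single stage:", single_stage_removal())
    print("two stage:   ", two_stage_removal())
```

In the single-stage run the push never authenticates, so the peer keeps all three stale entries for the removed server; in the two-stage run the peer is clean and its changelog carries no DEL for ldap/$host at all, which is the property the comment above asks for (one cleanup per replica rather than several replicated DELs of the same principal).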
Metadata Update from @rcritten: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.6.4
master:
ipa-4-6:
Metadata Update from @tdudlak: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)