In many cases for service users, the matching group was created by either error or mistake.
Those service users are mostly under some group collecting them, which is also assigned as GID.
So the leftovers were detached and deleted, so there is less confusion.
So far there were no issues like this.
--
*Sándor Juhász*
System Administrator
*ChemAxon* *Kft*.
Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
Cell: +36704258964


On Wed, Aug 7, 2019 at 4:10 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Sandor Juhasz wrote:
> > Was detached and deleted prior to the user's deletion.
> > First modified by
> > dn: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
> > changetype: modify
> > delete: objectclass
> > objectclass: mepManagedEntry
> > -
> > delete: mepManagedBy
> >
> > Then deleted.
>
> I don't know if this is the issue or not but the user still shows:
>
> objectClass: mepOriginEntry
> mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
>
> What led you to manually disconnect the group?
>
> rob
>
> > --
> > *Sándor Juhász*
> > System Administrator
> > *ChemAxon* *Kft*.
> > Building Hx, GraphiSoft Park, Záhony utca 7, Budapest, Hungary, H-1031
> > Cell: +36704258964
> >
> >
> > On Wed, Aug 7, 2019 at 3:58 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >
> >     Sandor Juhasz via FreeIPA-users wrote:
> >     > We have an entry that, after clicking delete on the UI, got partially
> >     > deleted.
> >     > The compat tree entry is gone.
> >     > The accounts tree entry is there.
> >     > ldapsearch finds the entry by uid, but does fail by dn.
> >     > ipa user-show <USERID> finds the user
> >     > ipa user-del <USERID> says no such user
> >     > ldapdelete fails to delete the entry by dn with err=32
> >     > Web ui shows user
> >     > User content can be modified from ipa cli and web ui - like name, shell,
> >     > but cannot be deleted
> >     > Other entries can be created and deleted without issue.
> >     > We have 4way master-master replication. Tried cli on 3 and got same
> >     > result and issue.
> >     > The third is not touched and the entry is available there in both the accounts
> >     > and compat tree.
> >     >
> >     >
> >     > ipa-server-4.6.4-10.el7.centos.3.x86_64
> >     > CentOS Linux release 7.6.1810 (Core)
> >     >
> >     > On full broken master:
> >     > # <USERID>, users, accounts, cxn
> >     > dn: uid=<USERID>,cn=users,cn=accounts,dc=cxn
> >     > gecos: FOO BAR
> >     > displayName: FOO BAR
> >     > krbLastAdminUnlock: 20190807124134Z
> >     > krbLoginFailedCount: 0
> >     > memberOf: cn=ipausers,cn=groups,cn=accounts,dc=cxn
> >     > memberOf: cn=somegroup1,cn=groups,cn=accounts,dc=cxn
> >     > memberOf: cn=somegroupt2,cn=groups,cn=accounts,dc=cxn
> >     > gidNumber: <GID>
> >     > uidNumber: <UID>
> >     > ipaUniqueID: <RANDOMUNIQUEID>
> >     > cn: BAZ
> >     > givenName: FOO
> >     > krbPrincipalName: <USERID>@CXN
> >     > mail: <MAIL>
> >     > homeDirectory: /home/<USERID>
> >     > sn: BAR
> >     > initials: cU
> >     > loginShell: /bin/false
> >     > objectClass: ipaobject
> >     > objectClass: person
> >     > objectClass: top
> >     > objectClass: ipasshuser
> >     > objectClass: inetorgperson
> >     > objectClass: organizationalperson
> >     > objectClass: krbticketpolicyaux
> >     > objectClass: krbprincipalaux
> >     > objectClass: inetuser
> >     > objectClass: posixaccount
> >     > objectClass: ipaSshGroupOfPubKeys
> >     > objectClass: mepOriginEntry
> >     > krbCanonicalName: <USERID>@CXN
> >     > uid: <USERID>
> >     > mepManagedEntry: cn=<USERID>,cn=groups,cn=accounts,dc=cxn
> >     > krbPasswordExpiration: 20170615133527Z
> >     > krbLastPwdChange: 20170615133527Z
> >     > krbExtraData:: AAIfjUJZcm9vdC9hZG1pbkBDWE4A
> >
> >     Can you check to see if the group entry exists,
> >     cn=<USERID>,cn=groups,cn=accounts,dc=cxn via ldapsearch?
> >
> >     rob
> >
>
>
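A read-only consistency check for the state described in this thread, where a user entry still carries `mepManagedEntry` after its group was detached and deleted. This is an added example, not code from the thread or from FreeIPA; the function names and the sample LDIF are constructed, and it assumes a plain-text LDIF export of the accounts tree.

```python
import re

# Constructed sample export with placeholder names (not data from the thread).
SAMPLE_LDIF = """\
dn: uid=svc1,cn=users,cn=accounts,dc=cxn
objectClass: mepOriginEntry
mepManagedEntry: cn=svc1,cn=groups,cn=accounts,dc=cxn

dn: uid=alice,cn=users,cn=accounts,dc=cxn
objectClass: mepOriginEntry
mepManagedEntry: cn=alice,cn=groups,cn=accounts,dc=cxn

dn: cn=alice,cn=groups,cn=accounts,dc=cxn
objectClass: mepManagedEntry
mepManagedBy: uid=alice,cn=users,cn=accounts,dc=cxn
"""

def norm_dn(dn):
    """Simple DN normalisation: lower-case, no spaces around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_ldif(text):
    """Parse plain-text LDIF (no base64 values) into {dn: {attr: [values]}}."""
    entries = {}
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def broken_mep_links(entries):
    """List (origin dn, managed dn, reason) for each broken origin-to-managed link."""
    problems = []
    for dn, attrs in entries.items():
        for target in map(norm_dn, attrs.get("mepmanagedentry", [])):
            managed = entries.get(target)
            if managed is None:
                problems.append((dn, target, "managed entry missing"))
            elif dn not in map(norm_dn, managed.get("mepmanagedby", [])):
                problems.append((dn, target, "no mepManagedBy back-link"))
    return problems

if __name__ == "__main__":
    print(broken_mep_links(parse_ldif(SAMPLE_LDIF)))
```

The two reasons correspond to the two steps taken in the thread: removing `mepManagedBy` from the group, then deleting the group.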