Hi all, I've run into an issue with RetroCL (I think) on our IPA server. This is the sole master, there is no replication:

# ipa-replica-manage list
<ipa-hostname>: master

The problem appeared during an attempted group rename, but every subsequent attempt to change results in the same error:

[27/Jan/2020:11:29:49.590558266 +0000] - ERR - managed-entries-plugin - mep_rename_managed_entry - Unable to rename managed entry "cn=matstudio2016,cn=groups,cn=accounts,<domain>" to "cn=matstudio,cn=groups,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:11:29:49.897693314 +0000] - ERR - ldbm_back_modrdn - SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN plugin returned error but did not set SLAPI_RESULT_CODE
[27/Jan/2020:13:23:16.986652546 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:16.989427768 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:16.993607315 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:16.998637893 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:17.001620504 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:17.005510536 +0000] - ERR - managed-entries-plugin - mep_add_managed_entry - Unable to add managed entry "cn=materialsstudio,cn=groups,cn=accounts,<domain>" for origin entry "uid=materialsstudio,cn=users,cn=accounts,<domain>" (Already exists).
[27/Jan/2020:13:23:55.016578895 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264302, dn = changenumber=264302,cn=changelog: Already exists.
[27/Jan/2020:13:23:55.020029522 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]

I note that the changenumber decreased by 1 as well.

Unfortunately the access log has rotated several times since the change, so I can't extract anything from there. My colleague did have a record of the commands that were run:

# ipa user-mod --rename=matstudio matstudio2016
# ipa user-mod --rename=matstudio2016 matstudio
# ipa user-mod --rename=matstudio matstudio2016

There is no group-mod command, so I assume that the group rename attempt was ipa trying to rename the private group matstudio2016 to matstudio, which already existed:

# ipa group-show matstudio2016
  Group name: matstudio2016
  Description: User private group for matstudio2016
  GID: 99999

# ipa group-show matstudio
  Group name: matstudio
  Description: blanked
  GID: 11008
  Member users: blanked

I've tried to delete the groups, both via ipa and ldapmodify (tried to remove the mepManagedEntry objectclass and mepManagedBy attribute), but always encounter the changelog error.

Alas there is no backup prior to this change from which to restore, so I am trying to fix things online. Thankfully authorisation and authentication is still working for now, but we can't add users, modify groups, etc.

Incidentally, ipa user-show --all --raw returns nothing for either uid, but ldapsearch does. The old user (matstudio2016) and group (matstudio) were migrated at least once from the ipa database of older clusters, possibly twice.

I've pulled out the pertinent entries from each record:

# ldapsearch -Y GSSAPI uid=matstudio2016
# matstudio, users, accounts, <domain>
dn: uid=matstudio,cn=users,cn=accounts,<domain>
displayName: MatStudioAccount MatStudioAccount
cn: MatStudioAccount MatStudioAccount
krbCanonicalName: matstudio@<domain>
uidNumber: 99999
gidNumber: 11008
krbPrincipalName: matstudio@<domain>
givenName: MatStudioAccount
homeDirectory: <path-to>/matstudio
ipaUniqueID: 6e8f1900-b044-11e8-be99-00a1dafce440
mepManagedEntry: cn=matstudio2016,cn=groups,cn=accounts,<domain>
memberOf: ipaUniqueID=b7b3447a-b02c-11e8-9fe1-00a1dafce440,cn=hbac,<domain>
uid: matstudio

# ldapsearch -Y GSSAPI uid=matstudio
# matstudio, users, compat, <domain>
dn: uid=matstudio,cn=users,cn=compat,<domain>
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gecos: MatStudioAccount MatStudioAccount
cn: MatStudioAccount MatStudioAccount
uidNumber: 99999
gidNumber: 11008
loginShell: /bin/bash
homeDirectory: <path-to>/matstudio
ipaAnchorUUID:: OklQQTpwcmkuY3NmMy5hbGNlcy5uZXR3b3JrOjZlOGYxOTAwLWIwNDQtMTFlOC
 1iZTk5LTAwYTFkYWZjZTQ0MA==
uid: matstudio

I'm scratching my head here; any suggestions will be most gratefully received!

Thanks,
Mark
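
Added example, not part of the original post and not FreeIPA or 389-ds code: a small triage script that pulls the failed retro changelog adds out of a 389-ds error log, counts them per change number, and reports where the number steps backwards, as the 264303 -> 264302 sequence above does. The function names are assumptions made for this example; the sample lines are copied from the log excerpt in the post.

```python
import re
from collections import Counter
from datetime import datetime

# Error-log lines copied from the post above.
SAMPLE_LOG = """\
[27/Jan/2020:13:23:16.986652546 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:16.989427768 +0000] - ERR - DSRetroclPlugin - retrocl_postob - Operation failure [68]
[27/Jan/2020:13:23:16.998637893 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264303, dn = changenumber=264303,cn=changelog: Already exists.
[27/Jan/2020:13:23:55.016578895 +0000] - ERR - DSRetroclPlugin - write_replog_db - An error occured while adding change number 264302, dn = changenumber=264302,cn=changelog: Already exists.
"""

# Matches only the write_replog_db "Already exists" failures.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] - ERR - DSRetroclPlugin - write_replog_db - "
    r".*?adding change number (?P<num>\d+), dn = (?P<dn>\S+): Already exists\."
)

def parse_ts(raw):
    # The log carries nanoseconds; strptime's %f accepts at most 6 digits.
    stamp, zone = raw.split(" ")
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]} {zone}", "%d/%b/%Y:%H:%M:%S.%f %z")

def retrocl_collisions(text):
    """Return (timestamp, change_number) for each failed changelog add."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((parse_ts(m["ts"]), int(m["num"])))
    return hits

def summarize(hits):
    """Count collisions per change number and list backwards steps."""
    counts = Counter(num for _, num in hits)
    regressions = [(a, b) for (_, a), (_, b) in zip(hits, hits[1:]) if b < a]
    return counts, regressions

if __name__ == "__main__":
    counts, regressions = summarize(retrocl_collisions(SAMPLE_LOG))
    for num, n in sorted(counts.items()):
        print(f"changenumber={num}: {n} failed add(s)")
    for prev, cur in regressions:
        print(f"change number went backwards: {prev} -> {cur}")
```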
