> -----Original Message----- > From: Ludwig Krispenz [mailto:lkris...@redhat.com] > Sent: Wednesday, April 29, 2015 9:22 AM > To: thierry bordaz > Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] deleting ipa user > > > On 04/29/2015 03:14 PM, thierry bordaz wrote: > > > On 04/29/2015 02:43 PM, Andy Thompson wrote: > > > -----Original Message----- > From: Martin Kosek [mailto:mko...@redhat.com] > Sent: Wednesday, April 29, 2015 8:31 AM > To: Andy Thompson; freeipa-users@redhat.com > <mailto:freeipa-users@redhat.com> ; Ludwig Krispenz; Thierry > Bordaz > Subject: Re: [Freeipa-users] deleting ipa user > > On 04/29/2015 01:26 PM, Andy Thompson wrote: > > I'm trying to delete an IPA account and I get a > generic "operations error" > > when trying to remove it. It looks like something is > messed up with the > group object. The user doesn't show up in the > ipausers group and there also > isn't a group object for the user in question. Here is > the error from the > attempt. > > [29/Apr/2015:07:21:32 -0400] referint-plugin - > _update_all_per_mod: > entry > cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting > "member: > uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" > > failed > > (16) > [29/Apr/2015:07:21:32 -0400] referint-plugin - > _update_all_per_mod: > entry > ipaUniqueID=3897c894-e764-11e4-b05b- > > 005056a92af3,cn=hbac,dc=domain,dc= > > com: deleting "memberUser: > > uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed > (16) > [29/Apr/2015:07:21:32 -0400] > ldbm_back_delete - conn=0 op=0 Turning a > tombstone into a tombstone! > "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > > f0abc1a8,cn=<username>,cn=group > > s,cn=accounts,dc=domain,dc=com"; e: > 0x7fcc84226070, cache_state: 0x0, > refcnt: 1 > [29/Apr/2015:07:21:32 -0400] managed- > entries-plugin - mep_del_post_op: > failed to delete managed entry > > (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) - > error (1) > [29/Apr/2015:07:21:32 -0400] > ldbm_back_delete - conn=0 op=0 Turning a > tombstone into a tombstone! > "nsuniqueid=7e1a1f87-e82611e4-99f1b343- > > f0abc1a8,cn=<username>,cn=group > > s,cn=accounts,dc=domain,dc=com"; e: > 0x7fcc84226070, cache_state: 0x0, > refcnt: 1 > [29/Apr/2015:07:21:32 -0400] managed- > entries-plugin - mep_del_post_op: > failed to delete managed entry > > (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) - > error (1) > > This is the first time I see this error. CCing Ludwig or > Thierry to advise. > > Andy, please also include FreeIPA and 389-ds-base > packages versions so that > Thierry and Ludwig know what to look at. > > > Here you go > > ipa-server-4.1.0-18.el7_1.3.x86_64 > 389-ds-base-1.3.3.1-15.el7_1.x86_64 > > Thanks much > > -andy > > > > Hello, > > I wonder it is not a similar issue I hit > https://fedorahosted.org/389/ticket/48165. What differs is > '_update_all_per_mod' logs but could be a consequence of the same bug. > > > I think what differs taht in the ticket there is an attempt to delete an > existng > entry, but in the log snippet provided it attempts to delete a tombstone > entry (an entry which was already deleted). > So the errors logged by DS seem to be ok, but why does IPA want to delete > an already deleted user ? but mybe only the mep plugin finds a tombstone > and tries to delete it. > > What was the command executed, is the result the same if repeated ? > >
I attempted using the web interface initially and then tried using ipa user-del <username> to see if it gave any more detail. More info though, this is a replicated environment and I just tried deleting it on the replica server and it completed successfully so it appears I might have a replication issue going on? Hopefully I didn't mess something up doing that, should have checked the logs there first. I see this in the logs on the replica [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later. -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
