On 04/29/2015 03:40 PM, Andy Thompson wrote:
-----Original Message-----
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 03:14 PM, thierry bordaz wrote:


        On 04/29/2015 02:43 PM, Andy Thompson wrote:


                        -----Original Message-----
                        From: Martin Kosek [mailto:mko...@redhat.com]
                        Sent: Wednesday, April 29, 2015 8:31 AM
                        To: Andy Thompson; freeipa-users@redhat.com
<mailto:freeipa-users@redhat.com> ; Ludwig Krispenz; Thierry
                        Bordaz
                        Subject: Re: [Freeipa-users] deleting ipa user

                        On 04/29/2015 01:26 PM, Andy Thompson wrote:

                                I'm trying to delete an IPA account and I get a
generic "operations error"

                        when trying to remove it.  It looks like something is
messed up with the
                        group object.  The user doesn't show up in the
ipausers group and there also
                        isn't a group object for the user in question.  Here is
the error from the
                        attempt.

                                [29/Apr/2015:07:21:32 -0400] referint-plugin -
_update_all_per_mod:
                                entry
cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting
                                "member:
uid=<username>,cn=users,cn=accounts,dc=domain,dc=com"

                        failed

                                (16)
                                [29/Apr/2015:07:21:32 -0400] referint-plugin -
_update_all_per_mod:
                                entry
                                ipaUniqueID=3897c894-e764-11e4-b05b-

                        005056a92af3,cn=hbac,dc=domain,dc=

                                com: deleting "memberUser:

        uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed
(16)
                                [29/Apr/2015:07:21:32 -0400]
ldbm_back_delete - conn=0 op=0 Turning a
                                tombstone into a tombstone!
                                "nsuniqueid=7e1a1f87-e82611e4-99f1b343-

                        f0abc1a8,cn=<username>,cn=group

                                s,cn=accounts,dc=domain,dc=com"; e:
0x7fcc84226070, cache_state: 0x0,
                                refcnt: 1
                                [29/Apr/2015:07:21:32 -0400] managed-
entries-plugin - mep_del_post_op:
                                failed to delete managed entry

        (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) -
error (1)
                                [29/Apr/2015:07:21:32 -0400]
ldbm_back_delete - conn=0 op=0 Turning a
                                tombstone into a tombstone!
                                "nsuniqueid=7e1a1f87-e82611e4-99f1b343-

                        f0abc1a8,cn=<username>,cn=group

                                s,cn=accounts,dc=domain,dc=com"; e:
0x7fcc84226070, cache_state: 0x0,
                                refcnt: 1
                                [29/Apr/2015:07:21:32 -0400] managed-
entries-plugin - mep_del_post_op:
                                failed to delete managed entry

        (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) -
error (1)

                        This is the first time I see this error. CCing Ludwig or
Thierry to advise.

                        Andy, please also include FreeIPA and 389-ds-base
packages versions so that
                        Thierry and Ludwig know what to look at.


                Here you go

                ipa-server-4.1.0-18.el7_1.3.x86_64
                389-ds-base-1.3.3.1-15.el7_1.x86_64

                Thanks much

                -andy



        Hello,

        I wonder it is not a similar issue I hit
https://fedorahosted.org/389/ticket/48165. What differs is
'_update_all_per_mod' logs but could be a consequence of the same bug.


I think what differs taht in the ticket there is an attempt to delete an existng
entry, but in the log snippet provided it attempts to delete a tombstone
entry (an entry which was already deleted).
So the errors logged by DS seem to be ok, but why does IPA want to delete
an already deleted user ? but mybe only the mep plugin finds a tombstone
and tries to delete it.

What was the command executed, is the result the same if repeated ?


I attempted using the web interface initially
  and then tried using ipa user-del <username> to see if it gave any more 
detail.
were both attempts at 2015:07:21:32 ? or do you have more errors in the error log ?

More info though, this is a replicated environment and  I just tried deleting 
it on the replica server and it completed successfully so it appears I might 
have a replication issue going on?  Hopefully I didn't mess something up doing 
that, should have checked the logs there first.
well, if you cannot delete on one server, but do it on the other this looks like servers were not consistent before
I see this in the logs on the replica

[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - 
agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to 
replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): 
Operations error (1). Will retry later.
now the replica tries to replicate the delete and has the same failures as your direct delete. Do you have other replicas ? Is the delete replicated to other replicas ?

-andy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to