> -----Original Message-----
> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> Sent: Wednesday, April 29, 2015 10:07 AM
> To: Andy Thompson
> Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
> 
> 
> On 04/29/2015 03:40 PM, Andy Thompson wrote:
> >> -----Original Message-----
> >> From: Ludwig Krispenz [mailto:lkris...@redhat.com]
> >> Sent: Wednesday, April 29, 2015 9:22 AM
> >> To: thierry bordaz
> >> Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
> >> Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >>
> >> On 04/29/2015 03:14 PM, thierry bordaz wrote:
> >>
> >>
> >>    On 04/29/2015 02:43 PM, Andy Thompson wrote:
> >>
> >>
> >>                    -----Original Message-----
> >>                    From: Martin Kosek [mailto:mko...@redhat.com]
> >>                    Sent: Wednesday, April 29, 2015 8:31 AM
> >>                    To: Andy Thompson; freeipa-users@redhat.com
> >> <mailto:freeipa-users@redhat.com> ; Ludwig Krispenz; Thierry
> >>                    Bordaz
> >>                    Subject: Re: [Freeipa-users] deleting ipa user
> >>
> >>                    On 04/29/2015 01:26 PM, Andy Thompson wrote:
> >>
> >>                            I'm trying to delete an IPA account and I get a
> generic
> >> "operations error"
> >>
> >>                    when trying to remove it.  It looks like something is
> messed up
> >> with the
> >>                    group object.  The user doesn't show up in the
> ipausers group and
> >> there also
> >>                    isn't a group object for the user in question.  Here is
> the error
> >> from the
> >>                    attempt.
> >>
> >>                            [29/Apr/2015:07:21:32 -0400] referint-plugin -
> >> _update_all_per_mod:
> >>                            entry
> >> cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting
> >>                            "member:
> >> uid=<username>,cn=users,cn=accounts,dc=domain,dc=com"
> >>
> >>                    failed
> >>
> >>                            (16)
> >>                            [29/Apr/2015:07:21:32 -0400] referint-plugin -
> >> _update_all_per_mod:
> >>                            entry
> >>                            ipaUniqueID=3897c894-e764-11e4-b05b-
> >>
> >>                    005056a92af3,cn=hbac,dc=domain,dc=
> >>
> >>                            com: deleting "memberUser:
> >>
> >>    uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed
> >> (16)
> >>                            [29/Apr/2015:07:21:32 -0400]
> >> ldbm_back_delete - conn=0 op=0 Turning a
> >>                            tombstone into a tombstone!
> >>                            "nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> >>
> >>                    f0abc1a8,cn=<username>,cn=group
> >>
> >>                            s,cn=accounts,dc=domain,dc=com"; e:
> >> 0x7fcc84226070, cache_state: 0x0,
> >>                            refcnt: 1
> >>                            [29/Apr/2015:07:21:32 -0400] managed-
> entries-plugin -
> >> mep_del_post_op:
> >>                            failed to delete managed entry
> >>
> >>    (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) -
> error (1)
> >>                            [29/Apr/2015:07:21:32 -0400]
> >> ldbm_back_delete - conn=0 op=0 Turning a
> >>                            tombstone into a tombstone!
> >>                            "nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> >>
> >>                    f0abc1a8,cn=<username>,cn=group
> >>
> >>                            s,cn=accounts,dc=domain,dc=com"; e:
> >> 0x7fcc84226070, cache_state: 0x0,
> >>                            refcnt: 1
> >>                            [29/Apr/2015:07:21:32 -0400] managed-
> entries-plugin -
> >> mep_del_post_op:
> >>                            failed to delete managed entry
> >>
> >>    (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) -
> error (1)
> >>
> >>                    This is the first time I see this error. CCing Ludwig or
> Thierry
> >> to advise.
> >>
> >>                    Andy, please also include FreeIPA and 389-ds-base
> packages
> >> versions so that
> >>                    Thierry and Ludwig know what to look at.
> >>
> >>
> >>            Here you go
> >>
> >>            ipa-server-4.1.0-18.el7_1.3.x86_64
> >>            389-ds-base-1.3.3.1-15.el7_1.x86_64
> >>
> >>            Thanks much
> >>
> >>            -andy
> >>
> >>
> >>
> >>    Hello,
> >>
> >>    I wonder it is not a similar issue I hit
> >> https://fedorahosted.org/389/ticket/48165. What differs is
> >> '_update_all_per_mod' logs but could be a consequence of the same bug.
> >>
> >>
> >> I think what differs taht in the ticket there is an attempt to delete
> >> an existng entry, but in the log snippet provided it attempts to
> >> delete a tombstone entry (an entry which was already deleted).
> >> So the errors logged by DS seem to be ok, but why does IPA want to
> >> delete an already deleted user ? but mybe only the mep plugin finds a
> >> tombstone and tries to delete it.
> >>
> >> What was the command executed, is the result the same if repeated ?
> >>
> >>
> > I attempted using the web interface initially
> >   and then tried using ipa user-del <username> to see if it gave any more
> detail.
> were both attempts at 2015:07:21:32 ? or do you have more errors in the
> error log ?

I had errors from the other delete attempts but they were the same errors at 
different times.  I can send my entire log to you offline if it would be 
helpful.

> >
> > More info though, this is a replicated environment and  I just tried 
> > deleting
> it on the replica server and it completed successfully so it appears I might
> have a replication issue going on?  Hopefully I didn't mess something up
> doing that, should have checked the logs there first.
> well, if you cannot delete on one server, but do it on the other this looks 
> like
> servers were not consistent before
> > I see this in the logs on the replica
> >
> > [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin -
> agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer
> failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8,
> CSN 5540deb8000300030000): Operations error (1). Will retry later.
> now the replica tries to replicate the delete and has the same failures as 
> your
> direct delete. Do you have other replicas ? Is the delete replicated to other
> replicas ?

I've got two replicas.  The initial error was on the first replica server I 
installed.  I do not see the same error on the replica server.  I was able to 
delete the user on the second replica using ipa user-del but now the "failed to 
replay" error above is cycling in the logs on the second replica.  So it seems 
that the replica I tried to delete the user on initially is still trying to 
send a delete event to the second replica server and it is failing because the 
object is indeed gone from that replica since the delete completed successfully.

-andy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to