Can you do the following search on both servers?

ldapsearch -LLL -o ldif-wrap=no -h xxx -p xxx -x -D "cn=directory manager" -w xxx -b "dc=xxx.... " "(&(objectclass=nstombstone)(nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8))" nscpentrywsi | grep -i objectClass

-----Original Message-----
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 10:07 AM
To: Andy Thompson
Cc: thierry bordaz; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 03:40 PM, Andy Thompson wrote:
-----Original Message-----
From: Ludwig Krispenz [mailto:lkris...@redhat.com]
Sent: Wednesday, April 29, 2015 9:22 AM
To: thierry bordaz
Cc: Andy Thompson; Martin Kosek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] deleting ipa user


On 04/29/2015 03:14 PM, thierry bordaz wrote:


        On 04/29/2015 02:43 PM, Andy Thompson wrote:


                        -----Original Message-----
                        From: Martin Kosek [mailto:mko...@redhat.com]
                        Sent: Wednesday, April 29, 2015 8:31 AM
                        To: Andy Thompson; freeipa-users@redhat.com; Ludwig Krispenz; Thierry Bordaz
                        Subject: Re: [Freeipa-users] deleting ipa user

                        On 04/29/2015 01:26 PM, Andy Thompson wrote:

                                I'm trying to delete an IPA account and I get a generic "operations error"
                                when trying to remove it.  It looks like something is messed up with the
                                group object.  The user doesn't show up in the ipausers group and there also
                                isn't a group object for the user in question.  Here is the error from the
                                attempt.

                                [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com: deleting "member: uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
                                [29/Apr/2015:07:21:32 -0400] referint-plugin - _update_all_per_mod: entry ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=domain,dc=com: deleting "memberUser: uid=<username>,cn=users,cn=accounts,dc=domain,dc=com" failed (16)
                                [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
                                [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)
                                [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
                                [29/Apr/2015:07:21:32 -0400] managed-entries-plugin - mep_del_post_op: failed to delete managed entry (cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com) - error (1)

                        This is the first time I see this error. CCing Ludwig or Thierry to advise.

                        Andy, please also include FreeIPA and 389-ds-base packages versions so that
                        Thierry and Ludwig know what to look at.


                Here you go

                ipa-server-4.1.0-18.el7_1.3.x86_64
                389-ds-base-1.3.3.1-15.el7_1.x86_64

                Thanks much

                -andy



        Hello,

        I wonder if it is not a similar issue I hit: https://fedorahosted.org/389/ticket/48165.
        What differs is '_update_all_per_mod' logs but could be a consequence of the same bug.


I think what differs is that in the ticket there is an attempt to delete
an existing entry, but in the log snippet provided it attempts to
delete a tombstone entry (an entry which was already deleted).
So the errors logged by DS seem to be ok, but why does IPA want to
delete an already deleted user? But maybe only the mep plugin finds a
tombstone and tries to delete it.

What was the command executed? Is the result the same if repeated?


I attempted using the web interface initially and then tried using
ipa user-del <username> to see if it gave any more detail.

Were both attempts at 2015:07:21:32? Or do you have more errors in the
error log?

I had errors from the other delete attempts but they were the same errors at
different times.  I can send my entire log to you offline if it would be
helpful.

More info though, this is a replicated environment and I just tried deleting
it on the replica server and it completed successfully so it appears I might
have a replication issue going on?  Hopefully I didn't mess something up
doing that, should have checked the logs there first.

Well, if you cannot delete on one server, but do it on the other, this looks like
servers were not consistent before.

I see this in the logs on the replica

[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin -
agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer
failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8,
CSN 5540deb8000300030000): Operations error (1). Will retry later.

Now the replica tries to replicate the delete and has the same failures as your
direct delete. Do you have other replicas? Is the delete replicated to other
replicas?

I've got two replicas.  The initial error was on the first replica server I installed.  I
do not see the same error on the replica server.  I was able to delete the user on the
second replica using ipa user-del but now the "failed to replay" error above is
cycling in the logs on the second replica.  So it seems that the replica I tried to
delete the user on initially is still trying to send a delete event to the second replica
server and it is failing because the object is indeed gone from that replica since the
delete completed successfully.

-andy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
