> -----Original Message-----
> From: thierry bordaz [mailto:tbor...@redhat.com]
> Sent: Wednesday, April 29, 2015 12:28 PM
> To: Andy Thompson
> Cc: Ludwig Krispenz; Martin Kosek; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] deleting ipa user
> 
> On 04/29/2015 05:58 PM, Andy Thompson wrote:
> 
> 
>                       dn:
>                       nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> 
>               f0abc1a8,cn=username,cn=groups,c
> 
>                       n=accounts,dc=mhbenp,dc=lin
>                       nscpentrywsi: dn:
>                       nsuniqueid=7e1a1f87-e82611e4-99f1b343-
> 
>               f0abc1a8,cn=username,cn=groups,c
> 
>                       n=accounts,dc=mhbenp,dc=lin
>                       nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: posixgroup
>                       nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: ipaobject
>                       nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000:
> 
>               mepManagedEntry
> 
>                       nscpentrywsi: objectClass;vucsn-
> 55364a42000500040000: top
>                       nscpentrywsi: objectClass;vucsn-
> 5540deb8000300030000: nsTombstone
>                       nscpentrywsi:
>                       cn;vucsn-55364a42000500040000;mdcsn-
> 55364a42000500040000: gfeigh
>                       nscpentrywsi: gidNumber;vucsn-
> 55364a42000500040000: 1249000003
>                       nscpentrywsi: description;vucsn-
> 55364a42000500040000: User private
>                       group for username
>                       nscpentrywsi: mepManagedBy;vucsn-
> 55364a42000500040000: uid=
>                       username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>                       nscpentrywsi: creatorsName;vucsn-
> 55364a42000500040000: cn=Managed
>                       Entries,cn=plugins,cn=config
>                       nscpentrywsi: modifiersName;vucsn-
> 55364a42000500040000: cn=Managed
>                       Entries,cn=plugins,cn=config
>                       nscpentrywsi: createTimestamp;vucsn-
> 55364a42000500040000:
>                       20150421130152Z
>                       nscpentrywsi: modifyTimestamp;vucsn-
> 55364a42000500040000:
>                       20150421130152Z
>                       nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-
> 99f1b343-f0abc1a8
>                       nscpentrywsi: ipaUniqueID;vucsn-
> 55364a42000500040000:
>                       94dc1638-e826-11e4-878a-005056a92af3
>                       nscpentrywsi: parentid: 4
>                       nscpentrywsi: entryid: 385
>                       nscpentrywsi: nsParentUniqueId: 3763f193-
> e76411e4-99f1b343-f0abc1a8
>                       nscpentrywsi: nstombstonecsn:
> 5540deb8000300030000
>                       nscpentrywsi: nscpEntryDN:
> 
>       cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>                       nscpentrywsi: entryusn: 52327
> 
>                       thought I tried that before, apparently not.
> 
>               ok, so we have the entry on one server, the csn of the
> objectclass:
>               tombstone is :
> 
>               objectClass;vucsn-5540deb8000300030000: nsTombstone
> 
>               , which matches the csn in the error log:
> 
>               Consumer failed to replay change (uniqueid 7e1a1f87-
> e82611e4-99f1b343-
>               f0abc1a8, CSN 5540deb8000300030000): Operations error (1)
> so the state of
>               the entry is as expected.
> 
>               Now we nend to find it on the other server. If the search for
> the & filter with
>               nstombstone does return nothing, could you try
> 
> 
>       If I run ldapsearch -LLL -o ldif-wrap=no -H ldap://mdhixnpipa01 -x -D
> "cn=directory manager" -W  -b "dc=mhbenp,dc=lin"
> "(&(objectclass=nstombstone))" I get below.  If I add nsuniqueid to the filter
> it returns nothing on the primary server
> 
>       dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-
> f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>       memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>       memberOf: ipaUniqueID=3897c894-e764-11e4-b05b-
> 005056a92af3,cn=hbac,dc=mhbenp,dc=lin
>       ipaNTSecurityIdentifier: S-1-5-21-1257946092-587846975-4124201916-
> 1003
>       krbLastSuccessfulAuth: 20150421180533Z
>       krbPasswordExpiration: 20150720180532Z
>       userPassword::
> e1NIQTUxMn1wekx2TytqSG9YQWkwL1RMWitXcE44dmFRRnFEWUJ3U3lrMTJ
> ab2ErNUdwakdWTVBnSzlJK0txdWF2b0pXdjZKbVZuZjdWb2txbG04NXpiWVh
> qTXQxUT09
>       krbExtraData:: AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
>       krbPrincipalKey::
> MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIB
> AKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5E
> P9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A
>       0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmd
> mZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/l
> bFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJT
> mdmZWlnaKFBMD
>       +gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCz
> xInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTEl
> OZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZ
> jwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
>       krbLoginFailedCount: 0
>       krbTicketFlags: 128
>       krbLastPwdChange: 20150421180532Z
>       krbLastFailedAuth: 20150421180457Z
>       mepManagedEntry:
> cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>       displayName: user name
>       cn: User Name
>       objectClass: ipaobject
>       objectClass: person
>       objectClass: top
>       objectClass: ipasshuser
>       objectClass: inetorgperson
>       objectClass: organizationalperson
>       objectClass: krbticketpolicyaux
>       objectClass: krbprincipalaux
>       objectClass: inetuser
>       objectClass: posixaccount
>       objectClass: ipaSshGroupOfPubKeys
>       objectClass: mepOriginEntry
>       objectClass: ipantuserattrs
>       objectClass: nsTombstone
>       loginShell: /bin/bash
>       initials: GF
>       gecos: User Name
>       homeDirectory: /home/username
>       uid: username
>       mail: usern...@mhbenp.lin <mailto:usern...@mhbenp.lin>
>       krbPrincipalName: usern...@mhbenp.lin
> <mailto:usern...@mhbenp.lin>
>       givenName: User
>       sn: name
>       ipaUniqueID: 94d31f06-e826-11e4-878a-005056a92af3
>       uidNumber: 1249000003
>       gidNumber: 1249000003
>       nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
> 
> 
> 
> In fact, nsuniqueid does not appear in this entry. It is a distinguished RDN 
> but
> is missing. Did you run the command with 'nscpentrywsi' requested attribute.
> May be nsuniqueid was hidden for that reason but I would be surprised.
> 
> nsuniqueid is a key element of replication. I wonder how replication can find
> the entry itself. nsuniqueid could be in the index but then the entry is
> corrupted.
> 
> 

If I request the nscpentrywsi attribute I get 

dn: 
nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: dn: 
nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: 
modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 
20150429111607Z
nscpentrywsi: 
modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: 
uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: 
nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
nscpentrywsi: memberOf;adcsn-5537c2f5000200040000;vucsn-5537c2f5000200040000: 
cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: memberOf;vucsn-5537c2f5000200040000: 
ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
nscpentrywsi: 
ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: 
S-1-5-21-1257946092-587846975-4124201916-1003
nscpentrywsi: 
krbLastSuccessfulAuth;adcsn-55369202000100040000;vucsn-55369202000100040000: 
20150421180533Z
nscpentrywsi: 
passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
nscpentrywsi: 
krbPasswordExpiration;adcsn-55369200000200040006;vucsn-55369200000200040006: 
20150720180532Z
nscpentrywsi: 
userPassword;adcsn-55369200000200040005;vucsn-55369200000200040005: 
{SHA512}pzLvO+jHoXAi0/TLZ+WpN8vaQFqDYBwSyk12Zoa+5GpjGVMPgK9I+KquavoJWv6JmVnf7Vokqlm85zbYXjMt1Q==
nscpentrywsi: 
krbExtraData;adcsn-55369200000200040004;vucsn-55369200000200040004:: 
AAJskTZVa2FkbWluZEBNSEJFTlAuTElOAA==
nscpentrywsi: 
krbPrincipalKey;adcsn-55369200000200040003;vucsn-55369200000200040003:: 
MIIBnKADAgEBoQMCAQGiAwIBA6MDAgEBpIIBhDCCAYAwaKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooUkwR6ADAgESoUAEPiAA10A0LqF2hLTC5EP9ArjKyMvDEuNh7SFNR7uvAba4+sh8WRRVbT7DMByrlPvn1A0miart7lTDnRh89BAbMFigGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKE5MDegAwIBEaEwBC4QAAc6BbDvPFsSAeCRjrt2yDkm0fiQWTt++y/lbFKDbSkZYSJpFnzSRaaIWW0AMGCgGzAZoAMCAQChEgQQTUhCRU5QLkxJTmdmZWlnaKFBMD+gAwIBEKE4BDYYACTz15wnIUghoNOEkvYZJUbcrXhAyFQsW4OpxTCzxInn+33pOsEXPlsdsYfc6uJeVl2bN/IwWKAbMBmgAwIBAKESBBBNSEJFTlAuTElOZ2ZlaWdooTkwN6ADAgEXoTAELhAAE9mQlmMsVmCvtRwKXdSf9b7CFCi4qZjwMj1cTwzD1FH6/IbmDSvRMUVw8wE=
nscpentrywsi: 
krbLoginFailedCount;adcsn-55369200000200040002;vucsn-55369200000200040002: 0
nscpentrywsi: 
krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
nscpentrywsi: 
krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 
20150421180532Z
nscpentrywsi: 
krbLastFailedAuth;adcsn-553691dd000000040000;vucsn-553691dd000200040003: 
20150421180457Z
nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: 
cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
nscpentrywsi: initials;vucsn-55364a42000100040000: GF
nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: 
username
nscpentrywsi: mail;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: usern...@mhbenp.lin
nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
nscpentrywsi: sn;vucsn-55364a42000100040000: Name
nscpentrywsi: creatorsName;vucsn-55364a42000100040000: 
uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 
94d31f06-e826-11e4-878a-005056a92af3
nscpentrywsi: parentid: 3
nscpentrywsi: entryid: 385
nscpentrywsi: uidNumber: 1249000003
nscpentrywsi: gidNumber: 1249000003
nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
nscpentrywsi: nstombstonecsn: 5540deb8000000030000
nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: entryusn: 57524
nscpentrywsi: 
passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to