> You got a first replica where you failed to delete the entry.
> You got a second replica where you succeeded in deleting the entry.
> 
> On first replica you can see messages like:
> 
> [29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
> 
> On the second replica you can see messages like:
> 
> [29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
> 
> 
> On the first replica, you had difficulty retrieving the entry and finally had to
> remove 'nsuniqueid' from the filter to retrieve this entry
> 
> dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone ...
> nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> ...
> 
> 
> On the second replica you can see the entry:
> 
> dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
> ...
> nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone ...
> nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
> 
> 
> Note that the entry retrieved on the first replica has nsuniqueid=7e1a1f82..
> while the entry retrieved on the second replica has nsuniqueid=7e1a1f87 ...
> 
> It differs: '2' instead of '7'. So this is not the same entry (from a
> replication point of view).
> 
> The error reported in the first replica was about Turning a tombstone into a
> tombstone! "nsuniqueid=7e1a1f87...
> 
> 
> The error reported in the second replica was also about
> Consumer failed to replay change (uniqueid 7e1a1f87...
> 
> 
> So I think the entry you dumped on the first replica is not (should not be)
> the one we are looking for.

It appears that f82 is the user object and f87 is the group object.  So you are 
right, I don't think f82 is what we were looking for, it just happened to have 
the username in it when I grepped without filtering the uniqueid.  I'm not sure 
why it was having problems with the user group object, but I don't have 
individual group objects showing up for any local accounts I've created.

All that being said, I put 389-ds-base-1.3.3.1-16.el7_1.x86_64 on the box 
yesterday and the error has not shown since.  So I'm not sure if it was because 
of the minor upgrade or cycling the daemon.

Is there any way to find the root cause of this? And is it normal that 
individual group objects are not created for users? I thought I remembered 
reading somewhere that they were derived and not static entries? The few 
accounts I have on there were created in the web interface; most of my users 
are all trust users.

> Although it could be two entries having the same DN but that was deleted,
> added and then deleted again.
> 
> The difficulty is to retrieve it (on the first replica) as we cannot specify
> its 'nsuniqueid' to retrieve it.
> Maybe you can retrieve it with its
> (&(objectclass=nstombstone)(ipauniqueid=94dc1638-e826-11e4-878a-005056a92af3))
> 
> 
> thanks
> thierry
> 
> 
> 
> 
>       dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>       nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>       nscpentrywsi: modifyTimestamp;adcsn-5540be0c000200040002;vucsn-5540be0c000200040002: 20150429111607Z
>       nscpentrywsi: modifiersName;adcsn-5540be0c000200040001;vucsn-5540be0c000200040001: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
>       nscpentrywsi: nsAccountLock;adcsn-5540be0c000200040000;vucsn-5540be0c000200040000: TRUE
>       nscpentrywsi: krbLastSuccessfulAuth;adcsn-5537c9b2000000030000;vucsn-5537c9b2000000030000: 20150422161526Z
>       nscpentrywsi: memberOf;adcsn-5537c2f5000400030000;vucsn-5537c2f5000400030000: cn=ipausers,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>       nscpentrywsi: memberOf;vucsn-5537c2f5000400030000: ipaUniqueID=3897c894-e764-11e4-b05b-005056a92af3,cn=hbac,dc=mhbenp,dc=lin
>       nscpentrywsi: ipaNTSecurityIdentifier;adcsn-5537a1b1000300040001;vucsn-5537a1b1000300040001: S-1-5-21-1257946092-587846975-4124201916-1003
>       nscpentrywsi: passwordGraceUserTime;adcsn-55369200000400040000;vucsn-55369200000400040000: 0
>       nscpentrywsi: krbPasswordExpiration;adcsn-55369200000200040005;vucsn-55369200000200040005: 20150720180532Z
>       nscpentrywsi: krbTicketFlags;adcsn-55369200000200040001;vucsn-55369200000200040001: 128
>       nscpentrywsi: krbLastPwdChange;adcsn-55369200000200040000;vucsn-55369200000200040000: 20150421180532Z
>       nscpentrywsi: mepManagedEntry;vucsn-55364a42000700040000: cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>       nscpentrywsi: displayName;vucsn-55364a42000100040000: UserName
>       nscpentrywsi: cn;vucsn-55364a42000100040000: UserName
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaobject
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: person
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: top
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipasshuser
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetorgperson
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: organizationalperson
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbticketpolicyaux
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: krbprincipalaux
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: inetuser
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: posixaccount
>       nscpentrywsi: objectClass;vucsn-55364a42000100040000: ipaSshGroupOfPubKeys
>       nscpentrywsi: objectClass;vucsn-55364a42000600040000: mepOriginEntry
>       nscpentrywsi: objectClass;vucsn-5537a1b1000300040000: ipantuserattrs
>       nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
>       nscpentrywsi: loginShell;vucsn-55364a42000100040000: /bin/bash
>       nscpentrywsi: initials;vucsn-55364a42000100040000: GF
>       nscpentrywsi: gecos;vucsn-55364a42000100040000: UserName
>       nscpentrywsi: homeDirectory;vucsn-55364a42000100040000: /home/username
>       nscpentrywsi: uid;vucsn-55364a42000100040000;mdcsn-55364a42000100040000: username
>       nscpentrywsi: mail;vucsn-55364a42000100040000: usern...@mhbenp.lin
>       nscpentrywsi: krbPrincipalName;vucsn-55364a42000100040000: usern...@mhbenp.lin
>       nscpentrywsi: givenName;vucsn-55364a42000100040000: Gregg
>       nscpentrywsi: sn;vucsn-55364a42000100040000: Name
>       nscpentrywsi: creatorsName;vucsn-55364a42000100040000: uid=admin,cn=users,cn=accounts,dc=mhbenp,dc=lin
>       nscpentrywsi: createTimestamp;vucsn-55364a42000100040000: 20150421130152Z
>       nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
>       nscpentrywsi: ipaUniqueID;vucsn-55364a42000100040000: 94d31f06-e826-11e4-878a-005056a92af3
>       nscpentrywsi: parentid: 3
>       nscpentrywsi: entryid: 384
>       nscpentrywsi: uidNumber;vucsn-55364a42000100040000: 1249000003
>       nscpentrywsi: gidNumber;vucsn-55364a42000100040000: 1249000003
>       nscpentrywsi: nsParentUniqueId: 3763f192-e76411e4-99f1b343-f0abc1a8
>       nscpentrywsi: nstombstonecsn: 5540deb8000000030000
>       nscpentrywsi: nscpEntryDN: uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>       nscpentrywsi: entryusn: 52322
>       nscpentrywsi: passwordHistory;adcsn-55369200000500040000;vdcsn-55369200000500040000;deletedattribute;deleted:
> 
> 
>               dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>               nscpentrywsi: dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
>               ...
>               nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone ...
>               nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
>
>               On the first replica (where you failed to delete the entry and where you can
>               see the replication errors)
>               dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>               nscpentrywsi: dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
>               ...
>               nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone ...
>               nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8
> 
> 
>               This is not the same entry. It is like two entries with the same 'uid' were
>               created.
>               Also note that those two entries were deleted on the same replica (replica
>               ID=3: likely the second replica) almost at the same time.
>
>               The error is logged on the first replica about
>               "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com".
>
>               So I think the entry you dumped on the first replica is not the one we were
>               looking at.
>               The entry (nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8) should
>               exist, but was not returned by the search.
> 
> 
> 
> 
> 
> 


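The comparison made in this thread (the unique ID named in the error logs against the nsUniqueId of each dumped tombstone, plus the replica ID carried in the tombstone CSN), as an added example that is not part of the original messages. The sample text is constructed from the log and entry lines quoted above, unwrapped; the function names are hypothetical, and the CSN layout (8 hex digits of timestamp, then 4 each of sequence number, replica ID and subsequence) is an assumption consistent with the "replica ID=3" reading in the thread.

```python
import re

# 389-ds unique ID: four hyphen-separated groups of 8 hex digits.
UNIQUEID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{8}){3}", re.I)
# Tombstone marker with its CSN, as shown in an nscpentrywsi dump.
TOMBSTONE = re.compile(r"objectClass;vucsn-([0-9a-f]{20}):\s*nsTombstone", re.I)
# Constructed samples: log and entry lines quoted in the thread, unwrapped.
ERROR_LOG = """\
[29/Apr/2015:07:21:32 -0400] ldbm_back_delete - conn=0 op=0 Turning a tombstone into a tombstone! "nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=<username>,cn=groups,cn=accounts,dc=domain,dc=com"; e: 0x7fcc84226070, cache_state: 0x0, refcnt: 1
[29/Apr/2015:09:35:40 -0400] NSMMReplicationPlugin - agmt="cn=meTomdhixnpipa01.domain.com" (mdhixnpipa01:389): Consumer failed to replay change (uniqueid 7e1a1f87-e82611e4-99f1b343-f0abc1a8, CSN 5540deb8000300030000): Operations error (1). Will retry later.
"""
DUMP = """\
dn: nsuniqueid=7e1a1f82-e82611e4-99f1b343-f0abc1a8,uid=username,cn=users,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb8000000030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f82-e82611e4-99f1b343-f0abc1a8

dn: nsuniqueid=7e1a1f87-e82611e4-99f1b343-f0abc1a8,cn=username,cn=groups,cn=accounts,dc=mhbenp,dc=lin
nscpentrywsi: objectClass;vucsn-5540deb8000300030000: nsTombstone
nscpentrywsi: nsUniqueId: 7e1a1f87-e82611e4-99f1b343-f0abc1a8
"""

def split_csn(csn):
    """Assumed CSN layout: timestamp(8) seq(4) replica ID(4) subseq(4), all hex."""
    return {"time": int(csn[:8], 16), "seq": int(csn[8:12], 16),
            "rid": int(csn[12:16], 16), "subseq": int(csn[16:], 16)}

def ids_in_log(log_text):
    """Unique IDs named anywhere in the error-log text."""
    return {m.lower() for m in UNIQUEID.findall(log_text)}

def parse_entries(dump_text):
    """One record per blank-line-separated entry that carries an nsUniqueId."""
    out = []
    for block in re.split(r"\n\s*\n", dump_text.strip()):
        uid = re.search(r"\bnsUniqueId:\s*(\S+)", block, re.I)
        dn = re.search(r"^dn:\s*(.+)$", block, re.M)
        ts = TOMBSTONE.search(block)
        if uid:
            out.append({"dn": dn.group(1) if dn else None, "id": uid.group(1).lower(),
                        "tombstone": split_csn(ts.group(1)) if ts else None})
    return out

def correlate(log_text, dump_text):
    """Say whether each dumped entry is the one the logs name, and where its ID differs."""
    wanted = ids_in_log(log_text)
    def diff(a):  # character positions where `a` differs from the closest logged ID
        return min(([i for i, (x, y) in enumerate(zip(a, w)) if x != y] for w in wanted),
                   key=len, default=None)
    return [{**e, "in_logs": e["id"] in wanted, "diff_positions": diff(e["id"])}
            for e in parse_entries(dump_text)]
```
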